New contextualized observables related to ngrok and opendir 📂

SEKOIA.IO recently added new playbooks that allow us to regularly collect and contextualize new observables related to ngrok or opendir servers. As a result, IP addresses hosting ngrok or opendir servers are automatically added to our database of observables every day.

Ngrok is a tool to run and manage tunneled services, used for both legitimate and malicious purposes. Opendir servers publicly expose all files in a specified directory, in this case on the Internet.

Having this information on these IP addresses allows SOC or CTI analysts to quickly contextualize a security alert or operational CTI within the SEKOIA.IO platform itself.

These observables can be found in the Intelligence Center in the observables page by filtering on the tags `ngrok`, `opendir` or `opendir:exe` (an opendir server hosting executable files, which is very suspicious). Security alerts in SEKOIA.IO XDR containing these IP addresses are automatically contextualized with these tags. Do not hesitate to write detection rules based on these tags to monitor traffic to ngrok or opendir servers.

The playbook template that allows us to collect this data is available to our SEKOIA.IO TIP customers and is shared in our community GitHub repository.

Related Resource:

* SEKOIA.IO Community repository on GitHub