
Summary
This rule detects execution of Microsoft DevTunnels (devtunnel.exe or devtunnel.dll) on Windows endpoints by correlating process creation events from EDR sources (Sysmon EventID 1, Windows Security log 4688, and CrowdStrike ProcessRollup2). It fires when a process is created whose image name is devtunnel.exe or whose original_file_name is devtunnel.dll, and collects the associated process metadata (GUID, name, path, hash, user, parent process, command line, integrity level, working directory) together with destination context. The detection is mapped to the Endpoint data model and relies on Splunk CIM normalization for cross-product visibility.

The relevant MITRE ATT&CK technique is T1090 (Proxy): DevTunnels can be abused to expose internal systems to the internet, enabling data exfiltration or covert C2 channels that blend with legitimate development traffic.

The rule includes a Risk-Based Alert (RBA) with the message “Potential Devtunnels execution observed on $dest$ via $process$.” The risk object is the destination host (score 20) and the threat object is the parent process name, to aid investigation. Known false positives are legitimate DevTunnels use by developers in approved environments; the rule suggests filtering alerts by development environment and user. Drilldowns provide per-user/per-destination results and risk-event views over the last 7 days. Implementation requires ingesting complete process command lines from the EDRs, mapping them to the Endpoint Processes CIM node, and normalizing them so that querying and alert correlation work consistently across platforms.
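The correlation and matching the summary describes, as an added Python example that is not the rule's own SPL: the per-source field names, the sample events and the approved-user allow-list are assumptions. Each event is normalized to CIM Endpoint.Processes-style fields, the process_name/original_file_name match is applied, and the RBA fields (message, risk object with score 20, parent process as threat object) are emitted.

```python
import ntpath

# Field names per EDR source the rule correlates (assumption: representative
# Sysmon EventID 1, Security 4688 and CrowdStrike ProcessRollup2 field names).
FIELD_MAP = {
    "sysmon": ("Computer", "User", "Image", "OriginalFileName", "CommandLine", "ParentImage"),
    "security": ("Computer", "SubjectUserName", "NewProcessName", None, "CommandLine", "ParentProcessName"),
    "crowdstrike": ("ComputerName", "UserName", "ImageFileName", "OriginalFilename", "CommandLine", "ParentBaseFileName"),
}

def normalize(event):
    """Map a raw event onto CIM Endpoint.Processes-style field names."""
    host, user, image, orig, cmd, parent = FIELD_MAP[event["source"]]
    return {
        "dest": event.get(host, ""),
        "user": event.get(user, "").lower(),
        "process_name": ntpath.basename(event.get(image, "")).lower(),
        # 4688 has no OriginalFileName: a renamed binary matches only via Sysmon/CrowdStrike.
        "original_file_name": event.get(orig, "").lower() if orig else "",
        "process": event.get(cmd, ""),
        "parent_process_name": ntpath.basename(event.get(parent, "")).lower(),
    }

def run_rule(events, approved_users=frozenset()):
    """Apply the match and emit RBA fields; approved_users (lower-case) is the developer filter the rule suggests."""
    findings = []
    for p in map(normalize, events):
        hit = p["process_name"] == "devtunnel.exe" or p["original_file_name"] == "devtunnel.dll"
        if hit and p["user"] not in approved_users:
            findings.append({
                "message": f"Potential Devtunnels execution observed on {p['dest']} via {p['process']}.",
                "risk_object": p["dest"], "risk_score": 20,
                "threat_object": p["parent_process_name"],
            })
    return findings

# Constructed sample events: renamed binary (Sysmon), plain run (4688), approved dev host (CrowdStrike), benign control.
SAMPLE_EVENTS = [
    {"source": "sysmon", "Computer": "WS-042", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\dt.exe", "OriginalFileName": "devtunnel.dll",
     "CommandLine": "dt.exe host -p 3389"},
    {"source": "security", "Computer": "WS-017", "SubjectUserName": "asmith", "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Tools\\devtunnel.exe", "CommandLine": "devtunnel.exe user login"},
    {"source": "crowdstrike", "ComputerName": "DEV-BUILD-01", "UserName": "CORP\\dev.build", "ParentBaseFileName": "pwsh.exe",
     "ImageFileName": "\\Device\\HarddiskVolume3\\Program Files\\devtunnel\\devtunnel.exe",
     "OriginalFilename": "devtunnel.dll", "CommandLine": "devtunnel host"},
    {"source": "sysmon", "Computer": "WS-042", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe"},
]
```

Running `run_rule(SAMPLE_EVENTS, approved_users={"corp\\dev.build"})` yields two findings (the renamed Sysmon binary and the 4688 run); the Security-log event would be missed if the binary were renamed, since 4688 carries no original file name.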
Categories
- Endpoint
- Windows
Data Sources
- Process
- Image
ATT&CK Techniques
- T1090
Created: 2026-04-13