
Summary
This detection rule identifies network connections initiated by processes on a Windows system to specific Cloudflared tunnel domains. The presence of these connections may indicate that an attacker is leveraging Cloudflared tunneling services for nefarious purposes such as establishing reverse shells or maintaining persistence on compromised machines. The rule inspects outbound connections whose destination hostname is one of several Cloudflared tunnel domains (e.g., *.v2.argotunnel.com, trycloudflare.com) and flags them as potentially malicious activity. Given the versatility of such tunneling services, this rule is essential for recognizing and mitigating the risks associated with unmonitored external communications initiated by compromised systems.
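The matching logic described above, as an added example that is not the rule's own implementation: it runs a label-aware hostname match against the two tunnel domains the summary names (the rule's full list may be longer) over constructed Sysmon Event ID 3 style records. The field names (Image, Initiated, DestinationHostname, DestinationPort) and all sample values are assumptions.

```python
import json

# Tunnel domains named in the rule summary. A leading "*." means "any subdomain
# of"; a bare domain covers the domain itself and all of its subdomains.
TUNNEL_DOMAINS = ["*.v2.argotunnel.com", "trycloudflare.com"]


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Match on whole DNS labels, so 'nottrycloudflare.com' is not a hit."""
    host = hostname.rstrip(".").lower()
    if pattern.startswith("*."):
        # Wildcard: at least one label must precede the suffix.
        return host.endswith("." + pattern[2:].lower())
    pat = pattern.lower()
    return host == pat or host.endswith("." + pat)


def is_tunnel_connection(event: dict) -> bool:
    """True for an outbound (Initiated=true) connection to a tunnel domain."""
    if str(event.get("Initiated", "")).lower() != "true":
        return False
    host = event.get("DestinationHostname", "")
    return any(hostname_matches(host, p) for p in TUNNEL_DOMAINS)


def find_tunnel_connections(events: list) -> list:
    """Return the events the rule would flag, for triage by initiating Image."""
    return [e for e in events if is_tunnel_connection(e)]


# Constructed Sysmon Event ID 3 style records (field names and values are assumptions).
SAMPLE_LOG = r"""
{"EventID": 3, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\cloudflared.exe", "Initiated": "true", "DestinationHostname": "region1.v2.argotunnel.com", "DestinationPort": 7844}
{"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Initiated": "true", "DestinationHostname": "quiet-owl-market.trycloudflare.com", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Initiated": "true", "DestinationHostname": "www.cloudflare.com", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "true", "DestinationHostname": "nottrycloudflare.com", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "false", "DestinationHostname": "region2.v2.argotunnel.com", "DestinationPort": 7844}
"""
SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]

if __name__ == "__main__":
    for hit in find_tunnel_connections(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} -> {hit['DestinationHostname']}:{hit['DestinationPort']}")
```

Only the cloudflared.exe and powershell.exe records are flagged: www.cloudflare.com and nottrycloudflare.com fail the label-boundary match, and the last record is not an outbound connection.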
Categories
- Network
- Windows
Data Sources
- Network Traffic
- Process
Created: 2024-05-27