Potential Protocol Tunneling via Cloudflared

Elastic Detection Rules

Summary
Detects potential protocol tunneling via the Cloudflare Tunnel utility (cloudflared) on Windows endpoints. The rule triggers on process start events where cloudflared.exe is the involved process and the command line contains tunnel-related arguments. Adversaries may use Cloudflare Tunnel to expose local services or to create outbound tunnels for C2 traffic or data exfiltration, potentially evading blocks on direct inbound connections. The detection maps to MITRE ATT&CK T1572 (Protocol Tunneling) under the Command and Control tactic (TA0011). The rule aggregates process signals from multiple EDRs and Windows event sources (e.g., Sysmon, Windows Security logs) to raise confidence when cloudflared starts with tunnel arguments. It includes metadata such as risk_score, severity, and references to Cloudflare and ATT&CK documentation, and provides triage guidance, false-positive considerations (legitimate administrative use of cloudflared), and remediation steps for responding to confirmed unauthorized tunnels.
Categories
  • Endpoint
  • Windows
  • Network
Data Sources
  • Process
ATT&CK Techniques
  • T1572
Created: 2026-03-18