
Summary
Detects Windows process executions that resemble a cloudflared tunnel invocation. The rule flags command lines where a tunnel-related process (e.g., one containing tunnel, run, or token) is launched, or where the arguments include --url or localhost, indicating that the Cloudflare tunnel client (cloudflared) is initiating an outbound connection to Cloudflare edge servers. It aggregates EDR telemetry (Sysmon Process Create, Windows Security event 4688, and CrowdStrike ProcessRollup2) to identify anomalous tunnel setup activity. The detection is implemented against the Endpoint.Processes data model and relies on Splunk CIM normalization. It is designed to capture unauthorized or unusual tunnel provisioning but may generate false positives in legitimate DevOps scenarios where cloudflared is used for secure remote access. The behavior is mapped to MITRE ATT&CK technique T1572 (Protocol Tunneling) for context. A clean implementation requires ingesting full command lines, process GUIDs, and parent process relationships from supported EDR sources and normalizing the fields via CIM.
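The matching logic described above, reproduced in Python over constructed CIM-normalized events (an added example, not the rule's own SPL or the project's code). It assumes the match is anchored on the cloudflared binary name and uses placeholder GUIDs and token values.

```python
# Added example: mirrors the summary's command-line matching over constructed
# Endpoint.Processes-style events. Field names follow the Splunk CIM data model.

TUNNEL_VERBS = ("tunnel", "run", "token")   # substrings the rule looks for
TUNNEL_ARGS = ("--url", "localhost")        # argument patterns the rule looks for

# Constructed sample events (not real telemetry); GUIDs and token are placeholders.
SAMPLE_EVENTS = [
    {"process_guid": "{GUID-1}", "parent_process_name": "cmd.exe",
     "process_name": "cloudflared.exe",
     "process": "cloudflared.exe tunnel run --token <TOKEN-PLACEHOLDER>"},
    {"process_guid": "{GUID-2}", "parent_process_name": "powershell.exe",
     "process_name": "cloudflared.exe",
     "process": "cloudflared.exe tunnel --url http://localhost:3389"},
    {"process_guid": "{GUID-3}", "parent_process_name": "explorer.exe",
     "process_name": "cloudflared.exe",
     "process": "cloudflared.exe --version"},
    {"process_guid": "{GUID-4}", "parent_process_name": "explorer.exe",
     "process_name": "notepad.exe",
     "process": "notepad.exe C:\\work\\tunnel-run-notes.txt"},
]


def matched_terms(event: dict) -> list:
    """Return the rule terms found in the event's command line (empty if none).

    Assumption (not stated on the page): anchoring on the cloudflared binary name
    keeps unrelated processes whose arguments merely contain 'tunnel' or 'run'
    from firing, which is one of the false-positive sources the summary notes.
    """
    if "cloudflared" not in event.get("process_name", "").lower():
        return []
    cmd = event.get("process", "").lower()
    return [t for t in TUNNEL_VERBS + TUNNEL_ARGS if t in cmd]


def detect(events: list) -> list:
    """One finding per matching event, carrying the pivot fields the summary
    says a clean implementation needs (GUID, parent process, full command line)."""
    findings = []
    for ev in events:
        terms = matched_terms(ev)
        if terms:
            findings.append({"process_guid": ev["process_guid"],
                             "parent_process_name": ev["parent_process_name"],
                             "process": ev["process"],
                             "matched": terms,
                             "technique": "T1572"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['process_guid']} parent={f['parent_process_name']} matched={f['matched']}")
```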
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- File
- Cloud Service
- Network Traffic
- Scheduled Job
- Module
- Command
- Kernel
- Driver
- Volume
- WMI
ATT&CK Techniques
- T1572
Created: 2026-04-13