
Summary
This hunting rule flags Windows endpoint network connections that appear to be initiated by the Cloudflared tunneling tool (Cloudflare Tunnel). Cloudflared creates outbound connections from the host to Cloudflare edge servers to expose internal services or private networks, similar to ngrok. The detection focuses on Windows Sysmon-based telemetry (Process creation) correlated with outbound network activity to the Cloudflare tunnel port (default 7844). The Splunk search ties process-level details (process GUID, name, parent process, and full command line) to network connections observed in the Network_Traffic data model, and is intended to identify potential covert tunnels. Given legitimate tunneling use cases, the rule advises whitelisting approved Cloudflare deployments to reduce false positives. The technique aligns with MITRE ATT&CK T1572 (Protocol Tunneling).
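The correlation the rule describes (process creation joined to outbound connections on the ProcessGuid, filtered to the Cloudflare tunnel port, with approved deployments removed) can be shown in a few lines outside Splunk. The block below is an added illustration, not the rule's own search: the Sysmon field names follow the Sysmon schema, but the events, hostnames, paths, IP addresses and the approved-deployment list are all constructed for the example. It also handles one failure mode a hunter runs into: a port-7844 connection whose process-creation event was never collected is still reported, with its parent and command line left empty, rather than silently dropped by the join.

```python
"""Correlate Sysmon process-creation (EventID 1) and network-connection
(EventID 3) events on ProcessGuid and surface outbound connections to the
Cloudflare tunnel port from processes that are not approved.

Added example, not the Splunk search from the page. All events and the
approved list are constructed sample data."""
from typing import Iterable

CLOUDFLARE_TUNNEL_PORT = 7844  # default cloudflared edge port named by the rule

# Approved deployments, keyed by (host, executable path). Constructed values
# standing in for an organisation's real inventory of sanctioned tunnels.
APPROVED_DEPLOYMENTS = {
    ("SRV-TUNNEL01", r"C:\Program Files (x86)\cloudflared\cloudflared.exe"),
}

# Constructed Sysmon-style events. IPs come from the TEST-NET-2 documentation
# range; hostnames, GUIDs and paths are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "ProcessGuid": "{guid-a}",
     "Image": r"C:\Users\alice\Downloads\cloudflared.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cloudflared.exe tunnel run --token <redacted>"},
    {"EventID": 3, "Computer": "WS01", "ProcessGuid": "{guid-a}",
     "Image": r"C:\Users\alice\Downloads\cloudflared.exe",
     "DestinationIp": "198.51.100.10", "DestinationPort": 7844,
     "Protocol": "udp"},
    {"EventID": 1, "Computer": "SRV-TUNNEL01", "ProcessGuid": "{guid-b}",
     "Image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"cloudflared.exe --config C:\tunnel\config.yml tunnel run"},
    {"EventID": 3, "Computer": "SRV-TUNNEL01", "ProcessGuid": "{guid-b}",
     "Image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
     "DestinationIp": "198.51.100.11", "DestinationPort": 7844,
     "Protocol": "tcp"},
    # Tunnel-port connection whose process-creation event was never collected.
    {"EventID": 3, "Computer": "WS02", "ProcessGuid": "{guid-c}",
     "Image": r"C:\Windows\Temp\svc.exe",
     "DestinationIp": "198.51.100.12", "DestinationPort": 7844,
     "Protocol": "tcp"},
    # Ordinary HTTPS traffic, outside the rule's scope.
    {"EventID": 3, "Computer": "WS01", "ProcessGuid": "{guid-d}",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "198.51.100.13", "DestinationPort": 443,
     "Protocol": "tcp"},
]


def find_tunnel_connections(events: Iterable[dict],
                            approved=APPROVED_DEPLOYMENTS) -> list[dict]:
    """Return one finding per outbound connection to the tunnel port from a
    (host, image) pair that is not approved. Process context is joined on
    ProcessGuid; when no EventID 1 exists for the connection, the finding is
    still emitted with ParentImage/CommandLine set to None and
    ProcessContextMissing set to True, so a telemetry gap shows up as such."""
    events = list(events)
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 3 or e["DestinationPort"] != CLOUDFLARE_TUNNEL_PORT:
            continue
        if (e["Computer"], e["Image"]) in approved:
            continue  # sanctioned deployment, suppressed to cut false positives
        proc = procs.get(e["ProcessGuid"], {})
        findings.append({
            "Computer": e["Computer"],
            "ProcessGuid": e["ProcessGuid"],
            "Image": e["Image"],
            "ParentImage": proc.get("ParentImage"),
            "CommandLine": proc.get("CommandLine"),
            "DestinationIp": e["DestinationIp"],
            "DestinationPort": e["DestinationPort"],
            "Protocol": e["Protocol"],
            "ProcessContextMissing": not proc,
        })
    return findings


if __name__ == "__main__":
    for finding in find_tunnel_connections(SAMPLE_EVENTS):
        print(finding)
```

Against the sample data this yields two findings: the user-profile cloudflared.exe spawned from cmd.exe on WS01, and the WS02 connection with no process context. The SRV-TUNNEL01 service is suppressed by the approved list, and the port-443 browser traffic never enters the filter. Keying the approved list on both host and executable path, rather than on the image name alone, is what keeps a renamed or relocated binary from inheriting an approved deployment's exemption.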
Categories
- Windows
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1572
Created: 2026-04-13