
Summary
This detection rule identifies execution of the 'cloudflared' tool with the 'cleanup' flag used to manage tunnel connections. It monitors the command-line arguments of the process to detect potentially malicious use of the application: specifically, it looks for command lines that contain both 'tunnel' and 'cleanup' together with the arguments '-config' and '-connector-id'. This matters because, while 'cloudflared' has legitimate connection-management uses, attackers can also abuse it for command-and-control (C2), manipulating cloud tunnel connections to facilitate unauthorized access or data exfiltration.
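As an added illustration (not part of the rule itself), the following Python mirrors the matching logic described above over a few constructed process-creation events; the event fields, the sample command lines and the case-insensitive substring matching are assumptions made here.

```python
"""Toy re-implementation of the 'cloudflared tunnel cleanup' detection on constructed events."""
from dataclasses import dataclass

# Substrings the rule requires to co-occur in one process command line
# (taken from the rule summary). Matching is done case-insensitively, an
# assumption chosen here to mirror the usual default for 'contains' matches.
REQUIRED_TOKENS = ("tunnel", "cleanup", "-config", "-connector-id")


@dataclass
class ProcessEvent:
    """Minimal, assumed shape of a process-creation record."""
    image: str
    command_line: str


def matches_cleanup_rule(event: ProcessEvent) -> bool:
    """Return True when every required token appears in the command line."""
    cmd = event.command_line.lower()
    return all(token in cmd for token in REQUIRED_TOKENS)


def run_detection(events):
    """Return the subset of events that trigger the rule."""
    return [e for e in events if matches_cleanup_rule(e)]


# Constructed sample telemetry, not real logs; the connector id is a placeholder.
SAMPLE_EVENTS = [
    # Should alert: tunnel + cleanup + -config + -connector-id all present
    ProcessEvent(r"C:\Tools\cloudflared.exe",
                 r"cloudflared.exe tunnel -config C:\Users\Public\cfg.yml cleanup "
                 r"-connector-id 00000000-0000-0000-0000-000000000000"),
    # Should not alert: ordinary 'tunnel run', no cleanup / connector id
    ProcessEvent(r"C:\Tools\cloudflared.exe",
                 r"cloudflared.exe tunnel --config C:\ProgramData\cloudflared\config.yml run"),
    # Should not alert: shares two words with the rule but lacks the flags
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c echo tunnel cleanup"),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit.image, "|", hit.command_line)
```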
Categories
- Cloud
- Network
- Endpoint
Data Sources
- Process
Created: 2023-05-17