Windows Devtunnels Image Loaded

Splunk Security Content

Summary
Detects Windows image-load events tied to Microsoft DevTunnels by monitoring Sysmon EventID 7 (ImageLoaded) for DevTunnels artifacts. The rule flags images loaded from paths under AppData\Local\Temp\.net\devtunnel\* and any load of devtunnel.dll. Such loads can reflect legitimate development activity, but DevTunnels can also be abused as a covert channel for remote access, data exfiltration, or command-and-control traffic. The rule relies on endpoint telemetry from EDR agents (or Sysmon itself), correlating the loaded image with the process GUID, process name, and full command line, and requires the data to be mapped to the Endpoint CIM Processes data model. Implementation guidance emphasizes ingesting rich process and image-load data and normalizing fields with Splunk CIM so the events can be correlated. Known false positives are legitimate DevTunnels usage during development or debugging; filtering the results to approved development environments and personnel is recommended. References and drilldown searches are provided to review results by user and destination and to inspect the risk events the detection generates.
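The following is an added example, not Splunk's own SPL or part of this detection page: it re-implements the matching logic described above in Python over a handful of constructed Sysmon EventID 7 records, so the two path patterns and the recommended allowlist filter can be exercised offline. The XML layout follows Sysmon's Windows Event schema; the ProcessGuid values, user names, and the approved-user allowlist are constructed for the example.

```python
"""Added example: 'Windows Devtunnels Image Loaded' logic over Sysmon EventID 7.

Not Splunk's SPL; the sample events, GUIDs, users and the allowlist below
are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable

# The two artifacts named in the detection summary. Windows paths are
# case-insensitive, so the patterns are too.
DEVTUNNEL_DIR = re.compile(r"\\AppData\\Local\\Temp\\\.net\\devtunnel\\", re.IGNORECASE)
DEVTUNNEL_DLL = re.compile(r"(^|\\)devtunnel\.dll$", re.IGNORECASE)

# Approved development accounts (assumption for the example): the page's
# false-positive guidance is to filter to known developers/environments.
APPROVED_DEV_USERS = {r"CORP\dev.alice"}

# Sysmon writes events in the standard Windows Event XML namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


@dataclass
class ImageLoad:
    process_guid: str
    image: str          # the process that performed the load
    image_loaded: str   # the DLL/image that was loaded
    user: str


def parse_sysmon_image_loads(xml_events: Iterable[str]) -> list[ImageLoad]:
    """Parse Sysmon XML events and keep only EventID 7 (ImageLoaded)."""
    loads: list[ImageLoad] = []
    for raw in xml_events:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "7":
            continue  # process-create, network, etc. are not image loads
        data = {d.get("Name"): (d.text or "")
                for d in root.findall("e:EventData/e:Data", NS)}
        loads.append(ImageLoad(data.get("ProcessGuid", ""), data.get("Image", ""),
                               data.get("ImageLoaded", ""), data.get("User", "")))
    return loads


def is_devtunnel_artifact(image_loaded: str) -> bool:
    """True if the loaded image sits in the devtunnel temp dir or is devtunnel.dll."""
    return bool(DEVTUNNEL_DIR.search(image_loaded) or DEVTUNNEL_DLL.search(image_loaded))


def detect(loads: list[ImageLoad]) -> list[ImageLoad]:
    """Raw hits, before any false-positive tuning."""
    return [e for e in loads if is_devtunnel_artifact(e.image_loaded)]


def filter_approved(hits: list[ImageLoad], approved=APPROVED_DEV_USERS) -> list[ImageLoad]:
    """Drop hits from approved development accounts (the page's FP guidance)."""
    return [h for h in hits if h.user not in approved]


def _event(event_id: str, fields: dict) -> str:
    """Build a minimal Sysmon-shaped XML event (constructed test data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


# Constructed sample telemetry: two loads from the devtunnel temp dir, one
# benign system DLL, one renamed-location devtunnel.dll, one process-create.
SAMPLE_EVENTS = [
    _event("7", {"ProcessGuid": "{11111111-0000-0000-0000-000000000001}",
                 "Image": r"C:\Users\alice\AppData\Local\Temp\.net\devtunnel\a1b2\devtunnel.exe",
                 "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\.net\devtunnel\a1b2\devtunnel.dll",
                 "User": r"CORP\dev.alice"}),
    _event("7", {"ProcessGuid": "{11111111-0000-0000-0000-000000000002}",
                 "Image": r"C:\Users\bob\AppData\Local\Temp\.net\devtunnel\c3d4\devtunnel.exe",
                 "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\.net\devtunnel\c3d4\System.Net.Http.dll",
                 "User": r"CORP\bob"}),
    _event("7", {"ProcessGuid": "{11111111-0000-0000-0000-000000000003}",
                 "Image": r"C:\Windows\System32\svchost.exe",
                 "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
                 "User": r"NT AUTHORITY\SYSTEM"}),
    _event("7", {"ProcessGuid": "{11111111-0000-0000-0000-000000000004}",
                 "Image": r"C:\ProgramData\tools\updater.exe",
                 "ImageLoaded": r"C:\ProgramData\tools\DEVTUNNEL.DLL",
                 "User": r"CORP\svc_build"}),
    _event("1", {"ProcessGuid": "{11111111-0000-0000-0000-000000000005}",
                 "Image": r"C:\Windows\System32\cmd.exe",
                 "CommandLine": "cmd.exe /c whoami",
                 "User": r"CORP\bob"}),
]

if __name__ == "__main__":
    for hit in filter_approved(detect(parse_sysmon_image_loads(SAMPLE_EVENTS))):
        print(f"{hit.user}\t{hit.process_guid}\t{hit.image}\t{hit.image_loaded}")
```

Running the block prints the two hits that survive the allowlist: the non-approved user loading a DLL out of the devtunnel temp directory, and the devtunnel.dll copy loaded from an unexpected location, which the bare filename pattern catches regardless of case. Keeping `detect` and `filter_approved` separate mirrors how you would tune the Splunk search: the allowlist is a filter macro on top of the raw match, so it can be audited independently of the detection logic.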
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
  • Windows Registry
  • Process
  • Module
  • File
  • Image
  • Network Traffic
  • Pod
  • Container
  • Active Directory
  • Service
  • Kernel
  • Driver
  • Volume
  • Sensor Health
  • Application Log
  • Logon Session
  • Instance
  • Command
  • WMI
  • Certificate
  • Domain Name
  • Scheduled Job
ATT&CK Techniques
  • T1090
Created: 2026-04-13