LoFP / legitimate use of cloudflare tunnels will also trigger this.

Techniques

• t1071
• t1071.001

Sample rules

Cloudflared Tunnels Related DNS Requests

• source: sigma
• technicques:
  • t1071
  • t1071.001

Description

Detects DNS query requests to Cloudflared tunnels domains.

Detection logic

condition: selection
selection:
  QueryName|endswith:
  - .v2.argotunnel.com
  - protocol-v2.argotunnel.com
  - trycloudflare.com
  - update.argotunnel.com