LoFP / some legitimate use cases include authorized devops or it teams using cloudflared for secure remote access and network management. filter alerts based on approved usage and trusted users.

| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Processes where

Processes.process="*tunnel*"
(
    (
        Processes.process="*run*"
        Processes.process="*token*"
    )
    OR
    (
        Processes.process="*--url*"
        Processes.process="*localhost*"
    )
)

by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
   Processes.parent_process_name Processes.parent_process_exec Processes.action
   Processes.dest Processes.process_current_directory Processes.process_path
   Processes.process_integrity_level Processes.original_file_name Processes.parent_process
   Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id
   Processes.process_guid Processes.process_id Processes.user Processes.process_name


| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_potential_cloudflared_tunnel_execution_filter`