
Deployable detection rules

2 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK technique T1572

Detections

Splunk ESCU · SPL · T1572
Windows Potential Cloudflared Network Connection
This analytic detects network connection events possibly associated with Cloudflared, a tool used to create tunnels via Cloudflare. Cloudflared is functionally very similar to ngrok, an ingress-as-a-service tool. It reaches out to the Cloudflare edge servers and creates an outbound connection over HTTPS (HTTP/2 or QUIC), through which the tunnel's controller makes services or private networks accessible.
| tstats `security_content_summariesonly`
   count min(_time) as firstTime
         max(_time) as lastTime
         values(All_Traffic.src_port) as src_port
from datamodel=Network_Traffic.All_Traffic where
All_Traffic.dest_port=7844
BY All_Traffic.action All_Traffic.app All_Traffic.dest
   All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.direction
   All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version
   All_Traffic.src All_Traffic.src_ip All_Traffic.transport
   All_Traffic.user All_Traffic.vendor_product
| `drop_dm_object_name(All_Traffic)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_potential_cloudflared_network_connection_filter`
Splunk ESCU · SPL · T1572
Windows Potential Cloudflared Tunnel Execution
This analytic detects command-line arguments associated with the cloudflared client used to create Cloudflare tunnels. Cloudflared is functionally very similar to ngrok, an ingress-as-a-service tool. It reaches out to the Cloudflare edge servers and creates an outbound connection over HTTPS (HTTP/2 or QUIC), through which the tunnel's controller makes services or private networks accessible.
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
from datamodel=Endpoint.Processes where
Processes.process="*tunnel*"
(
    (
        Processes.process="*run*"
        Processes.process="*token*"
    )
    OR
    (
        Processes.process="*--url*"
        Processes.process="*localhost*"
    )
)
by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
   Processes.parent_process_name Processes.parent_process_exec Processes.action
   Processes.dest Processes.process_current_directory Processes.process_path
   Processes.process_integrity_level Processes.original_file_name Processes.parent_process
   Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id
   Processes.process_guid Processes.process_id Processes.user Processes.process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_potential_cloudflared_tunnel_execution_filter`
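Both analytics above, re-implemented as plain Python predicates plus a tstats-style count/firstTime/lastTime aggregation and run over constructed sample events, so the where-clause logic (implicit AND between adjacent SPL terms, port 7844 only) can be checked offline. This is an added example, not Splunk's or the ESCU project's code; the event dicts, hostnames, IPs and the token placeholder are constructed, and case-insensitive wildcard matching is an assumption.

```python
import re

CLOUDFLARED_TUNNEL_PORT = 7844  # dest_port used by the network analytic above


def spl_match(value: str, pattern: str) -> bool:
    """SPL-style field="*x*" match: '*' spans any run of characters; case-insensitive (assumed)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def tunnel_execution_match(process: str) -> bool:
    """Mirror of the Endpoint.Processes where-clause; adjacent SPL terms are implicitly ANDed."""
    return spl_match(process, "*tunnel*") and (
        (spl_match(process, "*run*") and spl_match(process, "*token*"))
        or (spl_match(process, "*--url*") and spl_match(process, "*localhost*"))
    )


def network_connection_match(event: dict) -> bool:
    """Mirror of the Network_Traffic where-clause: destination port only."""
    return event.get("dest_port") == CLOUDFLARED_TUNNEL_PORT


def summarise(events: list, predicate, key: str) -> dict:
    """Emulate tstats count/min(_time)/max(_time) grouped BY <key> over matching events."""
    rows = {}
    for ev in events:
        if not predicate(ev):
            continue
        row = rows.setdefault(ev[key], {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return rows


# Constructed sample events, not real telemetry; hosts, IPs and the token are placeholders.
PROCESS_EVENTS = [
    {"_time": 1700000000, "dest": "ws01", "process": "cloudflared.exe tunnel run --token <PLACEHOLDER>"},
    {"_time": 1700000060, "dest": "ws01", "process": "cloudflared.exe tunnel run --token <PLACEHOLDER>"},
    {"_time": 1700000120, "dest": "ws02", "process": "cloudflared.exe tunnel --url http://localhost:8080"},
    {"_time": 1700000180, "dest": "ws03", "process": "cloudflared.exe tunnel login"},  # neither term pair
    {"_time": 1700000240, "dest": "ws04", "process": "python.exe -m http.server --bind localhost"},  # no tunnel
]
NETWORK_EVENTS = [
    {"_time": 1700000010, "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "dest_port": 7844},
    {"_time": 1700000070, "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "dest_port": 7844},
    {"_time": 1700000130, "src_ip": "10.0.0.6", "dest_ip": "203.0.113.20", "dest_port": 443},  # plain HTTPS
]


def run_detections() -> dict:
    """Run both analytics over the constructed events, keyed like the SIEM BY clause."""
    return {"tunnel_execution": summarise(PROCESS_EVENTS, lambda e: tunnel_execution_match(e["process"]), "dest"),
            "network_connection": summarise(NETWORK_EVENTS, network_connection_match, "src_ip")}
```

Only ws01 and ws02 survive the process predicate and only the 7844 flows survive the network one; a host appearing in both summaries is the correlation a triage analyst would look for first.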