Cloudflared Tunnel
Query
let CorporateCloudflareAccountID = "your_cloudflare_account_id";
union DeviceProcessEvents
| where ProcessCommandLine contains "tunnel run" and ProcessCommandLine contains "--token" // OS agnostic, handles renamed executables
| extend HalfTrim = trim_start('.*--token ', ProcessCommandLine)
| extend CloudflaredToken = parse_json(base64_decode_tostring(trim_end(' .*', HalfTrim)))
| extend CloudflareAccountID = CloudflaredToken.a
| project-away HalfTrim
| where CloudflareAccountID != CorporateCloudflareAccountIDExplanation
This query is designed to identify potential unauthorized use of Cloudflare tunnels on devices within an organization. Here's a simplified breakdown of what it does:
-
Define a Variable: It sets a variable
CorporateCloudflareAccountIDto represent the organization's official Cloudflare account ID. -
Search for Processes: It searches through
DeviceProcessEventsto find any process command lines that include the phrases "tunnel run" and "--token". This indicates that a Cloudflare tunnel is being run, and a token is being used. -
Extract Token Information:
- It trims the command line to isolate the part that contains the token.
- It decodes this token from base64 and parses it as JSON to extract detailed information.
-
Identify Account ID: From the parsed token information, it extracts the
CloudflareAccountID. -
Filter Results: It filters out any processes where the
CloudflareAccountIDmatches the organization's official account ID (CorporateCloudflareAccountID), leaving only those that do not match.
In summary, this query helps to detect any Cloudflare tunnel activities on devices that are not using the organization's official Cloudflare account, which could indicate unauthorized or suspicious activity.
Details

C.J. May
Released: June 20, 2025
Tables
Keywords
Operators