diff --git a/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml b/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml
new file mode 100644
index 00000000000..54b62bfd967
--- /dev/null
+++ b/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml
@@ -0,0 +1,32 @@
+title: DNS Query To Devtunnels Domain
+id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
+related:
+ - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
+ type: similar
+ - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
+ type: similar
+ - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
+ type: similar
+status: experimental
+description: |
+ Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
+references:
+ - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
+ - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+ - https://cydefops.com/devtunnels-unleashed
+author: citron_ninja
+date: 2023/10/25
+modified: 2023/11/20
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
+logsource:
+ category: dns_query
+ product: windows
+detection:
+ selection:
+ QueryName|endswith: '.devtunnels.ms'
+ condition: selection
+falsepositives:
+ - Legitimate use of Devtunnels will also trigger this.
+level: medium
diff --git a/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml b/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml
index aa898fb474b..d03bca54df3 100644
--- a/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml
+++ b/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml
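Review bot: The `related` entry for b3e6418f-7c7a-4fad-993a-93b65027a9f1 is typed `similar`, but this rule is the `.devtunnels.ms` half split out of that rule (the next file in this commit removes that value from its `QueryName|endswith` list), so `type: derived` describes the relationship more accurately than `similar`. The description could also name the matched domain so an analyst sees the split without opening the sibling rule: `Detects DNS query requests to Devtunnels domains (*.devtunnels.ms). Attackers can abuse this feature to establish a reverse shell or persistence on a machine.`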
@@ -1,15 +1,22 @@
-title: DNS Query To Devtunnels And VsCode Tunnels
+title: DNS Query To Visual Studio Code Tunnels Domain
 id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
+related:
+ - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
+ type: similar
+ - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
+ type: similar
+ - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
+ type: similar
 status: experimental
 description: |
- Detects DNS query to Devtunnels and Visual Studio Code tunnel domains. Attackers can be abuse these features to establish a reverse shell.
+ Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
 references:
 - https://ipfyx.fr/post/visual-studio-code-tunnel/
 - https://badoption.eu/blog/2023/01/31/code_c2.html
- - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
- - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+ - https://cydefops.com/vscode-data-exfiltration
 author: citron_ninja
 date: 2023/10/25
+modified: 2023/11/20
 tags:
 - attack.command_and_control
 - attack.t1071.001
@@ -18,10 +25,8 @@ logsource:
 product: windows
 detection:
 selection:
- QueryName|endswith:
- - '.tunnels.api.visualstudio.com'
- - '.devtunnels.ms'
+ QueryName|endswith: '.tunnels.api.visualstudio.com'
 condition: selection
 falsepositives:
- - Legitimate use of Visual Studio Code tunnel will also trigger this
+ - Legitimate use of Visual Studio Code tunnel will also trigger this.
 level: medium
diff --git a/rules/windows/network_connection/net_connection_win_devtunnel_connection.yml b/rules/windows/network_connection/net_connection_win_devtunnel_connection.yml
new file mode 100644
index 00000000000..33680cfd9a2
--- /dev/null
+++ b/rules/windows/network_connection/net_connection_win_devtunnel_connection.yml
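Review bot: The new description in the first hunk no longer says which domain this rule covers now that `.devtunnels.ms` has moved to rule 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b, so an analyst reading only this file may assume Devtunnels queries still fire here. Naming the remaining domain removes that ambiguity and also fixes the dangling "that feature": `Detects DNS query requests to Visual Studio Code tunnel domains (*.tunnels.api.visualstudio.com). Attackers can abuse this feature to establish a reverse shell or persistence on a machine.` Since the sibling rule took over part of this rule's former coverage, `type: derived` on that `related` entry would also record the split better than `similar`.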
@@ -0,0 +1,32 @@
+title: Network Connection Initiated To DevTunnels Domain
+id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
+related:
+ - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
+ type: similar
+ - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
+ type: similar
+ - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
+ type: similar
+status: experimental
+description: |
+ Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
+references:
+ - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
+ - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+ - https://cydefops.com/devtunnels-unleashed
+author: Kamran Saifullah
+date: 2023/11/20
+tags:
+ - attack.exfiltration
+ - attack.t1567.001
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith: '.devtunnels.ms'
+ condition: selection
+falsepositives:
+ - Legitimate use of Devtunnels will also trigger this.
+level: medium
diff --git a/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml b/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml
new file mode 100644
index 00000000000..64c07283510
--- /dev/null
+++ b/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml
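Review bot: The tags `attack.exfiltration` / `attack.t1567.001` do not match what the description says this rule catches: a reverse shell or persistence channel is command-and-control, and the two DNS rules for the same domains in this commit are tagged `attack.command_and_control` / `attack.t1071.001`, while T1567.001 (Exfiltration to Code Repository) does not describe a tunnel relay. Either align the tags with the siblings (`  - attack.command_and_control` and `  - attack.t1071.001`, keeping the exfiltration pair only if that use is the intended coverage) or change the description to say the rule is aimed at data exfiltration; the same mismatch is in net_connection_win_vscode_tunnel_connection.yml in the next hunk, where the cydefops reference at least points at exfiltration. Separately, `DestinationHostname` in Sysmon event 3 is, as far as I recall, filled by reverse name resolution, so connections whose relay address does not reverse-resolve under `.devtunnels.ms` would be missed; a short note in the description that the DNS rule 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b is the more reliable signal would help analysts triage gaps.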
@@ -0,0 +1,32 @@
+title: Network Connection Initiated To Visual Studio Code Tunnels Domain
+id: 4b657234-038e-4ad5-997c-4be42340bce4
+related:
+ - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
+ type: similar
+ - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
+ type: similar
+ - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
+ type: similar
+status: experimental
+description: |
+ Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
+references:
+ - https://ipfyx.fr/post/visual-studio-code-tunnel/
+ - https://badoption.eu/blog/2023/01/31/code_c2.html
+ - https://cydefops.com/vscode-data-exfiltration
+author: Kamran Saifullah
+date: 2023/11/20
+tags:
+ - attack.exfiltration
+ - attack.t1567.001
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith: '.tunnels.api.visualstudio.com'
+ condition: selection
+falsepositives:
+ - Legitimate use of Visual Studio Code tunnel will also trigger this.
+level: medium