
Summary
This detection rule identifies potentially malicious processes that attempt to reach the Instance Metadata Service (IMDS) API endpoint, which can expose sensitive information such as instance IDs, public IP addresses, and temporary security credentials. It specifically monitors for common network utilities and scripting interpreters such as curl, wget, python, and perl being used in unexpected ways to interact with the IMDS API. The rule is structured as a sequence: a suspicious process start followed by a network connection attempt from that process to the IMDS IP address (169.254.169.254). It filters out known legitimate processes and paths to minimize false positives while keeping the focus on threat detection, mapped to the MITRE ATT&CK techniques for credential access and discovery. The rule's effectiveness depends on a thorough analysis of the process details and network events, and it guides analysts through investigative steps and remediation actions if a threat is confirmed. The severity is set to medium, with a corresponding risk score of 47, indicating a notable level of concern without immediate danger.
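The two-step sequence the summary describes, written out as an added Python example rather than the rule's own query; the tool list, the allow-listed paths and the 60-second correlation window are assumptions, and the sample events are constructed:

```python
"""Toy re-implementation of the sequence logic: a network utility starts,
then the same PID connects to the IMDS address within a short window.
Sample events below are constructed, not real telemetry."""
from dataclasses import dataclass

IMDS_IP = "169.254.169.254"
SUSPICIOUS_TOOLS = {"curl", "wget", "python", "python3", "perl"}
# Hypothetical allow-list of executables that legitimately query IMDS;
# the real rule's exclusions are not reproduced here.
ALLOWED_PATHS = ("/usr/bin/cloud-init",)
MAX_SPAN_SECONDS = 60  # assumed correlation window between the two steps

@dataclass
class Event:
    kind: str        # "process" (start) or "network" (connection attempt)
    ts: float        # epoch seconds
    pid: int
    name: str = ""   # process name, for process events
    exe: str = ""    # executable path, for process events
    dest_ip: str = ""  # destination address, for network events

def detect_imds_access(events):
    """Return (pid, tool) pairs whose process start was followed by an
    IMDS connection from the same PID inside MAX_SPAN_SECONDS."""
    candidates = {}  # pid -> (start timestamp, tool name)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            if ev.name in SUSPICIOUS_TOOLS and not ev.exe.startswith(ALLOWED_PATHS):
                candidates[ev.pid] = (ev.ts, ev.name)
        elif ev.kind == "network" and ev.dest_ip == IMDS_IP:
            start = candidates.get(ev.pid)
            if start and 0 <= ev.ts - start[0] <= MAX_SPAN_SECONDS:
                alerts.append((ev.pid, start[1]))
                del candidates[ev.pid]  # report each sequence once
    return alerts

SAMPLE_EVENTS = [  # constructed
    Event("process", 100.0, 4242, "curl", "/usr/bin/curl"),
    Event("network", 100.4, 4242, dest_ip=IMDS_IP),            # matches
    Event("process", 200.0, 5151, "python3", "/usr/bin/cloud-init"),
    Event("network", 200.2, 5151, dest_ip=IMDS_IP),            # allow-listed
    Event("process", 300.0, 6161, "wget", "/usr/bin/wget"),
    Event("network", 300.1, 6161, dest_ip="192.0.2.10"),       # not IMDS
    Event("network", 900.0, 6161, dest_ip=IMDS_IP),            # outside window
]

if __name__ == "__main__":
    for pid, tool in detect_imds_access(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} tool={tool} connected to {IMDS_IP}")
```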
Categories
- Cloud
- Linux
- Endpoint
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1552
- T1552.005
- T1580
Created: 2024-08-22