Unusual Windows User Calling the Metadata Service

Elastic Detection Rules

Summary
The detection rule "Unusual Windows User Calling the Metadata Service" identifies anomalous access to the cloud platform's metadata service, specifically access performed by uncommon or unusual user accounts. The metadata service supplies configuration and credential information to cloud instances, which makes it a common target for attackers seeking to harvest credentials or other sensitive data.

The rule relies on a machine learning job that models metadata-service access behavior over a defined timeframe (the last 45 minutes) and raises an alert when the anomaly score exceeds the defined threshold of 75. It is important for detecting potential credential harvesting, especially on Windows endpoints.

False positives can arise from legitimate activity, such as newly installed programs or manual troubleshooting tasks, and these should be accounted for during analysis.

Effective use of the rule requires integration with the Elastic Stack, including the machine learning jobs used for anomaly detection, and correct configuration of the Elastic Defend and Windows integrations that supply the monitored data.

When an alert fires, investigation should review the access details and the user's behavior, correlate timestamps with known legitimate activity, assess whether the pattern matches a threat, and verify the user behind any unusual access attempt. Remedial actions include isolating affected systems and strengthening access controls.
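As an added illustration (not Elastic's rule or its ML job), the following Python stand-in shows the idea behind the rule with a simple frequency baseline instead of an anomaly score: users who reach the metadata service in the recent window but rarely or never did so in the baseline period are flagged, together with the process names an analyst needs for triage. The telemetry, user names and the `cloud-agent.exe` process name are constructed for the example; the link-local metadata address is real.

```python
from collections import Counter, defaultdict

# Link-local address used by the AWS, Azure and GCP instance metadata services.
METADATA_IP = "169.254.169.254"

# Constructed sample telemetry (not real data): (user, process, destination_ip).
# BASELINE stands for the historical learning period; WINDOW for the last 45 minutes.
BASELINE = (
    [("svc-cloud-agent", "cloud-agent.exe", METADATA_IP)] * 40  # hypothetical agent, expected caller
    + [("SYSTEM", "cloud-agent.exe", METADATA_IP)] * 12
    + [("j.doe", "chrome.exe", "93.184.216.34")] * 30           # ordinary web traffic
)
WINDOW = [
    ("svc-cloud-agent", "cloud-agent.exe", METADATA_IP),
    ("svc-cloud-agent", "cloud-agent.exe", METADATA_IP),
    ("j.doe", "powershell.exe", METADATA_IP),  # user never seen calling the service before
    ("j.doe", "powershell.exe", METADATA_IP),
    ("j.doe", "chrome.exe", "93.184.216.34"),
]


def metadata_calls_by_user(events):
    """Count metadata-service connections per user and record the processes used."""
    counts, procs = Counter(), defaultdict(set)
    for user, process, dst in events:
        if dst == METADATA_IP:
            counts[user] += 1
            procs[user].add(process)
    return counts, procs


def unusual_metadata_users(baseline, window, min_baseline_calls=5):
    """Return users who reached the metadata service in the window but were
    rare (fewer than min_baseline_calls) or absent in the baseline period.
    Each hit carries the counts and processes needed to triage the alert."""
    base_counts, _ = metadata_calls_by_user(baseline)
    win_counts, win_procs = metadata_calls_by_user(window)
    return {
        user: {
            "window_calls": n,
            "baseline_calls": base_counts.get(user, 0),
            "processes": sorted(win_procs[user]),
        }
        for user, n in win_counts.items()
        if base_counts.get(user, 0) < min_baseline_calls
    }


if __name__ == "__main__":
    for user, detail in unusual_metadata_users(BASELINE, WINDOW).items():
        print(f"ALERT {user}: {detail}")
```

Raising `min_baseline_calls` or extending the baseline period is how such a check trades false positives from occasional troubleshooting against missed first-time access.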
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • User Account
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1552
  • T1552.005
Created: 2020-09-22