
Summary
The detection rule titled "Azure Instance Metadata Service Queried - *nix" identifies potentially malicious queries to the Azure Instance Metadata Service (IMDS) from Linux-based virtual machines. IMDS lets an instance retrieve metadata about itself, such as configuration details, network settings, and maintenance events. Attackers can abuse this service to gather information that aids lateral movement within a cloud environment. The rule monitors for HTTP GET requests to the IMDS endpoint (http://169.254.169.254/metadata/instance) that carry the specific header 'Metadata:true'; such requests can indicate that an attacker is trying to extract sensitive information from the virtual machine. The rule's Splunk search filters for these queries, bins the matching events into one-second intervals, and compiles statistics on the findings, including timestamps, host details, and the user and process involved.
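To show how the rule's logic behaves over endpoint telemetry, here is an added Python example (not the rule's own SPL and not code from its author): it applies the endpoint-plus-header match to constructed Linux process-creation records, bins the matches into one-second intervals, and tallies them per host, user and process. The record layout and the output field names (dest, user, process_name) are assumptions chosen to resemble common Splunk CIM fields.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real telemetry: Linux process-creation records
# as (timestamp, host, user, process name, full command line).
SAMPLE_EVENTS = [
    ("2024-02-09T10:00:01.200Z", "web-01", "www-data", "curl",
     'curl -s -H "Metadata:true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01"'),
    ("2024-02-09T10:00:01.700Z", "web-01", "www-data", "curl",
     "curl -H Metadata:true http://169.254.169.254/metadata/instance/network?api-version=2021-02-01"),
    ("2024-02-09T10:00:05.000Z", "web-01", "root", "wget",
     "wget --header=Metadata:true -qO- http://169.254.169.254/metadata/instance?api-version=2021-02-01"),
    # Benign outbound request: no IMDS endpoint, must not match.
    ("2024-02-09T10:00:09.000Z", "db-02", "azureuser", "curl", "curl -s https://example.com/health"),
    # IMDS endpoint without the Metadata:true header: the rule requires both, so no match.
    ("2024-02-09T10:00:12.000Z", "db-02", "azureuser", "curl", "curl http://169.254.169.254/metadata/instance"),
]

# The two conditions the rule describes: the IMDS instance endpoint and the Metadata:true header.
IMDS_ENDPOINT = re.compile(r"169\.254\.169\.254/metadata/instance", re.IGNORECASE)
METADATA_HEADER = re.compile(r"metadata\s*:\s*true", re.IGNORECASE)


def is_imds_query(cmdline: str) -> bool:
    """True only when the command line targets the IMDS endpoint AND sends the header."""
    return bool(IMDS_ENDPOINT.search(cmdline) and METADATA_HEADER.search(cmdline))


def bin_to_second(ts: str) -> str:
    """Equivalent of binning _time into one-second intervals: drop the sub-second part."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(microsecond=0).isoformat()


def detect_imds_queries(events):
    """Filter matching events, then aggregate count and command lines per (second, host, user, process)."""
    stats = defaultdict(lambda: {"count": 0, "command_lines": []})
    for ts, host, user, proc, cmd in events:
        if not is_imds_query(cmd):
            continue
        key = (bin_to_second(ts), host, user, proc)
        stats[key]["count"] += 1
        stats[key]["command_lines"].append(cmd)
    return [{"_time": k[0], "dest": k[1], "user": k[2], "process_name": k[3], **v}
            for k, v in sorted(stats.items())]


if __name__ == "__main__":
    for finding in detect_imds_queries(SAMPLE_EVENTS):
        print(finding)
```

Two findings are produced: the pair of curl calls by www-data on web-01 collapse into one row for the 10:00:01 bin, and the wget call by root forms a second row; the header-less request is left out, matching the rule's requirement for both conditions.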
Categories
- Cloud
- Azure
- Linux
- Infrastructure
- Endpoint
Data Sources
- Network Traffic
- Process
- Cloud Service
ATT&CK Techniques
- T1552.005
Created: 2024-02-09