
Summary
Detects outbound HTTP GET requests to the link-local instance metadata service at 169.254.169.254 to read IAM credentials or cloud OAuth tokens from AWS, GCP, or Azure. The rule targets common metadata paths such as AWS /latest/meta-data/iam/security-credentials/*, GCP oauth2/access_token, and Azure metadata/identity/oauth2/token, indicating attempts to obtain instance role credentials or managed identities. It requires the Network Packet Capture integration with HTTP decoding on ports 80 and 443 and process enrichment so process.* fields are present to link network activity to the initiating process. The EQL rules match destination IP, port, and URL path, then constrain matches to a set of known scripting runtimes, executables, or temporary file locations to reduce false positives. False positives can occur from cloud agents or health checks; baselining and allowlisting by user agent or host can mitigate these. The detection maps to MITRE ATT&CK technique T1552.005 (Cloud Instance Metadata API) under Credential Access. The rule includes triage guidance, and setup instructions emphasize deploying the Network Packet Capture integration, enabling Capture HTTP Traffic on ports 80/443, and enabling Monitor Processes for process context. The rule is labeled with a medium severity and a risk score around 47.
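As an added illustration of the matching logic the summary describes (example code, not the rule's own EQL), the following Python applies the destination, port, credential-path and initiating-process constraints to constructed events and shows where a user-agent allowlist suppresses a benign client; the runtime set, temporary directories, allowlist entries and sample events are assumptions, not values taken from the rule.

```python
"""Toy implementation of the summarised detection; ECS-style field names, all events constructed."""
METADATA_IP = "169.254.169.254"
METADATA_PORTS = {80, 443}
# Path fragments named in the rule summary, matched as substrings of url.path.
CREDENTIAL_PATHS = (
    "/latest/meta-data/iam/security-credentials/",  # AWS instance role credentials
    "oauth2/access_token",                           # GCP OAuth access token
    "metadata/identity/oauth2/token",                # Azure managed identity token
)
# Assumed process constraint: scripting runtimes/fetch tools, or anything run from a temp directory.
SCRIPT_RUNTIMES = {"python", "python3", "perl", "ruby", "bash", "sh", "curl", "wget"}
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Constructed allowlist of known-benign metadata clients; baseline per host before adopting one.
ALLOWED_USER_AGENTS = ("Cloud-Init/", "amazon-ssm-agent")
def matches_network(ev):
    """Destination IP, port and credential path checks on the decoded HTTP GET."""
    return (ev.get("http.request.method") == "GET"
            and ev.get("destination.ip") == METADATA_IP
            and ev.get("destination.port") in METADATA_PORTS
            and any(p in ev.get("url.path", "") for p in CREDENTIAL_PATHS))

def matches_process(ev):
    """Process enrichment: suspicious runtime, or executable living in a temp location."""
    return (ev.get("process.name", "").lower() in SCRIPT_RUNTIMES
            or ev.get("process.executable", "").startswith(TEMP_DIRS))

def evaluate(ev):
    """Return 'alert', 'allowlisted' (matched but known-benign user agent), or None."""
    if not (matches_network(ev) and matches_process(ev)):
        return None
    ua = ev.get("user_agent.original", "")
    return "allowlisted" if ua.startswith(ALLOWED_USER_AGENTS) else "alert"

def alert_ids(events):
    return [ev["event.id"] for ev in events if evaluate(ev) == "alert"]

def _ev(eid, proc, exe, path, ua="", port=80):  # helper to build a constructed event
    return {"event.id": eid, "process.name": proc, "process.executable": exe,
            "http.request.method": "GET", "destination.ip": METADATA_IP,
            "destination.port": port, "url.path": path, "user_agent.original": ua}

SAMPLE_EVENTS = [  # constructed: three true positives, one allowlisted FP, two non-matches
    _ev("e1", "curl", "/usr/bin/curl", "/latest/meta-data/iam/security-credentials/", "curl/8.5.0"),
    _ev("e2", "python3", "/usr/bin/python3", "/metadata/identity/oauth2/token?resource=https://management.azure.com/", "python-requests/2.31"),
    _ev("e3", "agent", "/tmp/.x/agent", "/latest/meta-data/iam/security-credentials/web-role"),
    _ev("e4", "python3", "/usr/bin/python3", "/latest/meta-data/iam/security-credentials/", "Cloud-Init/23.4"),
    _ev("e5", "curl", "/usr/bin/curl", "/latest/meta-data/instance-id", "curl/8.5.0"),
    _ev("e6", "amazon-ssm-agent", "/usr/bin/amazon-ssm-agent", "/latest/meta-data/iam/security-credentials/", "aws-sdk-go/1.44"),
]
```

Running `alert_ids(SAMPLE_EVENTS)` yields `['e1', 'e2', 'e3']`: e4 is suppressed by the user-agent allowlist, e5 reads a non-credential path, and e6 comes from a process outside the constrained set.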
Categories
- Cloud
- Network
Data Sources
- Network Traffic
- Process
ATT&CK Techniques
- T1552
- T1552.005
Created: 2026-05-23