Cisco Isovalent - Access To Cloud Metadata Service

Splunk Security Content

Summary
This rule detects anomalous access to the cloud metadata service (IP address 169.254.169.254) from workloads (e.g., pods) that do not normally connect to it. Such access is often associated with SSRF (Server Side Request Forgery) attacks or lateral movement in environments such as AWS, GCP, and Azure, where the metadata service can expose sensitive information such as credentials. The rule uses Cisco Isovalent Process Connect telemetry to monitor access patterns, capturing source IPs, destination ports, and timestamps of access attempts. To implement it, Cisco Isovalent Runtime Security must be deployed for telemetry collection, and known benign sources should be maintained in a macro that excludes them from alerting to reduce false positives. Analysts should validate any unexpected access by considering the namespace and labels of the requesting pods.
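The detection logic described above, as an added example (not Splunk's or Isovalent's own code) run over constructed process_connect-style events; the event field names, the sample pods, and the benign-source allowlist standing in for the rule's exclusion macro are all assumptions.

```python
from collections import defaultdict

# Added example, not Splunk or Isovalent code; event field names are assumed.
METADATA_IP = "169.254.169.254"

# Stand-in for the rule's exclusion macro: (namespace, pod-name prefix) pairs
# known to legitimately query the metadata service (assumed values).
KNOWN_BENIGN = {("kube-system", "aws-node"), ("kube-system", "cloud-controller")}

def is_known_benign(ns, pod):
    return any(ns == b_ns and pod.startswith(b_pod) for b_ns, b_pod in KNOWN_BENIGN)

def detect_metadata_access(events):
    """One alert per (namespace, pod) reaching the metadata IP, minus benign sources."""
    grouped = defaultdict(lambda: {"count": 0, "src_ips": set(), "ports": set(),
                                   "first": None, "last": None, "labels": {}})
    for ev in events:
        if ev.get("destination_ip") != METADATA_IP:
            continue  # not metadata-service traffic
        ns, pod = ev["namespace"], ev["pod"]
        if is_known_benign(ns, pod):
            continue  # excluded by the allowlist macro
        g = grouped[(ns, pod)]
        g["count"] += 1
        g["src_ips"].add(ev["source_ip"])
        g["ports"].add(ev["destination_port"])
        g["first"] = ev["time"] if g["first"] is None else min(g["first"], ev["time"])
        g["last"] = ev["time"] if g["last"] is None else max(g["last"], ev["time"])
        g["labels"] = ev.get("labels", {})  # kept for the analyst's triage
    return dict(grouped)

# Constructed sample telemetry: a benign CNI pod, a web pod hitting the metadata
# endpoint twice, and one unrelated egress connection from the same web pod.
SAMPLE_EVENTS = [
    {"time": "2026-01-05T10:00:01Z", "namespace": "kube-system", "pod": "aws-node-x1",
     "source_ip": "10.0.1.5", "destination_ip": METADATA_IP, "destination_port": 80},
    {"time": "2026-01-05T10:02:10Z", "namespace": "web", "pod": "frontend-7c9",
     "source_ip": "10.0.2.9", "destination_ip": METADATA_IP, "destination_port": 80,
     "labels": {"app": "frontend"}},
    {"time": "2026-01-05T10:02:11Z", "namespace": "web", "pod": "frontend-7c9",
     "source_ip": "10.0.2.9", "destination_ip": METADATA_IP, "destination_port": 80,
     "labels": {"app": "frontend"}},
    {"time": "2026-01-05T10:03:00Z", "namespace": "web", "pod": "frontend-7c9",
     "source_ip": "10.0.2.9", "destination_ip": "203.0.113.10", "destination_port": 443},
]

if __name__ == "__main__":
    for (ns, pod), a in detect_metadata_access(SAMPLE_EVENTS).items():
        print(f"ALERT {ns}/{pod} count={a['count']} labels={a['labels']} "
              f"ports={sorted(a['ports'])} first={a['first']} last={a['last']}")
```

Only the web pod surfaces as an alert; the CNI pod is dropped by the allowlist and the HTTPS egress is ignored because its destination is not the metadata IP.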
Categories
  • Kubernetes
  • Cloud
  • Network
Data Sources
  • Process
ATT&CK Techniques
  • T1552
  • T1552.005
Created: 2026-01-05