
Summary
The rule detects when the Azure Instance Metadata Service (IMDS) is queried through URI requests made to http://169.254.169.254/metadata/instance. This service provides information about running virtual machines within Azure, such as SKU, network configuration, and pending maintenance updates. Although this information is essential for legitimate management tasks, it can also be exploited by attackers seeking insight into the environment to facilitate lateral movement within the infrastructure. The detection logic specifically looks for HTTP requests to the IMDS that include the header 'Metadata: true' and receive a response status code in the 200 range, signifying that the request succeeded. It is crucial for organizations utilizing Azure services to validate and allowlist known legitimate services that access this metadata, so that the rule surfaces unauthorized access rather than routine agent traffic.
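The matching logic described above, as an added example that is not part of the original rule: it applies the three conditions (IMDS host and instance path, 'Metadata: true' header, 2xx status) to constructed request records and drops an assumed allowlist of legitimate agents such as the Azure Linux agent.

```python
from urllib.parse import urlsplit

# Constructed sample request records (not from the original page): each is one
# HTTP request observed from a VM, reduced to the fields the rule inspects.
SAMPLE_EVENTS = [
    {"src": "vm-web-01", "process": "waagent", "method": "GET",
     "url": "http://169.254.169.254/metadata/instance?api-version=2021-02-01",
     "headers": {"Metadata": "true"}, "status": 200},
    {"src": "vm-web-01", "process": "python3", "method": "GET",
     "url": "http://169.254.169.254/metadata/instance/network?api-version=2021-02-01",
     "headers": {"Metadata": "true"}, "status": 200},
    {"src": "vm-web-02", "process": "curl", "method": "GET",
     "url": "http://169.254.169.254/metadata/instance",
     "headers": {}, "status": 400},  # no 'Metadata: true' header: IMDS rejects it
    {"src": "vm-web-02", "process": "curl", "method": "GET",
     "url": "http://10.0.0.5/metadata/instance",
     "headers": {"Metadata": "true"}, "status": 200},  # not the IMDS address
]

IMDS_HOST = "169.254.169.254"
IMDS_PATH_PREFIX = "/metadata/instance"


def is_imds_instance_query(event):
    """True when the request targets the IMDS instance endpoint, carries
    'Metadata: true' and was answered with a 2xx status (the rule's conditions)."""
    parts = urlsplit(event["url"])
    if parts.hostname != IMDS_HOST or not parts.path.startswith(IMDS_PATH_PREFIX):
        return False
    # HTTP header names are case-insensitive, so normalise before comparing.
    headers = {k.lower(): v.strip().lower() for k, v in event.get("headers", {}).items()}
    if headers.get("metadata") != "true":
        return False
    return 200 <= event.get("status", 0) <= 299


def find_imds_alerts(events, allowlisted_processes=frozenset({"waagent"})):
    """Return matching events minus those from allowlisted legitimate agents.
    The process allowlist is an assumed tuning knob, not part of the rule itself."""
    return [e for e in events
            if is_imds_instance_query(e) and e.get("process") not in allowlisted_processes]


if __name__ == "__main__":
    for alert in find_imds_alerts(SAMPLE_EVENTS):
        print(f"IMDS query from {alert['src']} via {alert['process']}: {alert['url']}")
```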
Categories
- Cloud
- Azure
Data Sources
- Web Credential
- Network Traffic
ATT&CK Techniques
- T1552.005
Created: 2024-02-09