
Summary
Detects attempts by command interpreters, scripting engines, or other processes on Windows, Linux, or macOS to query the cloud provider's instance metadata service (IMDS) at 169.254.169.254. The rule matches outbound network connections to the IMDS endpoint (169.254.169.254, port 80) initiated by common shells, runtimes, or utilities (e.g., bash, sh, curl, PowerShell, node, python, java), while excluding known legitimate startup or editor-related processes. It maps to MITRE ATT&CK T1552.005 Cloud Instance Metadata API (Credential Access) and to the discovery techniques T1016 (System Network Configuration Discovery), T1082 (System Information Discovery), and T1580 (Cloud Infrastructure Discovery). The rule uses new_terms logic keyed on host.id and process.executable with a 7-day history window, so it alerts the first time a given executable on a given host is seen contacting IMDS rather than on every repeat, which aids triage and historical context. Because IMDS can be queried to harvest instance credentials or metadata, an alert should prompt rapid containment, credential rotation, and further investigation. The rule is intended for endpoint visibility and threat hunting to surface potential post-exploitation activity that leverages IMDS-visible credentials or tokens.
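The matching and new_terms suppression described above, as an added illustration in Python that is not the rule's own query: it runs the logic over a handful of constructed ECS-style events. The interpreter list, the exclusion list (keyed on process.executable, a simplification), and the "new if not seen within 7 days" approximation of new_terms are assumptions of this example.

```python
from datetime import datetime, timedelta

IMDS_IP = "169.254.169.254"
# Interpreters and utilities named in the summary; a real rule lists more.
INTERPRETERS = {"bash", "sh", "curl", "powershell.exe", "node", "python", "java"}
# Hypothetical allowlist of legitimate startup processes (assumed, not the rule's own).
EXCLUDED_EXECUTABLES = {"/opt/startup/agent"}
WINDOW = timedelta(days=7)


def matches_query(event):
    """True if an interpreter reached IMDS on port 80 and is not on the allowlist."""
    return (
        event["destination.ip"] == IMDS_IP
        and event["destination.port"] == 80
        and event["process.name"] in INTERPRETERS
        and event["process.executable"] not in EXCLUDED_EXECUTABLES
    )


def new_terms_alerts(events, window=WINDOW):
    """Alert only when a (host.id, process.executable) pair has not been seen
    within the history window; repeats inside the window are suppressed."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        key = (ev["host.id"], ev["process.executable"])
        prior = last_seen.get(key)
        if prior is None or ev["@timestamp"] - prior > window:
            alerts.append(ev)
        last_seen[key] = ev["@timestamp"]
    return alerts


# Constructed sample events (not real telemetry).
T0 = datetime(2026, 1, 1, 12, 0, 0)
def _ev(ts, host, name, exe, ip=IMDS_IP, port=80):
    return {"@timestamp": ts, "host.id": host, "process.name": name,
            "process.executable": exe, "destination.ip": ip, "destination.port": port}

SAMPLE_EVENTS = [
    _ev(T0, "host-a", "curl", "/usr/bin/curl"),                        # first sighting: alert
    _ev(T0 + timedelta(hours=1), "host-a", "curl", "/usr/bin/curl"),   # repeat in window: suppressed
    _ev(T0, "host-b", "python", "/opt/startup/agent"),                 # allowlisted startup: no match
    _ev(T0, "host-b", "python", "/usr/bin/python3", ip="10.0.0.5"),    # not IMDS: no match
    _ev(T0 + timedelta(days=8), "host-a", "curl", "/usr/bin/curl"),    # outside window: alert again
]

if __name__ == "__main__":
    for a in new_terms_alerts(SAMPLE_EVENTS):
        print(a["@timestamp"], a["host.id"], a["process.executable"])
```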
Categories
- Endpoint
- Cloud
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1552
- T1552.005
- T1016
- T1082
- T1580
Created: 2026-05-22