Unusual Linux User Calling the Metadata Service

Elastic Detection Rules

Summary
This detection rule identifies anomalous access to cloud platform metadata services by unusual Linux users, which may indicate attempts to gather sensitive credentials or user data. It uses machine learning, with the anomaly threshold set at 75 to flag such activity. False positives can arise from new software installations or legitimate debugging, so activity from unusual user contexts needs close review. The rule runs every 15 minutes over data from the last 45 minutes and depends on the associated integrations, such as Auditd Manager and Elastic Defend, to supply the events the anomaly detection job needs. Incident response involves reviewing the user's activity, validating a legitimate reason for the access, and isolating any unauthorized accounts. The rule is part of the broader credential access mitigation strategy and is categorized under the MITRE ATT&CK framework as unsecured credentials, specifically unauthorized queries to the Cloud Instance Metadata API.
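The following is an added example, not Elastic's rule or its machine-learning job. It stands in for the anomaly model with a simple heuristic: within the 45-minute detection window the summary describes, flag metadata-service calls from users who have little or no history of such calls in a preceding baseline period. The event field names (`user`, `process`, `destination_ip`) and all sample events are constructed; the only fact taken from outside the page is the link-local address 169.254.169.254 that AWS, GCP and Azure use for the instance metadata service.

```python
"""Rare-user metadata-service access over constructed audit-style events.

Added, simplified stand-in for the page's ML rule: instead of an anomaly score
it flags users whose metadata calls in the detection window have fewer than a
minimum number of prior calls in a baseline period. Not Elastic's code.
"""
from collections import Counter
from datetime import datetime, timedelta

# Link-local address used by AWS, GCP and Azure for the instance metadata service.
METADATA_ENDPOINTS = {"169.254.169.254"}

NOW = datetime(2024, 3, 1, 12, 0)  # constructed "current time" for the sample


def ev(minutes_ago, user, process, dest):
    """Build one constructed event; field names are this example's own."""
    return {"@timestamp": NOW - timedelta(minutes=minutes_ago), "user": user,
            "process": process, "destination_ip": dest}


# Constructed sample telemetry (not real data): two service identities with a
# long history of metadata calls, one deploy user with a short history, and an
# interactive user who has never called the endpoint before.
EVENTS = [
    *[ev(d * 1440 + 5, "root", "cloud-init", "169.254.169.254") for d in range(1, 8)],
    *[ev(h * 60 + 3, "webapp", "python3", "169.254.169.254") for h in range(1, 48)],
    ev(20, "webapp", "python3", "169.254.169.254"),
    ev(30, "root", "cloud-init", "169.254.169.254"),
    ev(12, "jdoe", "curl", "169.254.169.254"),   # interactive user, no history
    ev(8, "jdoe", "curl", "10.0.0.5"),           # not the metadata service
    ev(25, "deploy", "aws", "169.254.169.254"),
    *[ev(d * 1440 + 30, "deploy", "aws", "169.254.169.254") for d in range(1, 4)],
]


def is_metadata_call(event):
    """True when the event's destination is a metadata-service endpoint."""
    return event["destination_ip"] in METADATA_ENDPOINTS


def rare_metadata_users(events, now=NOW, window=timedelta(minutes=45),
                        baseline=timedelta(days=14), min_baseline_count=3):
    """Return (user, process, iso_timestamp) for each metadata call inside the
    detection window whose user made fewer than `min_baseline_count` metadata
    calls during the `baseline` period that precedes the window."""
    window_start = now - window
    baseline_start = window_start - baseline
    # Per-user history of metadata calls before the detection window.
    history = Counter(
        e["user"] for e in events
        if is_metadata_call(e) and baseline_start <= e["@timestamp"] < window_start
    )
    alerts = []
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        if not is_metadata_call(e) or not (window_start <= e["@timestamp"] <= now):
            continue
        if history[e["user"]] < min_baseline_count:
            alerts.append((e["user"], e["process"], e["@timestamp"].isoformat()))
    return alerts


if __name__ == "__main__":
    for user, process, ts in rare_metadata_users(EVENTS):
        print(f"{ts} rare user {user!r} called the metadata service via {process!r}")
```

With the sample data, `root` and `webapp` have a long history and are ignored, `deploy` has exactly the minimum history and is ignored, and only `jdoe`'s `curl` call is reported. Raising `min_baseline_count` behaves like raising the sensitivity of the real rule: `deploy` then appears as well, which illustrates the new-software and debugging false positives the summary mentions and why a flagged user's context has to be reviewed rather than acted on automatically.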
Categories
  • Cloud
  • Linux
  • Endpoint
Data Sources
  • User Account
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1552
  • T1552.005
Created: 2020-09-22