
Unusual Linux Process Calling the Metadata Service

Elastic Detection Rules

Summary
The rule "Unusual Linux Process Calling the Metadata Service" detects access to the cloud instance metadata service by processes that do not normally contact it on Linux hosts. The metadata service is reachable from inside an instance over a link-local address (169.254.169.254 on AWS, Azure and GCP) without any network-level authentication, and it serves instance-specific data that commonly includes temporary credentials for the instance's IAM role or service account, along with user-data or startup scripts. Any process running on the host can read that data, including one an attacker launches after initial compromise, so hardened variants such as AWS IMDSv2 limit exposure from SSRF but do not stop a local process. An unexpected caller is therefore a strong indicator of credential theft or discovery.

The detection is machine-learning based. The anomaly detection job 'v3_linux_rare_metadata_process' models which processes normally call the metadata service on each host and raises an alert when a process that is rare in that baseline makes such a call. The rule requires the associated machine learning jobs to be installed and events from either the Elastic Defend or Auditd Manager integration, which supply the process and network data the job learns from; if neither integration is shipping network events for a host, the job has nothing to score for it.

False positives are expected from legitimate but infrequent callers, for example cloud-init, a cloud provider's guest agent, or a newly deployed monitoring tool that queries the metadata service once at startup. Establish a triage process and an allowlist for such processes rather than disabling the rule. Investigation should cover the full process context (executable path, command line, parent process, user, and the metadata path requested where the telemetry records it) and whether that process has a legitimate reason to obtain instance credentials in this deployment. If the access was not legitimate, isolate the affected instance and revoke or rotate the credentials exposed through the metadata service; credentials an attacker has already retrieved remain valid until they expire or are revoked, so revocation is what limits the damage.
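The following is an added example, not the Elastic rule or its machine learning job. It approximates the idea behind 'v3_linux_rare_metadata_process' with a simple per-host frequency baseline: constructed ECS-style network events stand in for what Elastic Defend or Auditd Manager would ship, a process is flagged when the host's baseline has rarely or never seen it connect to 169.254.169.254, and a hypothetical allowlist (KNOWN_CALLERS) shows how the false-positive triage described above can be folded into the detection. The host names, process names and the min_seen threshold are assumptions chosen for illustration.

```python
import json
from collections import Counter, defaultdict

METADATA_IP = "169.254.169.254"   # link-local IMDS address used by AWS, Azure and GCP

# Hypothetical per-deployment allowlist of processes expected to call the IMDS.
# Tune this to the agents actually installed on your images.
KNOWN_CALLERS = {"cloud-init", "amazon-ssm-agent"}

# Constructed ECS-style network events (one JSON object per line), standing in
# for Elastic Defend or Auditd Manager telemetry. Not real data.
BASELINE_LOG = "\n".join(
    [json.dumps({"host.name": "web-01", "process.name": "cloud-init",
                 "destination.ip": METADATA_IP})] * 5
    + [json.dumps({"host.name": "web-01", "process.name": "amazon-ssm-agent",
                   "destination.ip": METADATA_IP})] * 20
    + [json.dumps({"host.name": "web-01", "process.name": "python3",
                   "destination.ip": METADATA_IP})] * 4
    + [json.dumps({"host.name": "web-01", "process.name": "python3",
                   "destination.ip": "10.0.0.5"})] * 50      # not IMDS traffic
)

NEW_LOG = "\n".join([
    json.dumps({"host.name": "web-01", "process.name": "curl",
                "destination.ip": METADATA_IP}),           # never seen here: alert
    json.dumps({"host.name": "web-01", "process.name": "python3",
                "destination.ip": METADATA_IP}),           # common caller on web-01
    json.dumps({"host.name": "db-02", "process.name": "python3",
                "destination.ip": METADATA_IP}),           # rare on db-02: alert
    json.dumps({"host.name": "db-02", "process.name": "cloud-init",
                "destination.ip": METADATA_IP}),           # allowlisted
    json.dumps({"host.name": "db-02", "process.name": "curl",
                "destination.ip": "203.0.113.7"}),         # not IMDS: ignored
])


def parse_events(log_text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def build_baseline(events):
    """Per host, count how often each process connected to the metadata IP."""
    baseline = defaultdict(Counter)
    for e in events:
        if e.get("destination.ip") == METADATA_IP:
            baseline[e["host.name"]][e["process.name"]] += 1
    return baseline


def score_event(event, baseline, min_seen=3):
    """Return (is_anomalous, reason) for one event.

    A process is rare when the host's baseline saw it fewer than min_seen
    times calling the IMDS. Baselines are per host: a process that is normal
    on one machine is still rare on another until it builds its own history.
    """
    if event.get("destination.ip") != METADATA_IP:
        return False, "not a metadata-service connection"
    host, proc = event["host.name"], event["process.name"]
    if proc in KNOWN_CALLERS:
        return False, f"{proc} is an allowlisted IMDS caller"
    seen = baseline.get(host, Counter())[proc]
    if seen < min_seen:
        return True, f"{proc} seen {seen} time(s) calling IMDS on {host}"
    return False, f"{proc} is a common IMDS caller on {host} ({seen} calls)"


def detect(baseline_log, new_log, min_seen=3):
    """Score new events against the baseline; return (host, process, reason) alerts."""
    baseline = build_baseline(parse_events(baseline_log))
    alerts = []
    for e in parse_events(new_log):
        anomalous, reason = score_event(e, baseline, min_seen)
        if anomalous:
            alerts.append((e["host.name"], e["process.name"], reason))
    return alerts


if __name__ == "__main__":
    for host, proc, reason in detect(BASELINE_LOG, NEW_LOG):
        print(f"ALERT host={host} process={proc}: {reason}")
```

Run as a script it prints two alerts: curl on web-01, which the baseline has never seen touch the IMDS, and python3 on db-02, which is a routine caller on web-01 but has no history on db-02. The per-host baseline is the design choice worth copying: a process that is normal on one image can still be the first sign of compromise on another, which is also why a global allowlist should be kept short and reviewed.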
Categories
  • Cloud
  • Linux
  • Endpoint
Data Sources
  • Process
  • Network Traffic
  • Cloud Service
ATT&CK Techniques
  • T1552
  • T1552.005
Created: 2020-09-22