Rule Tuning Analysis
Rule ID: ecc0cd54-608e-11ef-ab6d-f661ea17fbce
Rule Name: Unusual Instance Metadata Service (IMDS) API Request
Rule Type: eql
Classification
| Metric | Value |
| --- | --- |
| Category | NOISY_NON_PERFORMANT |
| Priority | HIGH |
| Tuning Score | 61.56 |
| Version Status | ✅ Established (10 release cycles) |
Performance Metrics
| Metric | Value |
| --- | --- |
| Avg Duration | 218.8s |
| Max Duration | 300.5s |
| Slow Executions | 9 on 3 clusters |
Alert Telemetry
| Metric | Value |
| --- | --- |
| Total Alerts (3d) | 40,867 |
| Unique Clusters | 31 |
| Cluster Coverage | 1.1% |
| Daily Average | 13622 |
| Days Active | 3 |
| Coefficient of Variation | 0.46 (MODERATE) |
Analysis Flags
- 🔴 Noisy on Latest Version: ✅ Yes
- 🔴 Widespread False Positive: ❌ No
- ⚠️ Version Regression: ❌ No
- ⚠️ Stale and Noisy: ❌ No
- ⚠️ Low Version / High Volume: ❌ No
- ℹ️ Low Activity: ❌ No
Recommendation
Action: Change the EQL sequence join key to sequence by host.id, process.entity_id and add targeted agent-path exclusions (unified-monitoring-agent + Azure waagent LinuxPatch extension) while requiring IMDS indicators for interpreter/shell processes to reduce both noise and execution time.
Rationale: This rule is generating very high alert volume primarily from legitimate cloud/management agents accessing IMDS using generic interpreters (e.g., /usr/bin/python* and embedded ruby), and it is also slow because the first (process) stage is broad (python*/ruby/bash/sh) and the sequence groups by process.parent.entity_id, which can over-correlate many child processes to the same parent. Tuning should (1) exclude clearly benign agent paths seen in the alerts (unified-monitoring-agent, Azure waagent LinuxPatch extension) and (2) tighten correlation/performance by sequencing on process.entity_id and requiring IMDS indicators for interpreter shells.
Query Modifications
Over-correlation and higher execution cost due to sequencing by parent entity rather than the actual process making the network connection. (Impact: both)
Current:
```eql
sequence by host.id, process.parent.entity_id with maxspan=3s
```
Modify →
```eql
sequence by host.id, process.entity_id with maxspan=3s
```
In the provided signals, the network event and the triggering process share the same process.entity_id (e.g., Events 1-2 and 3-4). Sequencing by process.entity_id is more accurate (ties the connection to the exact process) and typically reduces correlation fan-out, improving performance and reducing accidental matches from other children of the same parent.
Broad interpreter/shell matching (python, ruby, bash, sh) without requiring an IMDS indicator creates a very large candidate set and noisy matches from benign agents. (Impact: both)
Current:
```eql
and (
  process.name : ("curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh", "openssl", "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node", "bash", "sh")
  or process.executable : ("./*", "/tmp/*", "/var/tmp/*", ...)
  or process.command_line : ("*169.254.169.254/latest/api/token*", ...)
)
```
Modify →
```eql
and (
  /* keep direct IMDS strings */
  process.command_line : (
    "*169.254.169.254/latest/api/token*",
    "*169.254.169.254/latest/meta-data/iam/security-credentials*",
    "*169.254.169.254/latest/user-data*",
    "*computeMetadata/v1/instance/service-accounts/*/token*",
    "*/metadata/identity/oauth2/token*",
    "*169.254.169.254/opc/v*/instance*",
    "*169.254.169.254/opc/v*/vnics*"
  )
  or
  /* keep dropped/odd execution locations */
  process.executable : (
    "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
    "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
  )
  or
  /* network tooling stays broad */
  process.name : ("curl", "wget", "openssl", "nc", "ncat", "netcat", "socat", "telnet", "pwsh")
  or
  /* interpreters/shells require an IMDS hint */
  (
    process.name : ("python*", "perl*", "php*", "ruby*", "lua*", "node", "awk", "gawk", "mawk", "nawk", "bash", "sh")
    and process.command_line : ("*169.254.169.254*", "*computeMetadata/v1/*", "*/metadata/identity/*")
  )
)
/* vendor-scoped exclusions; the command_line pattern needs a leading wildcard because the
   interpreter path precedes the script path in the full command line */
and not process.executable : "/opt/unified-monitoring-agent/*"
and not process.command_line : "*/var/lib/waagent/Microsoft.CPlat.Core.LinuxPatchExtension-*"
```
Events show benign agents using generic interpreters from standard paths (e.g., /usr/bin/python3.12, /opt/.../ruby). Requiring an IMDS hint for interpreter/shell processes retains attacker activity (which almost always includes the IMDS IP/URL in the command line) while significantly reducing baseline interpreter noise. Adding the two vendor-scoped exclusions directly addresses the observed false positives.
Exception Recommendations
Add exception: process.executable wildcard "/opt/unified-monitoring-agent/*" (Confidence: HIGH)
Evidence: Events 3/4 show process.executable = /opt/unified-monitoring-agent/embedded/bin/ruby with a benign config updater script, yet it triggers due to a subsequent connection to 169.254.169.254. Excluding the vendor install root is a precise, low-risk carve-out that preserves detection for attacker-launched ruby elsewhere.
Modify →
```eql
and not process.executable : "/opt/unified-monitoring-agent/*"
```
Add exception: process.command_line wildcard "*/var/lib/waagent/Microsoft.CPlat.Core.LinuxPatchExtension-*" (Confidence: HIGH)
Evidence: Event 5 shows /usr/bin/python3.12 running .../var/lib/waagent/Microsoft.CPlat.Core.LinuxPatchExtension-1.6.62/MsftLinuxPatchCore.py ... (Azure patch extension), which commonly queries IMDS. Excluding this specific waagent extension path reduces benign patch noise while preserving detection of python-based IMDS credential theft from other locations. The leading wildcard is required because the full command line starts with the interpreter path, not the script path.
Modify →
```eql
and not process.command_line : "*/var/lib/waagent/Microsoft.CPlat.Core.LinuxPatchExtension-*"
```
Add exception: process.executable wildcard "/var/lib/waagent/*" (Confidence: MEDIUM)
Evidence: Event 5 indicates waagent-managed extension execution under /var/lib/waagent/... is involved. If the LinuxPatchExtension path-only exclusion does not sufficiently reduce noise, excluding the waagent extension root is a broader (but still vendor-scoped) option. Use only after validating that alerts are dominated by waagent extensions in your environment.
Modify →
```eql
and not process.executable : "/var/lib/waagent/*"
```
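To check the two recommendations above (the join-key change in Query Modifications and the vendor-scoped exclusions in Exception Recommendations) before touching the production rule, the following Python model is an added example and not part of the advisor's output or of the rule itself. It approximates `sequence by ... with maxspan` as "pair each stage-1 event with the first later stage-2 event sharing host.id and the join key", and approximates EQL `:` wildcard matching with a whole-value, case-insensitive fnmatch. The stage-2 condition (any network event to 169.254.169.254) and all sample events, including the agent command lines and the `--metadata-url` argument, are constructed assumptions; only the pattern lists are taken from the tuning text.

```python
"""Compare current vs tuned IMDS rule logic over constructed events (added example, not the rule's code)."""
from fnmatch import fnmatchcase

IMDS_IP = "169.254.169.254"

# Pattern lists copied from the tuning recommendation.
BROAD_TOOLS = ["curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet", "pwsh", "openssl",
               "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk", "socat", "node", "bash", "sh"]
NETWORK_TOOLS = ["curl", "wget", "openssl", "nc", "ncat", "netcat", "socat", "telnet", "pwsh"]
INTERPRETERS = ["python*", "perl*", "php*", "ruby*", "lua*", "node", "awk", "gawk", "mawk", "nawk", "bash", "sh"]
ODD_PATHS = ["./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
             "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"]
IMDS_STRINGS = ["*169.254.169.254/latest/api/token*", "*169.254.169.254/latest/meta-data/iam/security-credentials*",
                "*169.254.169.254/latest/user-data*", "*computeMetadata/v1/instance/service-accounts/*/token*",
                "*/metadata/identity/oauth2/token*", "*169.254.169.254/opc/v*/instance*",
                "*169.254.169.254/opc/v*/vnics*"]
IMDS_HINTS = ["*169.254.169.254*", "*computeMetadata/v1/*", "*/metadata/identity/*"]
AGENT_EXE_EXCLUSIONS = ["/opt/unified-monitoring-agent/*"]
AGENT_CMD_EXCLUSIONS = ["*/var/lib/waagent/Microsoft.CPlat.Core.LinuxPatchExtension-*"]


def matches_any(value, patterns):
    """Approximation of EQL `field : ("a*", "b*")`: whole-value, case-insensitive wildcard match."""
    if value is None:
        return False
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def stage1_current(ev):
    """Broad current first stage: any listed tool/interpreter name, odd path, or IMDS string."""
    return ev["category"] == "process" and (
        matches_any(ev["name"], BROAD_TOOLS)
        or matches_any(ev["executable"], ODD_PATHS)
        or matches_any(ev["command_line"], IMDS_STRINGS))


def is_agent_excluded(ev):
    """The two vendor-scoped exclusions from the recommendation."""
    return (matches_any(ev["executable"], AGENT_EXE_EXCLUSIONS)
            or matches_any(ev["command_line"], AGENT_CMD_EXCLUSIONS))


def stage1_tuned(ev):
    """Tuned first stage: interpreters/shells need an IMDS hint; agent paths are carved out."""
    if ev["category"] != "process":
        return False
    hit = (matches_any(ev["command_line"], IMDS_STRINGS)
           or matches_any(ev["executable"], ODD_PATHS)
           or matches_any(ev["name"], NETWORK_TOOLS)
           or (matches_any(ev["name"], INTERPRETERS) and matches_any(ev["command_line"], IMDS_HINTS)))
    return hit and not is_agent_excluded(ev)


def stage2(ev):
    """Assumed second stage: a network event whose destination is the IMDS address."""
    return ev["category"] == "network" and ev["destination_ip"] == IMDS_IP


def run_sequence(events, stage1, join_key, maxspan=3.0):
    """Simplified `sequence by host.id, <join_key> with maxspan`: returns (stage1 id, stage2 id) pairs."""
    pairs = []
    ordered = sorted(events, key=lambda e: e["ts"])
    for i, a in enumerate(ordered):
        if not stage1(a):
            continue
        for b in ordered[i + 1:]:
            if b["ts"] - a["ts"] > maxspan:
                break  # outside the window; later events are even later
            if stage2(b) and b["host"] == a["host"] and b[join_key] == a[join_key]:
                pairs.append((a["id"], b["id"]))
                break
    return pairs


def ev(id, ts, category, entity_id, parent_entity_id, name=None, executable=None, command_line=None, destination_ip=None):
    return {"id": id, "ts": ts, "category": category, "host": "host-a", "entity_id": entity_id,
            "parent_entity_id": parent_entity_id, "name": name, "executable": executable,
            "command_line": command_line, "destination_ip": destination_ip}


# Constructed sample events (not from the report's alerts); times are seconds.
SAMPLE_EVENTS = [
    # Benign agent: embedded ruby passes an IMDS URL on its own command line, then connects to IMDS itself.
    ev("e1", 0.0, "process", "p1", "agent-svc", "ruby", "/opt/unified-monitoring-agent/embedded/bin/ruby",
       "/opt/unified-monitoring-agent/embedded/bin/ruby /opt/unified-monitoring-agent/bin/config_updater.rb "
       "--metadata-url http://169.254.169.254/opc/v2/instance"),
    ev("e2", 0.5, "network", "p1", "agent-svc", destination_ip=IMDS_IP),
    # Benign Azure patch extension run by a generic interpreter from a standard path.
    ev("e3", 10.0, "process", "p2", "waagent", "python3.12", "/usr/bin/python3.12",
       "/usr/bin/python3.12 /var/lib/waagent/Microsoft.CPlat.Core.LinuxPatchExtension-1.6.62/MsftLinuxPatchCore.py"),
    ev("e4", 10.4, "network", "p2", "waagent", destination_ip=IMDS_IP),
    # Over-correlation case: curl matches stage 1, but the IMDS connection comes from a sibling (same parent).
    ev("e5", 20.0, "process", "p3", "cron-job", "curl", "/usr/bin/curl", "curl -s https://repo.example.internal/health"),
    ev("e6", 20.2, "network", "p4", "cron-job", destination_ip=IMDS_IP),
    # Should still alert: generic interpreter from a standard path with an IMDS credential URL, then its own connection.
    ev("e7", 30.0, "process", "p5", "bash-1", "python3", "/usr/bin/python3",
       "python3 /home/user/fetch.py http://169.254.169.254/latest/meta-data/iam/security-credentials/"),
    ev("e8", 30.3, "network", "p5", "bash-1", destination_ip=IMDS_IP),
]

if __name__ == "__main__":
    for label, s1, key in [("current/parent", stage1_current, "parent_entity_id"),
                           ("current/entity", stage1_current, "entity_id"),
                           ("tuned/parent", stage1_tuned, "parent_entity_id"),
                           ("tuned/entity", stage1_tuned, "entity_id")]:
        print(f"{label:15s} -> {run_sequence(SAMPLE_EVENTS, s1, key)}")
```

Running the four combinations shows the two effects separately: switching the join key alone drops the sibling-process pair (e5, e6), and the tightened first stage with exclusions drops both agent pairs while keeping (e7, e8). Real EQL sequence semantics (multiple in-flight sequences per join key, `until`, `runs`) are richer than this model, so treat it as a regression check on the filter logic, not a substitute for testing the rule against the cluster.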
Field-Level Recommendations
| Field | Value | Alert % | Cluster % | Confidence | Type |
| --- | --- | --- | --- | --- | --- |
| process.executable | /opt/unified-monitoring-agent/... | 0.0% | 3.2% | HIGH | EXCEPTION |
| process.command_line | /var/lib/waagent/Microsoft.CPl... | 0.0% | 3.2% | HIGH | EXCEPTION |
| process.executable | /var/lib/waagent/* | 0.0% | 3.2% | MEDIUM | EXCEPTION |
This issue was generated by the GenAI Tradecraft Rule Tuning Advisor.
Analysis timestamp: 2026-03-01T06:18:23.578622