Goal

Detect HTTP requests targeting cloud instance metadata addresses or hostnames in parameters or headers, including successful responses.

Strategy

This rule monitors OCSF HTTP query strings and headers for link-local metadata IPs and provider-specific metadata hostnames, grouped by @ocsf.src_endpoint.ip.

Triage and response

• Determine whether the application should ever reach metadata endpoints from user-controlled input.
• If successful SSRF is likely, assess the risk of credential or token exposure from metadata responses.