✄𐘗
text code block:
✄𐘗event.category:"network" and host.os.type:("windows" or "macos" or "linux") and
 (destination.ip:"169.254.169.254" or destination.address :"169.254.169.254") and destination.port:"80" and (
  process.name:(
    "bash" or "dash" or "sh" or "tcsh" or "tclsh" or "wish" or "csh" or "zsh" or "ksh" or "fish" or
    "mksh" or "busybox" or "ld.so" or "ld-linux-x86-64.so.2" or "bun" or "bun.exe" or "node" or "node.exe" or
    "nodejs" or "deno" or "deno.exe" or "java" or "java.exe" or "env" or "timeout" or "setsid" or "flock" or
    "curl" or "curl.exe" or "wget" or "wget.exe" or "powershell.exe" or "cmd.exe" or "pwsh.exe" or
    "wscript.exe" or  "cscript.exe" or "regsvr32.exe" or "mshta.exe" or "rundll32.exe" or "vbc.exe" or
    "msbuild.exe" or "wmic.exe" or "cmstp.exe" or "RegAsm.exe" or "installutil.exe" or "RegSvcs.exe" or
    "msxsl.exe" or "xwizard.exe" or "csc.exe" or "pwsh" or python* or perl* or ruby* or lua* or php* or
    "terminal" or "osascript" or "nohup" or .* or "javaw" or "javaw.exe"
  ) or
  process.executable:(
    ./* or /boot/* or /dev/shm/* or /run/* or /var/run/* or /tmp/* or /var/tmp/* or /var/www/* or
    /home/*/* or /root/* or /private/var/tmp/* or /var/folders/* or /Users/Shared/* or /var/root/*
  )
) and
not (
  (
    host.os.type:"macos" and
    process.name:"node"
  ) or
  (
    process.name:"Cursor Helper (Plugin)" and
    process.code_signature.trusted:true and
    process.code_signature.signing_id:"com.github.Electron.helper"
  ) or
  (
    process.name:"Code Helper (Plugin)" and
    process.code_signature.trusted:true and
    process.code_signature.signing_id:("com.microsoft.VSCode.helper" or "com.github.Electron.helper")
  ) or
  process.executable:/vscode/vscode-server/bin/linux-x64/*/node
)