PR for IMDS Sigma Rule, Issue #514 (#1130)

Open
jtega149 wants to merge 6 commits into InnerWarden:main from jtega149:main

Conversation

@jtega149


Summary

Adds a Sigma detection rule for outbound connections to the cloud Instance Metadata Service (169.254.169.254) from processes that are not known legitimate metadata clients (MITRE T1552.005, medium severity).

Changes:

  • New rule: rules/sigma/network/lnx_imds_access_from_non_metadata_client.yml
    • Matches network.outbound_connect events to 169.254.169.254
    • Allowlists: cloud-init, ec2-metadata-collector, instance-controller, gcp-metadata-server, azure-metadata-monitor
  • Engine: sigma_rule.rs now honors Sigma filter blocks (selection and not filter) so allowlisted clients do not false-positive
  • Tests: three unit tests (positive match, allowlist negative, wrong-IP negative)

Complements the existing imds_ssrf Rust detector; this exposes the same signal in the Sigma rule set.

Type

  • Bug fix
  • New feature / capability
  • New module (fill in the Module section below)
  • Refactor / cleanup
  • Docs / config only

Validation

  • make check
  • make test
  • make scenario-qa — if this PR touches anything that could change incident / telegram / block volumes

Risk

  • No config or schema changes
  • Includes config or schema changes
  • Includes responder or privileged behavior changes
  • Includes dashboard or investigation UX changes

Spec 024 regression gate

If this PR changes a gate threshold, cooldown, responder behaviour, notification policy, or any code on the incident → decision → notification → block path, it can silently drift the volumes asserted in testdata/scenarios/. Before merging:

  • I ran make scenario-qa locally; all 7 scenarios still pass (or I updated the matching expected.json envelope and explained why in the PR body)
  • OR this PR is docs / tests / CI only and cannot affect scenario volumes (tick this and skip the one above)

Documentation

  • No documentation updates needed
  • Updated public docs
  • Updated maintainer docs

Module submission (fill in only for new modules)

Module ID: my-module
Tier: open / premium

Checklist

  • modules/<id>/module.toml - valid TOML, all required fields present, kebab-case ID
  • modules/<id>/docs/README.md - has ## Overview, ## Configuration, ## Security sections
  • modules/<id>/tests/ - at least one .rs test file (or builtin = true with tests in crates/)
  • [[rules]] entries have auto_execute = false (default safe posture)
  • Skills use separate .arg() calls - no .arg(format!(...)) interpolation
  • Skills check dry_run before executing any privileged command
  • [security].allowed_commands lists every binary the module invokes
  • innerwarden module validate --strict modules/<id> passes locally

Closes #514

@jtega149 jtega149 requested a review from esteves-uk as a code owner June 28, 2026 01:03
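The following is an added example, not code from this PR or from the InnerWarden engine. It models the Sigma semantics the summary describes (a `selection` on event type and destination IP, a `filter` block holding the allowlisted metadata clients, and the condition `selection and not filter`) in stand-alone Rust, then runs the rule over constructed events that mirror the three unit tests listed above (positive match, allowlist negative, wrong-IP negative) plus one edge case the summary does not spell out: an event with no process name. The field names `event_type`, `dst_ip` and `process_name`, the helper names, and the flat map event shape are assumptions made for this example; the IP, event type, allowlist and MITRE ID come from the PR description.

```rust
use std::collections::BTreeMap;

// Example only: a flat field -> value map stands in for a normalized telemetry
// event. The field names used here are assumptions, not the project's schema.
pub type Event = BTreeMap<&'static str, String>;

/// A Sigma selection map: AND across fields, OR across the values listed for a field.
#[derive(Debug, Clone)]
pub struct Selection {
    pub fields: Vec<(&'static str, Vec<&'static str>)>,
}

impl Selection {
    /// A field that is absent from the event never matches. Applied to the filter
    /// block, this means an event with no process name is NOT allowlisted and
    /// therefore still alerts, which is the safe failure mode for an exclusion.
    pub fn matches(&self, ev: &Event) -> bool {
        self.fields.iter().all(|(field, values)| {
            ev.get(field)
                .map_or(false, |actual| values.iter().any(|v| *v == actual.as_str()))
        })
    }
}

/// A rule whose condition is `selection and not filter`.
pub struct Rule {
    pub title: &'static str,
    pub selection: Selection,
    pub filter: Option<Selection>,
}

impl Rule {
    /// Without a filter block the rule degrades to plain `selection`, which is
    /// exactly the behaviour that made allowlisted clients fire before the
    /// engine honored filter blocks.
    pub fn matches(&self, ev: &Event) -> bool {
        let selected = self.selection.matches(ev);
        let allowlisted = self.filter.as_ref().map_or(false, |f| f.matches(ev));
        selected && !allowlisted
    }
}

/// Link-local IMDS endpoint named in the PR (IPv4 only).
pub const IMDS_IPV4: &str = "169.254.169.254";

/// Allowlist from the PR description.
pub const KNOWN_METADATA_CLIENTS: &[&str] = &[
    "cloud-init",
    "ec2-metadata-collector",
    "instance-controller",
    "gcp-metadata-server",
    "azure-metadata-monitor",
];

/// The rule under discussion, expressed with the assumed field names.
pub fn imds_rule() -> Rule {
    Rule {
        title: "IMDS access from non-metadata client (T1552.005)",
        selection: Selection {
            fields: vec![
                ("event_type", vec!["network.outbound_connect"]),
                ("dst_ip", vec![IMDS_IPV4]),
            ],
        },
        filter: Some(Selection {
            fields: vec![("process_name", KNOWN_METADATA_CLIENTS.to_vec())],
        }),
    }
}

/// Build a constructed outbound-connect event; `process_name` may be missing.
pub fn connect_event(dst_ip: &str, process_name: Option<&str>) -> Event {
    let mut ev = Event::new();
    ev.insert("event_type", "network.outbound_connect".to_string());
    ev.insert("dst_ip", dst_ip.to_string());
    if let Some(p) = process_name {
        ev.insert("process_name", p.to_string());
    }
    ev
}

/// Process names of the events that fired the rule, in input order.
pub fn alerts(rule: &Rule, events: &[Event]) -> Vec<String> {
    events
        .iter()
        .filter(|ev| rule.matches(ev))
        .map(|ev| ev.get("process_name").cloned().unwrap_or_else(|| "<unknown>".to_string()))
        .collect()
}

fn main() {
    let rule = imds_rule();
    // Constructed sample telemetry: positive, allowlisted, wrong IP, no process name.
    let events = vec![
        connect_event(IMDS_IPV4, Some("curl")),
        connect_event(IMDS_IPV4, Some("cloud-init")),
        connect_event("10.0.0.5", Some("curl")),
        connect_event(IMDS_IPV4, None),
    ];
    for ev in &events {
        println!("{:?} -> {}", ev, if rule.matches(ev) { "ALERT" } else { "ok" });
    }
    println!("{}: {:?}", rule.title, alerts(&rule, &events));
}
```

Two caveats a reviewer would raise against the rule as described. First, it keys on the client process name, not on the user, so it does not by itself implement the "non-root user" framing in the linked issue title; that would need a user field in both the selection and the telemetry. Second, the selection matches only the IPv4 endpoint; AWS also serves IMDS on the IPv6 address fd00:ec2::254, which a rule written this way would not see.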
Development

Merging this pull request may close the following issue:

Add Sigma rule: AWS instance metadata access (169.254.169.254) from non-root user