[Rule Tuning] External IP Lookup from Non-Browser Process (#1147)

* Added a couple domains

ipapi.co
ip-lookup.net
ipstack.com

(cherry picked from commit 920d973064)

rules/windows/discovery_post_exploitation_external_ip_lookup.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/04"
 maturity = "production"
-updated_date = "2021/04/08"
+updated_date = "2021/04/23"
 
 [rule]
 author = ["Elastic"]
@@ -54,7 +54,10 @@ network where network.protocol == "dns" and
         "*myipaddress.com",
         "*showipaddress.com",
         "*whatismyipaddress.com",
-        "*wtfismyip.com"
+        "*wtfismyip.com",
+        "*ipapi.co",
+        "*ip-lookup.net",
+        "*ipstack.com"
     ) and
     /* Insert noisy false positives here */
     not process.executable :