diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
index 5bf984b68..b595973e6 100644
--- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
+++ b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/04"
 maturity = "production"
-updated_date = "2021/04/08"
+updated_date = "2021/04/23"
 
 [rule]
 author = ["Elastic"]
@@ -54,7 +54,10 @@ network where network.protocol == "dns" and
     "*myipaddress.com",
     "*showipaddress.com",
     "*whatismyipaddress.com",
-    "*wtfismyip.com"
+    "*wtfismyip.com",
+    "*ipapi.co",
+    "*ip-lookup.net",
+    "*ipstack.com"
   ) and
   /* Insert noisy false positives here */
   not process.executable :
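Review bot: The three added patterns keep the bare leading-wildcard form of the existing entries, so `*ipapi.co` and `*ipstack.com` match any query name that merely ends in that string (an unrelated `foo-ipapi.co` would also fire), not only the domain and its subdomains; if that breadth is not intended, the stricter pair `"ipapi.co", "*.ipapi.co"` limits the match to the service itself. Separately, ipapi.co and ipstack.com are API-style lookup endpoints rather than browser pages, so legitimate software may query them during geolocation checks; it would help to record that expectation in the rule's false-positive notes or under the `/* Insert noisy false positives here */` comment once tuning data exists. The enclosing `network where` query starts before and continues past this hunk.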