From c6987f2484c14fc0b957979ec936ab1caa70607c Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 21 Jul 2021 00:47:39 -0500
Subject: [PATCH] [Rule Tuning] External IP Lookup from Non-Browser Process (#1147)

* Added a couple domains ipapi.co ip-lookup.net ipstack.com

(cherry picked from commit 920d9730643a9c936b25c60e2f2b432536fa3a76)
---
 .../discovery_post_exploitation_external_ip_lookup.toml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
index 5bf984b68..b595973e6 100644
--- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
+++ b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/04"
 maturity = "production"
-updated_date = "2021/04/08"
+updated_date = "2021/04/23"
 
 [rule]
 author = ["Elastic"]
@@ -54,7 +54,10 @@ network where network.protocol == "dns" and
     "*myipaddress.com",
     "*showipaddress.com",
     "*whatismyipaddress.com",
-    "*wtfismyip.com"
+    "*wtfismyip.com",
+    "*ipapi.co",
+    "*ip-lookup.net",
+    "*ipstack.com"
   ) and
   /* Insert noisy false positives here */
   not process.executable :
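Review bot: The three new entries in the second hunk, `"*ipapi.co"`, `"*ip-lookup.net"` and `"*ipstack.com"`, follow the list's existing leading-wildcard style, so each matches any queried name that merely ends in those characters rather than the service's domain and its subdomains; whether that over-matches in practice depends on the EQL wildcard semantics, which this hunk does not show. If only the service domains are intended, anchoring on the dot, `"*.ipapi.co"` alongside a bare `"ipapi.co"` entry (and likewise for the other two), would narrow the match, though the existing entries above use the same unanchored form, so a consistent change would touch them too. The dns.question.name list and the surrounding where-clause begin before this hunk, so the rest of the query was not reviewed. Separately, the first hunk sets updated_date to 2021/04/23 while the patch is dated July 2021; the cherry-pick trailer in the commit record presumably explains the gap, but the value is worth confirming against the branch's conventions.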