
Cisco NVM - Suspicious Network Connection to IP Lookup Service API
Splunk Security Content
Summary
The Cisco NVM Suspicious Network Connection to IP Lookup Service API rule detects anomalous network activity in which non-browser processes contact public IP lookup or geolocation services. These services have legitimate uses for obtaining information about an IP address, but when a non-browser application contacts them this can indicate network reconnaissance or pre-exploitation preparation by malware. Using telemetry from the Cisco Network Visibility Module (NVM), the rule filters out traffic from known browser processes and focuses on other applications that might exhibit suspicious behaviour. The detection is relevant to a range of attack scenarios involving malware and advanced threat actors; its query targets a set of specific domain names commonly associated with such services.
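The filtering logic the summary describes can be exercised outside Splunk on a handful of flow records. The block below is an added example written for this page; it is not the rule's own SPL and not Splunk Security Content or Cisco code. The browser allow-list, the watchlist of lookup-service domains (RFC 2606 `.example` placeholders standing in for the rule's real domain list), the `FlowRecord` field names and the sample records are all constructed assumptions.

```python
"""Added example: browser-exclusion plus domain-watchlist matching over
constructed flow records, mirroring the detection logic described above.
Not the Splunk rule's query; all names, lists and records are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: process names the rule treats as known browsers and excludes.
KNOWN_BROWSERS = frozenset(
    {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe", "iexplore.exe", "safari"}
)

# Constructed placeholders for the IP lookup / geolocation service domains
# the real rule targets (the page does not list them).
IP_LOOKUP_DOMAINS = frozenset({"ip-lookup.example", "whatismyip.example", "geoip.example"})


@dataclass(frozen=True)
class FlowRecord:
    """Minimal stand-in for an NVM flow event; field names are assumptions."""
    host: str
    process_path: str
    dest_hostname: str
    dest_port: int


def process_basename(path: str) -> str:
    """Normalise a Windows or POSIX process path to its lowercase file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_browser(path: str, browsers: frozenset = KNOWN_BROWSERS) -> bool:
    """True when the process file name is on the browser allow-list."""
    return process_basename(path) in browsers


def matches_watchlist(hostname: str, watchlist: frozenset = IP_LOOKUP_DOMAINS) -> bool:
    """True when hostname equals a watchlisted domain or is one of its subdomains.

    Case and a trailing root dot are ignored; 'notgeoip.example' must not match
    'geoip.example', so the suffix check requires the dot separator.
    """
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in watchlist)


def find_suspicious(records, browsers=KNOWN_BROWSERS, watchlist=IP_LOOKUP_DOMAINS):
    """Return records from non-browser processes that reach a watchlisted domain."""
    return [
        r for r in records
        if not is_browser(r.process_path, browsers)
        and matches_watchlist(r.dest_hostname, watchlist)
    ]


def summarise(hits):
    """Group hits by (host, process) with a count and sorted destinations,
    similar to a stats-by aggregation in a SIEM query."""
    grouped = defaultdict(lambda: {"count": 0, "destinations": set()})
    for r in hits:
        key = (r.host, process_basename(r.process_path))
        grouped[key]["count"] += 1
        grouped[key]["destinations"].add(r.dest_hostname.lower())
    return {
        k: {"count": v["count"], "destinations": sorted(v["destinations"])}
        for k, v in grouped.items()
    }


# Constructed sample records: one browser hit (excluded), three non-browser
# hits, and one benign non-browser connection.
SAMPLE_RECORDS = [
    FlowRecord("WS01", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "whatismyip.example", 443),
    FlowRecord("WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "whatismyip.example", 443),
    FlowRecord("WS02", r"C:\Users\Public\updater.exe", "api.geoip.example", 443),
    FlowRecord("WS02", r"C:\Windows\System32\svchost.exe", "update.vendor.example", 443),
    FlowRecord("WS03", "/usr/bin/curl", "ip-lookup.example", 80),
]


if __name__ == "__main__":
    for (host, proc), info in summarise(find_suspicious(SAMPLE_RECORDS)).items():
        print(f"{host} {proc}: {info['count']} connection(s) to {', '.join(info['destinations'])}")
```

The subdomain handling in `matches_watchlist` is the part worth keeping when porting this to a real query: a plain substring match on the hostname produces false positives on unrelated domains that happen to contain the watchlisted name, while an exact match misses API subdomains of the same service.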
Categories
- Network
- Endpoint
Data Sources
- Pod
- Container
- User Account
- Network Traffic
ATT&CK Techniques
- T1590.005
- T1016
Created: 2025-07-04