
Summary
This detection rule identifies DNS queries from Windows hosts to known public IP address lookup services, such as api.ipify.org and ip-api.com. Malware commonly resolves these names to learn the victim's public-facing IP address, which supports reconnaissance and, in some cases, command and control. The rule is written in EQL (Event Query Language) over network (DNS) events enriched with process context, and it flags queries made by unexpected processes, particularly those whose code signature is untrusted or that are otherwise associated with suspicious activity. The high severity reflects the risk such lookups carry: a hit warrants thorough investigation and, where confirmed, remediation.
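To make the matching logic concrete, the following is an added Python re-implementation of the conditions the summary describes, run over a handful of constructed Windows DNS events. It is not the rule's own EQL query; the lookup domains beyond api.ipify.org and ip-api.com, the browser allowlist, and the ECS-style field names (`dns.question.name`, `process.name`, `process.code_signature.trusted`, `host.os.type`) are assumptions made for this illustration.

```python
"""Added example: Python mirror of the detection logic in the summary.
Not the rule's EQL; domain list, browser allowlist and field names are
assumptions for illustration (see lead-in)."""

from typing import Dict, Iterable, List

# Public IP lookup services. api.ipify.org and ip-api.com come from the
# summary; the remaining entries are assumed additions of the same kind.
IP_LOOKUP_DOMAINS = (
    "api.ipify.org",
    "ip-api.com",
    "ipinfo.io",
    "icanhazip.com",
    "checkip.amazonaws.com",
)

# Processes that legitimately resolve these names (assumed allowlist).
# The exclusion applies only when the binary carries a trusted code
# signature, so an unsigned file merely named chrome.exe is still flagged.
BROWSER_NAMES = ("chrome.exe", "msedge.exe", "firefox.exe")


def is_ip_lookup_domain(name: str) -> bool:
    """True if the queried name is, or is a subdomain of, a lookup service."""
    name = name.lower().rstrip(".")  # normalise case and trailing dot
    return any(name == d or name.endswith("." + d) for d in IP_LOOKUP_DOMAINS)


def is_suspicious_ip_lookup(event: Dict[str, object]) -> bool:
    """Apply the rule's conditions to one flattened ECS-style DNS event."""
    if event.get("host.os.type") != "windows":
        return False  # rule is scoped to Windows endpoints
    if event.get("event.category") != "network":
        return False
    if not is_ip_lookup_domain(str(event.get("dns.question.name", ""))):
        return False
    proc = str(event.get("process.name", "")).lower()
    trusted = event.get("process.code_signature.trusted") is True
    # Signed, known browsers are expected to reach these services.
    if proc in BROWSER_NAMES and trusted:
        return False
    return True


def detect(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events that would fire the rule, in input order."""
    return [e for e in events if is_suspicious_ip_lookup(e)]


def _evt(eid: str, os_type: str, proc: str, path: str, trusted: bool, qname: str) -> Dict[str, object]:
    return {
        "event.id": eid,
        "event.category": "network",
        "host.os.type": os_type,
        "process.name": proc,
        "process.executable": path,
        "process.code_signature.trusted": trusted,
        "dns.question.name": qname,
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # e1: signed browser, benign lookup -> not flagged
    _evt("e1", "windows", "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", True, "api.ipify.org"),
    # e2: PowerShell resolving ip-api.com -> flagged (not a browser)
    _evt("e2", "windows", "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", True, "ip-api.com"),
    # e3: unsigned binary in AppData -> flagged
    _evt("e3", "windows", "update.exe", r"C:\Users\alice\AppData\Roaming\update.exe", False, "ipinfo.io"),
    # e4: unsigned file masquerading as chrome.exe -> flagged (allowlist needs a trusted signature)
    _evt("e4", "windows", "chrome.exe", r"C:\Users\alice\AppData\Local\Temp\chrome.exe", False, "api.ipify.org."),
    # e5: ordinary DNS traffic -> not flagged
    _evt("e5", "windows", "svchost.exe", r"C:\Windows\System32\svchost.exe", True, "www.microsoft.com"),
    # e6: non-Windows host -> out of scope, not flagged
    _evt("e6", "linux", "curl", "/usr/bin/curl", False, "api.ipify.org"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['event.id']}: {hit['process.name']} -> {hit['dns.question.name']}")
```

Expect benign hits from VPN clients, dynamic DNS updaters and similar agents that legitimately need the host's public address; tune the allowlist by process name together with a trusted code signature rather than by name alone, so that a renamed or unsigned binary does not inherit the exclusion.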
Categories
- Endpoint
- Windows
Data Sources
- Network Traffic
- Process
- Container
ATT&CK Techniques
- T1016 (System Network Configuration Discovery)
- T1071 (Application Layer Protocol)
- T1071.004 (Application Layer Protocol: DNS)
Created: 2025-08-20