External IP Address Discovery via Curl

Elastic Detection Rules

Summary
This detection rule identifies potentially malicious activity in which macOS processes execute curl or nscurl commands to reach public IP address lookup services. Attackers commonly run such commands during reconnaissance to learn the external IP address of a compromised system, which informs subsequent targeting and exploitation. The rule's goal is to capture curl requests that may signal an attempt to learn a victim's network context, particularly when they are initiated from uncommon parent processes or untrusted sources.

The rule triggers on process events where the operating system type is macOS, the event type is 'start', and the action is 'exec'. It checks the process's parent executable against known paths associated with legitimate applications, scripted contexts, and binaries lacking trusted code signatures. It covers a number of common external IP lookup services by matching command-line patterns indicative of reconnaissance.

Key investigation steps are validating the process that initiated the command, reviewing outbound network telemetry associated with those requests, and assessing any follow-up suspicious behavior such as unexpected outbound connections or the setup of persistence mechanisms. Because there are legitimate uses, such as network troubleshooting by system administrators, the rule also includes guidance for triaging false positives. Recommended immediate responses include isolating affected devices, removing suspicious artifacts, and performing comprehensive network scans to validate the security posture after the incident, alongside rapid remediation and further forensic analysis as necessary.
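The filtering the summary describes (macOS start/exec events, a curl or nscurl process, a command line naming an IP lookup service, and a parent that is a scripted context or unsigned), as an added Python example run over constructed process events; this is not Elastic's rule logic, and the lookup hostnames, scripted-parent paths and ECS-style field layout are assumptions:

```python
import re

# Assumed hostnames of public IP lookup services (a constructed sample, not the rule's own list).
IP_LOOKUP = re.compile(r"ifconfig\.me|icanhazip\.com|ipinfo\.io|api\.ipify\.org", re.I)
# Assumed parent executables that count as scripted contexts (hypothetical list).
SCRIPT_PARENTS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3"}


def is_external_ip_discovery(event: dict) -> bool:
    """True when a process event matches the behaviour the rule summary describes.
    Keys mirror ECS names (host.os.type, event.type, event.action, process.*) as nested dicts."""
    if event.get("host", {}).get("os", {}).get("type") != "macos":
        return False
    ev = event.get("event", {})
    if ev.get("type") != "start" or ev.get("action") != "exec":
        return False
    proc = event.get("process", {})
    if proc.get("name") not in ("curl", "nscurl"):
        return False
    if not IP_LOOKUP.search(proc.get("command_line", "")):
        return False
    parent = proc.get("parent", {})
    # Flag only when the parent is a scripting context or lacks a trusted code signature.
    scripted = parent.get("executable") in SCRIPT_PARENTS
    untrusted = not parent.get("code_signature", {}).get("trusted", False)
    return scripted or untrusted


def find_alerts(events: list) -> list:
    """Command lines of every event the rule would flag, in input order."""
    return [e["process"]["command_line"] for e in events if is_external_ip_discovery(e)]


def make_event(os_type, name, cmd, parent_exe, parent_trusted):
    """Build a constructed process start/exec event (sample data, not real telemetry)."""
    return {"host": {"os": {"type": os_type}}, "event": {"type": "start", "action": "exec"},
            "process": {"name": name, "command_line": cmd,
                        "parent": {"executable": parent_exe,
                                   "code_signature": {"trusted": parent_trusted}}}}


SAMPLE_EVENTS = [
    make_event("macos", "curl", "curl -s https://ifconfig.me", "/bin/bash", True),  # scripted parent
    make_event("macos", "curl", "curl https://ipinfo.io/json",
               "/Applications/NetTool.app/Contents/MacOS/NetTool", True),  # trusted app, benign
    make_event("macos", "nscurl", "nscurl https://api.ipify.org", "/Users/demo/updater", False),  # unsigned
    make_event("linux", "curl", "curl https://icanhazip.com", "/bin/bash", True),  # wrong OS
]

if __name__ == "__main__":
    for cmd in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

The second sample shows the false-positive case the summary mentions: the same lookup from a trusted, non-scripted parent does not fire.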
Categories
  • Endpoint
  • macOS
Data Sources
  • Process
  • Network Traffic
  • Command
ATT&CK Techniques
  • T1016
  • T1016.001
Created: 2026-01-30