
Linux External IP Address Discovery via Curl

Elastic Detection Rules

Summary
Detects Linux processes that invoke curl to query public IP address lookup services as part of external IP discovery. The rule triggers when a curl process starts on a Linux host (host.os.type == 'linux', event.type == 'start', process.name == 'curl') and its command_line references a known address lookup endpoint (e.g., ip-api.com, whatismyipaddress.com, ipify.org). A broad set of parent-process filters excludes common benign contexts to reduce false positives. The rule relies on Linux process data (process, command_line, parent) from Elastic Defend and SentinelOne Cloud Funnel. It maps to MITRE ATT&CK Discovery technique T1016 (System Network Configuration Discovery). The setup section describes the Elastic Defend integration prerequisites and deployment steps. Severity is low: most curl-based IP lookups are benign, but adversaries also perform them to learn a victim's external address during targeting.
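The following is an added, constructed re-implementation of the matching logic the summary describes, run over a few hand-written process-start events; it is not Elastic's rule code. The endpoint list is the subset named above (the real rule covers more services), and the parent-process exclusions (`cloud-init`, `puppet`) are hypothetical stand-ins for the rule's actual filters.

```python
"""Toy evaluation of the curl external-IP-discovery rule over constructed events.

Constructed example, not the Elastic rule itself. LOOKUP_DOMAINS is only the
subset of services named in the summary; BENIGN_PARENTS is a hypothetical
stand-in for the rule's real parent-process exclusions.
"""
import shlex
from urllib.parse import urlsplit

# Subset of address lookup services named in the rule summary (assumption:
# the real rule's list is broader).
LOOKUP_DOMAINS = {"ip-api.com", "whatismyipaddress.com", "ipify.org"}

# HYPOTHETICAL parent-process exclusions standing in for the rule's filters.
BENIGN_PARENTS = {"cloud-init", "puppet"}


def _hostnames(command_line):
    """Extract every hostname that appears in the command line.

    Tokens without a scheme (e.g. a bare 'whatismyipaddress.com') are given a
    dummy http:// prefix so urlsplit can parse them; flag tokens like '-s' then
    yield junk hostnames that simply never match a lookup domain.
    """
    try:
        tokens = shlex.split(command_line)
    except ValueError:  # unbalanced quotes in the captured command line
        tokens = command_line.split()
    hosts = set()
    for tok in tokens:
        if "://" not in tok:
            tok = "http://" + tok
        try:
            host = urlsplit(tok).hostname
        except ValueError:  # malformed netloc such as an unclosed '['
            continue
        if host:
            hosts.add(host.lower())
    return hosts


def _is_lookup_host(host):
    """True if host is a lookup domain or a subdomain of one (api.ipify.org)."""
    return any(host == d or host.endswith("." + d) for d in LOOKUP_DOMAINS)


def matches_rule(event):
    """Return True when one ECS-style process event satisfies the rule."""
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.type") != "start":
        return False
    if event.get("process.name") != "curl":
        return False
    if event.get("process.parent.name") in BENIGN_PARENTS:
        return False  # benign context excluded to limit false positives
    return any(_is_lookup_host(h)
               for h in _hostnames(event.get("process.command_line", "")))


def evaluate(events):
    """Return the indexes of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample events (field names follow ECS; values are made up).
SAMPLE_EVENTS = [
    {"host.os.type": "linux", "event.type": "start", "process.name": "curl",
     "process.parent.name": "bash",
     "process.command_line": "curl -s https://api.ipify.org"},           # alert
    {"host.os.type": "linux", "event.type": "start", "process.name": "curl",
     "process.parent.name": "bash",
     "process.command_line": "curl -fsSL https://example.com/install.sh"},  # no
    {"host.os.type": "linux", "event.type": "start", "process.name": "curl",
     "process.parent.name": "cloud-init",
     "process.command_line": "curl http://ip-api.com/json"},  # excluded parent
    {"host.os.type": "windows", "event.type": "start", "process.name": "curl",
     "process.parent.name": "cmd.exe",
     "process.command_line": "curl https://ip-api.com/json"},  # not linux
    {"host.os.type": "linux", "event.type": "start", "process.name": "curl",
     "process.parent.name": "sh",
     "process.command_line": "curl whatismyipaddress.com"},  # bare host, alert
]

if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print("ALERT:", SAMPLE_EVENTS[i]["process.command_line"])
```

Matching on the parsed hostname rather than on a raw substring is deliberate: it still catches `api.ipify.org` through the suffix check, but it will not fire on an unrelated URL whose path merely happens to contain one of the strings. The third event shows why the parent-process exclusions matter for noise: the same lookup from an automated provisioning agent is dropped, while the identical command from an interactive shell alerts.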
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
ATT&CK Techniques
  • T1016
Created: 2026-07-02