
Summary
Detects Linux processes invoking curl to query public IP address lookup services as part of external IP discovery. The rule triggers when a curl process starts on Linux (host.os.type == 'linux', event.type == 'start', process.name == 'curl') and the command line references known address lookup endpoints (e.g., ip-api.com, whatismyipaddress.com, ipify.org). A broad set of parent-process filters excludes common benign contexts to reduce false positives. The rule relies on Linux process data (process, command_line, parent) from Elastic Defend and the SentinelOne Cloud Funnel integration. It maps to MITRE ATT&CK Discovery technique T1016 (System Network Configuration Discovery). The setup portion describes Elastic Defend integration prerequisites and deployment steps. Severity is low, reflecting the likelihood of benign curl-based IP lookups, while still covering the technique's potential use by an adversary to learn a host's external address.
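A toy re-implementation of the matching logic described above, run over constructed process-start events, as an added example that is not the rule's own query or code. It assumes ECS-style flat field names (host.os.type, event.type, process.name, process.command_line, process.parent.name); the endpoint list is limited to the domains named in the summary and the parent-process exclusion set is a placeholder, not the rule's real filter list.

```python
import re

# Lookup services named in the summary; the real rule's endpoint list is longer.
IP_LOOKUP_DOMAINS = {"ip-api.com", "whatismyipaddress.com", "ipify.org"}

# Placeholder for the rule's benign parent-process exclusions (hypothetical name).
BENIGN_PARENTS = {"some-monitoring-agent"}

# Matches a bare host, a host:port, or a URL token in a command line.
URL_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?::\d+)?(?:/\S*)?")


def referenced_domains(command_line: str) -> set:
    """Return the lower-cased host names mentioned anywhere in the command line."""
    hosts = set()
    for token in command_line.split():
        m = URL_RE.fullmatch(token)
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def matches_lookup_service(hosts) -> bool:
    """True if any host is a known lookup domain or a subdomain of one."""
    return any(h == d or h.endswith("." + d) for h in hosts for d in IP_LOOKUP_DOMAINS)


def is_curl_ip_lookup(event: dict) -> bool:
    """Apply the rule's conditions: Linux, process start, curl, not a benign parent,
    and a lookup endpoint referenced in the command line."""
    if event.get("host.os.type") != "linux" or event.get("event.type") != "start":
        return False
    if event.get("process.name") != "curl":
        return False
    if event.get("process.parent.name") in BENIGN_PARENTS:
        return False
    return matches_lookup_service(referenced_domains(event.get("process.command_line", "")))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "e1", "host.os.type": "linux", "event.type": "start", "process.name": "curl",
     "process.parent.name": "bash", "process.command_line": "curl -s https://api.ipify.org"},
    {"id": "e2", "host.os.type": "linux", "event.type": "start", "process.name": "curl",
     "process.parent.name": "sh", "process.command_line": "curl -s ip-api.com/json"},
    {"id": "e3", "host.os.type": "linux", "event.type": "start", "process.name": "curl",
     "process.parent.name": "some-monitoring-agent",
     "process.command_line": "curl https://whatismyipaddress.com"},
    {"id": "e4", "host.os.type": "linux", "event.type": "start", "process.name": "curl",
     "process.parent.name": "bash", "process.command_line": "curl -sSL https://example.org/x.sh"},
    {"id": "e5", "host.os.type": "windows", "event.type": "start", "process.name": "curl",
     "process.parent.name": "cmd.exe", "process.command_line": "curl https://ipify.org"},
]


def alerts(events) -> list:
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if is_curl_ip_lookup(e)]
```

Only e1 and e2 fire: e3 is suppressed by the parent filter, e4 references no lookup service, and e5 is not a Linux host.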
Categories
- Endpoint
- Linux
Data Sources
- Process
ATT&CK Techniques
- T1016
Created: 2026-07-02