
Summary
This analytic rule detects use of PowerShell's `Invoke-RestMethod` cmdlet to collect external IP address or geolocation information from services such as `ipinfo.io` or `api.ipify.org`. The detection relies on PowerShell Script Block Logging (Event ID 4104) and looks for script blocks that contain calls to these APIs, a pattern indicative of reconnaissance. The activity is significant because it can indicate that a threat actor is enumerating a compromised system's geographic location or network details. Some legitimate applications query these services for valid reasons, but the behavior is also common in malware and post-exploitation frameworks, including tooling used by the Water Gamayun group. Implementing this rule requires Script Block Logging to be enabled and forwarded, and tuning for false positives from authorized administrative tools that invoke the same APIs.
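The following is an added example of the detection logic described above, run over constructed 4104 script block events; it is illustrative code, not the rule's own search or any vendor implementation. It matches the cmdlet (and its built-in `irm` alias) together with one of the named service hosts in the same script block, ignores other event codes, and shows the false-positive tuning the summary calls for by exempting an allowlisted script path. The event records, hostnames (`WS01` etc.) and script paths are constructed for the example.

```python
"""Added example: flag Invoke-RestMethod calls to external-IP / geolocation
services in PowerShell Script Block Logging (Event ID 4104) records.
Illustrative code, not the analytic rule's own search."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Service hosts named on the page; extend this tuple to cover other lookup services.
RECON_HOSTS = ("ipinfo.io", "api.ipify.org")

# Cmdlet or its built-in alias. Lookarounds keep 'confirm' or 'Invoke-RestMethodX'
# from matching while still allowing quotes, parentheses or pipes next to the token.
CMDLET_RE = re.compile(r"(?<![\w-])(Invoke-RestMethod|irm)(?![\w-])", re.IGNORECASE)
HOST_RE = re.compile(
    r"(?<![\w.-])(" + "|".join(re.escape(h) for h in RECON_HOSTS) + r")(?![\w-])",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    computer: str
    cmdlet: str
    host: str
    path: str


def detect(events: Iterable[dict], allowlisted_paths: frozenset = frozenset()) -> List[Finding]:
    """Return one Finding per 4104 event whose ScriptBlockText contains both the
    cmdlet and a recon host. Events from allowlisted script paths are suppressed
    (the false-positive tuning for authorized administrative tools)."""
    findings = []
    for ev in events:
        if ev.get("EventCode") != 4104:          # only script block logging records
            continue
        text = ev.get("ScriptBlockText", "")
        cmdlet = CMDLET_RE.search(text)
        host = HOST_RE.search(text)
        if not (cmdlet and host):                # a bare mention of the host is not a call
            continue
        path = ev.get("Path", "")                # 4104 carries the script path when known
        if path in allowlisted_paths:
            continue
        findings.append(Finding(ev.get("Computer", "?"), cmdlet.group(1), host.group(1).lower(), path))
    return findings


# Constructed sample events (hypothetical hosts and paths), not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "WS01", "Path": r"C:\Users\alice\AppData\Local\Temp\upd.ps1",
     "ScriptBlockText": "$ip = Invoke-RestMethod -Uri 'https://api.ipify.org?format=json'"},
    {"EventCode": 4104, "Computer": "WS02", "Path": "",
     "ScriptBlockText": "$geo = irm https://ipinfo.io/json; $geo.country"},
    {"EventCode": 4104, "Computer": "SRV01", "Path": r"C:\Scripts\inventory.ps1",
     "ScriptBlockText": "Invoke-RestMethod -Uri 'https://cmdb.corp.example/api/hosts' -Method Get"},
    {"EventCode": 4104, "Computer": "SRV02", "Path": r"C:\Scripts\netcheck.ps1",
     "ScriptBlockText": 'Invoke-RestMethod "https://api.ipify.org"'},
    {"EventCode": 4103, "Computer": "WS03", "Path": "",
     "ScriptBlockText": "irm https://ipinfo.io/json"},          # wrong event code, ignored
    {"EventCode": 4104, "Computer": "WS04", "Path": "",
     "ScriptBlockText": "Write-Host 'ipinfo.io is a handy service'"},  # no cmdlet, ignored
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.computer}: {f.cmdlet} -> {f.host} (script: {f.path or 'interactive'})")
    print("after allowlisting netcheck.ps1:",
          len(detect(SAMPLE_EVENTS, frozenset({r"C:\Scripts\netcheck.ps1"}))), "findings")
```

Requiring both the cmdlet and the host in one script block is what keeps a log line or comment that merely names `ipinfo.io` from firing; an allowlist keyed on the 4104 `Path` field is the simplest tuning for known administrative scripts, but it does not help for interactive sessions, where `Path` is empty.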
Categories
- Endpoint
Data Sources
- Pod
- Process
ATT&CK Techniques
- T1082
- T1016
- T1059.001
Created: 2025-04-17