
Summary
This detection rule monitors DNS queries to identify suspicious requests made by non-browser processes to public IP lookup services. Specifically, it focuses on traffic directed at known APIs such as 'api.ipify.org', which attackers and malware commonly use to learn a compromised host's external IP address as part of reconnaissance on Windows systems. The rule combines a selection (queries for the IP lookup domains) with a filter (queries originating from web browsers) so that only queries from unexpected sources, i.e. non-browser applications, trigger alerts. False positives are acknowledged for legitimate use of such services, for example administrative scripts or tools that look up the public IP, reflecting a balance between detection sensitivity and alert noise.
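The selection-and-filter logic described above, as an added worked example that is not part of the rule or its project. It evaluates constructed Sysmon Event ID 22 (DNS query) records, using the real Sysmon field names `Image` and `QueryName`; 'api.ipify.org' is the domain named in the summary, while the other lookup domains and the browser executable list are assumptions to be tuned per environment.

```python
import json
import ntpath

# Destination domains to watch. 'api.ipify.org' is the one named in the rule
# summary; the remaining entries are assumed additions for illustration.
IP_LOOKUP_DOMAINS = (
    "api.ipify.org",
    "ifconfig.me",     # assumed
    "icanhazip.com",   # assumed
)

# Browser executables whose IP lookups are expected and therefore filtered out.
# Assumed list; extend it to match the browsers deployed in your environment.
BROWSER_IMAGES = {
    "chrome.exe", "msedge.exe", "firefox.exe",
    "iexplore.exe", "brave.exe", "opera.exe",
}


def is_ip_lookup_query(query_name: str) -> bool:
    """Selection: does the queried name belong to a known IP lookup service?"""
    q = query_name.lower().rstrip(".")  # normalise case and trailing dot
    return any(q == d or q.endswith("." + d) for d in IP_LOOKUP_DOMAINS)


def is_browser(image: str) -> bool:
    """Filter: is the querying process one of the expected browsers?"""
    return ntpath.basename(image).lower() in BROWSER_IMAGES


def evaluate(event: dict) -> bool:
    """Return True when a single Sysmon event should raise an alert."""
    if event.get("EventID") != 22:           # only DNS query events
        return False
    if not is_ip_lookup_query(event.get("QueryName", "")):
        return False
    return not is_browser(event.get("Image", ""))


def detect(lines):
    """Run the rule over JSON-lines Sysmon events; return (Image, QueryName) hits."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if evaluate(event):
            alerts.append((event["Image"], event["QueryName"]))
    return alerts


# Constructed sample log: one expected browser lookup, two non-browser lookups,
# one unrelated DNS query and one non-DNS event.
SAMPLE_LOG = r"""
{"EventID": 22, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "QueryName": "api.ipify.org"}
{"EventID": 22, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "QueryName": "api.ipify.org"}
{"EventID": 22, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "QueryName": "ifconfig.me"}
{"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "www.microsoft.com"}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "CommandLine": "update.exe /silent"}
"""


def run_sample():
    """Apply the rule to the constructed sample; expected: two alerts."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for image, query in run_sample():
        print(f"ALERT non-browser IP lookup: {image} -> {query}")
```

The browser filter keys on the executable name only, so a process renamed to `chrome.exe` would be excluded; in production, pair the image check with a signature or path condition if that evasion matters in your environment, and add any legitimate administrative tools that query these services to the filter to keep the false positive rate manageable.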
Categories
- Network
- Endpoint
- Windows
Data Sources
- Network Traffic
- Logon Session
Created: 2021-07-08