Quick hack to get the external IP of an endpoint:

select result from curl where url = '<http://ipaddr.io>';

Nice! I took a similar concept with https://dactiv.llc/blog/locate-assets-with-osquery/.

Ah that's much better 🙂 Good to learn about JSON_EXTRACT too

Yeah json parsing in sqlite is very handy, though it can get quite verbose.

Just a heads up, if your employees run Little Snitch it will show osquery communicating with this domain

Longer term solution if you have a TLS server is to take it from the inbound connection.

I'd also think sending this across country boundaries for public services you don't own could get you into privacy issues

Also, your network security monitoring team will probably see alerts generated, as public IP checks are really common for malware (also get an alert for the

curl

user agent outbound etc)

Does osquery send a user agent for the curl table?

Hi everyone. how are you? Reviewing this documentation https://fleetdm.com/guides/locate-assets-with-osquery and playing around a bit I have not been able to get the results as shown in the post. The result of the query is that the json is badly formatted, but I have no way to format it, anyone who has tried this method or another and that returns the geolocation of a device?