#general
wtheaker
01/28/2021, 8:11 PM
Quick hack to get the external IP of an endpoint:
select result from curl where url = 'http://ipaddr.io';
zwass
01/28/2021, 8:18 PM
Nice! I took a similar concept with https://dactiv.llc/blog/locate-assets-with-osquery/.
wtheaker
01/28/2021, 8:20 PM
Ah that's much better 🙂 Good to learn about JSON_EXTRACT too
zwass
01/28/2021, 8:23 PM
Yeah json parsing in sqlite is very handy, though it can get quite verbose.
terracatta
01/28/2021, 8:29 PM
Just a heads up, if your employees run Little Snitch it will show osquery communicating with this domain
8:30 PM
and might raise questions
Gavin
01/28/2021, 8:34 PM
Longer term solution if you have a TLS server is to take it from the inbound connection.
allister
01/29/2021, 4:06 AM
I'd also think sending this across country boundaries for public services you don't own could get you into privacy issues
4:11 AM
your Acceptable Use Policy may or may not cover you for that case, even as an employer
defensivedepth
01/29/2021, 1:25 PM
Also, your network security monitoring team will probably see alerts generated, as public IP checks are really common for malware (also get an alert for the curl user agent outbound etc)
wtheaker
01/29/2021, 5:38 PM
Does osquery send a user agent for the curl table?