https://github.com/osquery/osquery logo
Title
w

wtheaker

01/28/2021, 8:11 PM
Quick hack to get the external IP of an endpoint:
select result from curl where url = '<http://ipaddr.io>';
z

zwass

01/28/2021, 8:18 PM
Nice! I took a similar concept with https://dactiv.llc/blog/locate-assets-with-osquery/.
w

wtheaker

01/28/2021, 8:20 PM
Ah that's much better 🙂 Good to learn about JSON_EXTRACT too
z

zwass

01/28/2021, 8:23 PM
Yeah json parsing in sqlite is very handy, though it can get quite verbose.
t

terracatta

01/28/2021, 8:29 PM
Just a heads up, if your employees run Little Snitch it will show osquery communicating with this domain
and might raise questions
😅 1
g

Gavin

01/28/2021, 8:34 PM
Longer term solution if you have a TLS server is to take it from the inbound connection.
a

allister

01/29/2021, 4:06 AM
I'd also think sending this across country boundaries for public services you don't own could get you into privacy issues
your Acceptable Use Policy may or may not cover you for that case, even as an employer
d

defensivedepth

01/29/2021, 1:25 PM
Also, your network security monitoring team will probably see alerts generated, as public IP checks are really common for malware (also get an alert for the
curl
user agent outbound etc)
w

wtheaker

01/29/2021, 5:38 PM
Does osquery send a user agent for the curl table?