Quick hack to get the external IP of an endpoint:

select result from curl where url = '<http://ipaddr.io>';

Nice! I took a similar concept with https://dactiv.llc/blog/locate-assets-with-osquery/.

Ah that's much better 🙂 Good to learn about JSON_EXTRACT too

Yeah json parsing in sqlite is very handy, though it can get quite verbose.

Just a heads up, if your employees run Little Snitch it will show osquery communicating with this domain

Longer term solution if you have a TLS server is to take it from the inbound connection.

I'd also think sending this across country boundaries for public services you don't own could get you into privacy issues

Also, your network security monitoring team will probably see alerts generated, as public IP checks are really common for malware (also get an alert for the

curl

user agent outbound etc)

Does osquery send a user agent for the curl table?