# ip\_lookup\_attempt

**Explanation**

The ip\_lookup\_attempt NDM is designed to detect when a customer network machine attempts to look itself up. This could be an indication of malicious activity on the network.

**What to Look For**

To examine the results of the ip*lookup\_attempt NDM Event, this is often surrounded by other traffic such as C2 payload downloads, lateral spreading, or attempts to offload data. This is \_not* normal traffic to the network, and it should be investigated heavily, and treated as highly suspicious.

**Related MITRE ATT\&CK Categories**

[Reconnaissance: Gather Victim Network Information, Technique T1590 - Enterprise](https://attack.mitre.org/techniques/T1590)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.fusion.vectra.ai/detection-models/library/post-compromise/ip_lookup_attempt.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.