Rule : Suspicious Git Force Push Activity
Git Force Push
Query
DeviceProcessEvents
| where ProcessCommandLine has "git push"
| where ProcessCommandLine has_any (" -f", "--force", "-uf", "--force-with-lease")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp descAbout this query
Explanation
This query is designed to detect potentially suspicious activity related to Git force-push commands, which might indicate that someone is rewriting commit history in a way that could be malicious. It specifically looks for instances where certain force-push commands are used, such as git push -f or git push --force.
The query searches through a table called DeviceProcessEvents to find any command lines that include a Git push command with force options. It then extracts and displays relevant details like the timestamp, device name, account name, and the full command line used, among other information. The results are sorted by the most recent activity.
To reduce false positives, the query suggests excluding certain scenarios like repository migrations or controlled workflows. It also advises focusing on more critical repositories first.
For investigating any alerts generated by this query, it recommends checking which repository and branch were affected, whether the force push was preceded by a commit amendment, and if any repository protections failed. It also suggests looking for other suspicious activities or files that might have been added around the same time and determining if the push came from an unfamiliar or new developer device.
Overall, this query helps identify potentially risky Git operations that could compromise the integrity of a codebase, especially in sensitive or production environments.
Details

Ali Hussein
Released: April 1, 2026
Tables
Keywords
Operators