Query Details

Rule : Suspicious Git Force Push Activity

Git Force Push

Query

DeviceProcessEvents
| where ProcessCommandLine has "git push"
| where ProcessCommandLine has_any (" -f", "--force", "-uf", "--force-with-lease")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

About this query

Explanation

This query is designed to detect potentially suspicious activity related to Git force-push commands, which might indicate that someone is rewriting commit history in a way that could be malicious. It specifically looks for instances where certain force-push commands are used, such as git push -f or git push --force.

The query searches through a table called DeviceProcessEvents to find any command lines that include a Git push command with force options. It then extracts and displays relevant details like the timestamp, device name, account name, and the full command line used, among other information. The results are sorted by the most recent activity.

To reduce false positives, the query suggests excluding certain scenarios like repository migrations or controlled workflows. It also advises focusing on more critical repositories first.

For investigating any alerts generated by this query, it recommends checking which repository and branch were affected, whether the force push was preceded by a commit amendment, and if any repository protections failed. It also suggests looking for other suspicious activities or files that might have been added around the same time and determining if the push came from an unfamiliar or new developer device.

Overall, this query helps identify potentially risky Git operations that could compromise the integrity of a codebase, especially in sensitive or production environments.

Details

Ali Hussein profile picture

Ali Hussein

Released: April 1, 2026

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

hashas_anyprojectorder by

Actions

GitHub