# Rule: Suspicious Git Force Push Activity
## Description
Detects force-push behavior that may indicate rewritten commit history being pushed upstream. This becomes especially suspicious when paired with commit amendment, verification bypass, or stealthy workspace/task modifications.
## Detection Logic
This detection looks for:
- `git push -f`
- `git push --force`
- `git push -uf`
- `git push --force-with-lease`
## Relevant Tables
- `DeviceProcessEvents`
## Search Query
```kql
DeviceProcessEvents
| where ProcessCommandLine has "git push"
| where ProcessCommandLine has_any (" -f", "--force", "-uf", "--force-with-lease")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```
## False Positive Tuning
- Exclude dedicated repository migration projects and mirrored repositories.
- Exclude controlled release-engineering workflows after validation.
- Scope to production, public, or sensitive repositories first for highest signal.
## Triage Steps
1. Determine which repository and branch were targeted.
2. Verify whether this force push followed a `git commit --amend` or other history rewrite.
3. Review whether repository protections should have prevented this action.
4. Check for adjacent suspicious files, hidden tasks, or obfuscated payloads added in the same timeframe.
5. Identify whether the push originated from an unmanaged or newly onboarded developer device.
## Investigation Notes
- Stronger signal when combined with `--no-verify`.
- High value for scoping supply chain compromise across developer endpoints.
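As an added example that is not part of the original rule, the force-push matching above re-implemented in Python and run over constructed `ProcessCommandLine` values; `classify_git_push`, `triage` and the sample command lines are assumptions introduced here. It goes slightly beyond the KQL by tokenizing the command line, so bundled short flags such as `-fu` and the `--force-with-lease=<ref>` form are caught as well, and it applies the `--no-verify` escalation from the Investigation Notes and the remote allow-list from the False Positive Tuning section.

```python
import shlex

FORCE_LONG = {"--force", "--force-with-lease"}  # from the Detection Logic list

def classify_git_push(cmdline):
    """Return None unless cmdline is a git force push, else the matched flag,
    remote/refspec and whether --no-verify was also passed (stronger signal)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None  # unbalanced quotes: not a parseable shell command line
    # 'push' may not be argv[1] (e.g. git -C repo push), so locate it by name.
    if not argv or "git" not in argv[0].lower() or "push" not in argv:
        return None
    force_flag, positional, no_verify = None, [], False
    for arg in argv[argv.index("push") + 1:]:
        name = arg.split("=", 1)[0]  # --force-with-lease=main -> --force-with-lease
        if name in FORCE_LONG:
            force_flag = force_flag or name
        elif arg == "--no-verify":
            no_verify = True
        elif arg.startswith("-") and not arg.startswith("--"):
            if "f" in arg[1:]:  # bundled short flags: -f, -uf, -fu
                force_flag = force_flag or arg
        elif not arg.startswith("-"):
            positional.append(arg)  # remote, then refspec
    if force_flag is None:
        return None
    return {"flag": force_flag, "no_verify": no_verify,
            "remote": positional[0] if positional else None,
            "refspec": positional[1] if len(positional) > 1 else None}

def triage(cmdlines, excluded_remotes=()):
    """Run the rule over ProcessCommandLine values and rank the hits;
    excluded_remotes models the False Positive Tuning step (mirrors, migrations)."""
    findings = []
    for cmdline in cmdlines:
        hit = classify_git_push(cmdline)
        if hit is None or hit["remote"] in excluded_remotes:
            continue  # not a force push, or an allow-listed mirror/migration remote
        hit["severity"] = "high" if hit["no_verify"] else "medium"
        findings.append(hit)
    return findings

# Constructed sample ProcessCommandLine values (not real telemetry).
SAMPLE_CMDLINES = [
    "git push -uf origin feature/login",
    "git push --no-verify --force-with-lease=main origin main",
    "git push --force mirror refs/heads/*",
    "git push origin main",
]
```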
This query detects potentially suspicious Git force-push commands, which can indicate that someone is rewriting commit history in a way that could be malicious. It specifically looks for the force variants of the push command, such as `git push -f` or `git push --force`.
The query searches the `DeviceProcessEvents` table for command lines that contain a Git push command with a force option, then projects relevant details such as the timestamp, device name, account name and the full command line used, among other fields. Results are sorted with the most recent activity first.
To reduce false positives, the rule recommends excluding scenarios such as repository migrations and controlled release workflows, and scoping to the most critical repositories first.
When investigating alerts from this query, the triage steps are to check which repository and branch were affected, whether the force push was preceded by a commit amendment, and whether repository protections failed to block it. They also call for looking for other suspicious activity or files added around the same time and determining whether the push came from an unmanaged or newly onboarded developer device.
Overall, this query helps identify risky Git operations that could compromise the integrity of a codebase, especially in sensitive or production environments.

Ali Hussein
Released: April 1, 2026