# Pipeline Runs

This page provides detailed runtime insights for your Azure CI pipelines, helping you monitor pipeline activity and detect anomalies in real time.

You can view the total number of pipeline runs observed for each project.

* Navigate to **Pipeline Runs** in the sidebar.
* Each project displays the total number of runs.

<figure><img src="/files/fEJnw7Z80Ux1wAcv4inj" alt=""><figcaption></figcaption></figure>

* Click **Pipeline Runs** next to a project to see detailed job history.

<figure><img src="/files/8COSn53zgTpFjktLEuGh" alt=""><figcaption></figcaption></figure>

* Select a pipeline run insight to view its summary page. The page includes outbound destinations, detected events, and the associated workflow file

<figure><img src="/files/OzvOi0TiLYJkIRSsifxD" alt=""><figcaption></figcaption></figure>

### Features Available in Harden-Runner <a href="#features-available-in-harden-runner" id="features-available-in-harden-runner"></a>

* View outbound network traffic at the project level
* Detect anomalous outbound network traffic
* Filter outbound network traffic to allowed endpoints
* Detect tampering of source code during build
* View baseline status at project level
* View process names and arguments
* Get live pipeline security recommendations

#### View outbound network traffic at the job level <a href="#view-outbound-network-traffic-at-the-job-level" id="view-outbound-network-traffic-at-the-job-level"></a>

Harden-Runner monitors all outbound traffic from each project at the DNS and network layers

To access this feature switch to the `Network Events` tab on your Project Insights page

* On this page you can see:
  * The process
  * PID
  * Destination
  * Port
  * Status
  * Timestamp

<figure><img src="/files/FlWqWrj42CtpWUkKxq44" alt=""><figcaption></figcaption></figure>

* You can click the PID to view the process arguments. You can walk up the process tree to analyze parent-child relationships, helping you detect suspicious activity and understand how processes interact.

#### Detect anomalous outbound network traffic

Harden-Runner applies machine learning to historical workflow data to detect anomalies.

* Baseline requires 100 pipeline runs to be created.
* After the baseline is set, any outbound traffic to unknown destinations will be flagged.
* Alerts are displayed on both the **Insights** and **Detections** pages.&#x20;
* You can view a comprehensive list of all anomalous outbound network traffic and outbound calls blocked specifically on the `Detections` page within the dashboard

<figure><img src="/files/PxrWgUaj5vY1o1hb3k8R" alt=""><figcaption></figcaption></figure>

For more details, refer to [Anomalous Outbound Call Detection Using Machine Learning](https://www.stepsecurity.io/blog/announcing-anomalous-outbound-call-detection-using-machine-learning)

#### **Filter outbound network traffic to allowed endpoints**

You can see recommended egress block policy in the `Recommendations` tab for each job. This is based on observed traffic across multiple runs of the job.

<figure><img src="/files/WAQRiVcAIeihuesGgPEM" alt=""><figcaption></figcaption></figure>

Once you specify an allowlist in your workflow file. Any endpoint not on the list will be blocked.

<figure><img src="/files/cYW1uLWAoamWDY3Wv3QT" alt=""><figcaption></figcaption></figure>

When this pipeline is run `www.google.com` will be blocked because it is not part of the allowlist

<figure><img src="/files/gcJzepLSxnST80140duA" alt=""><figcaption></figcaption></figure>

#### Detect tampering of source code during build

Harden-Runner monitors file writes and detects if any source code files are overwritten during a build.

**Why is this important?**

* Source code overwrites are unexpected in a release build.
* All source code files are monitored, including infrastructure-as-code (IaC) files such as Kubernetes manifests and Terraform configurations.
* Notifications can be enabled to receive alerts when source code modifications occur.
* No additional changes are needed for self-hosted runners to enable file monitoring.

**How to Detect Source Code Overwrites**

* Click on the workflow insights
* Go to the `File Write Events` tab
* You’ll see a list of overwritten files, including their paths and timestamps.

<figure><img src="/files/L8wcuOpxJ8zj5RV6wifP" alt=""><figcaption></figcaption></figure>

* Identify the file and its path.
* Review the detection timestamp for when the overwrite occurred.
* If unexpected, trigger a security review or rollback to a safe commit.

#### **View baseline status at the pipeline level**

To assess the stability of a pipeline's network behavior, you can use the Baseline feature

A Baseline is created after 100 pipeline runs

**How to Access**

Navigate to the `Baseline` tab under the `Network Events` tab

<figure><img src="/files/270DUhTLZDVneb0pnSda" alt=""><figcaption></figcaption></figure>

The baseline stability status indicates whether a job is making predictable or unpredictable network calls. This is crucial for determining the reliability of detections from that job.

**Baseline Status Categories**

Each job can be in one of the following baseline states:

* Creating – The system is still collecting data to determine the job’s baseline behavior.
* Stable – The job’s network activity is predictable and consistent.
* Unstable – The job’s network activity is erratic and prone to triggering frequent alerts.

#### View process names and arguments <a href="#view-process-names-and-arguments" id="view-process-names-and-arguments"></a>

Get deeper visibility into your CI/CD workflows by viewing all executed process names, Process IDs (PIDs), and process arguments within your environment. This capability is especially useful for forensics and incident response, allowing you to understand what ran and why.

To access this feature switch to the `Process Events` tab on your Insights page

**How it Works**

* Harden-Runner tracks every process that is run during the build process.

<figure><img src="/files/FIh31FuAjyZFNvjAewOb" alt=""><figcaption><p>StepSecurity Insights Process Events page</p></figcaption></figure>

* Clicking on any process ID (PID) in the process events shows the process that caused the event, along with the process argument. You can walk up the process tree to analyze parent-child relationships, helping you detect suspicious activity and understand how processes interact.

<figure><img src="/files/yLGBpn9LrxPkQU6UAUhR" alt=""><figcaption><p>StepSecurity Insights Process Events page showing child processes</p></figcaption></figure>

#### Get live pipeline security recommendations

Get continuous, in-context security insights while your pipeline runs. The Recommendations tab surfaces actionable guidance that links detected anomalous behavior to remediation steps.

<figure><img src="/files/DwiW4n7vuWOWuta8wz9o" alt=""><figcaption></figcaption></figure>

**How it Works**

* Harden Runner tracks runtime behavior: process execution, file writes, network calls, etc.
* When suspicious or anomalous activity is recognized (e.g. unexpected process, unusual outbound connection), the system generates a recommendation in real time.
* Each recommendation ties to a specific job in the pipeline and includes severity, detected activity, and suggested action(s).
* Links to deeper documentation (e.g. Process Monitoring Guide, Harden Runner Installation) are included for further investigation.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.stepsecurity.io/azure-devops/harden-runner/pipeline-runs.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.