> For the complete documentation index, see [llms.txt](https://docs.stepsecurity.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.stepsecurity.io/github-actions/harden-runner/runbooks/investigating-anomalous-outbound-network-calls.md).

# Investigating Anomalous Outbound Network Calls

### Scenario <a href="#scenario" id="scenario"></a>

You received a detection alert for an anomalous outbound network call, either via an [Email/Slack notification](/workspace/settings/notifications.md) or a failed [GitHub Check](/github/github-checks.md).

This runbook will help you identify which code or process caused the outbound call.

### Getting Started: Locate the Job and Endpoint

* Open the summary page for the detection.

<figure><img src="/files/iTFT146BBnxiquW43cmO" alt=""><figcaption></figcaption></figure>

* You can find the details in the "All Detections" section of the Summary page. This section shows:
  * The job in which the anomalous outbound call occurred.
  * The anomalous endpoint (domain or IP address) flagged by StepSecurity.

![](https://ajeuwbhvhr.cloudimg.io/https://colony-recorder.s3.amazonaws.com/files/2025-08-18/03f4449e-0472-438f-9101-d080dd2a4436/ascreenshot.jpeg?tl_px=1495,859\&br_px=3024,1714\&force_format=jpeg\&q=100\&width=1120.0\&wat=1\&wat_opacity=1\&wat_gravity=northwest\&wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png\&wat_pad=384,268)

* Click on "View Job Details".

![](https://ajeuwbhvhr.cloudimg.io/https://colony-recorder.s3.amazonaws.com/files/2025-08-18/06dd7341-2967-4981-8cca-69325d16093e/ascreenshot.jpeg?tl_px=1058,0\&br_px=3023,1098\&force_format=jpeg\&q=100\&width=1120.0\&wat=1\&wat_opacity=1\&wat_gravity=northwest\&wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png\&wat_pad=968,171)

* This takes you to the Network Events tab, where you can review all the outbound network calls made by that specific job. Use the "Show findings only" toggle to filter the list down to the detections, or use the search bar to look up specific events.

<figure><img src="/files/QkmJj9f8IcrEKuBnsNAg" alt=""><figcaption></figcaption></figure>

### Step 1: Review Build Logs with Timestamps

* Each outbound call has an associated timestamp.

<figure><img src="/files/rt7ciqnuYd2m43nOJEqM" alt=""><figcaption></figcaption></figure>

* Open the build log for the affected run.

![](https://ajeuwbhvhr.cloudimg.io/https://colony-recorder.s3.amazonaws.com/files/2025-08-18/af1cb058-0663-48d0-accc-9bfc985aaf1b/ascreenshot.jpeg?tl_px=0,541\&br_px=1965,1640\&force_format=jpeg\&q=100\&width=1120.0\&wat=1\&wat_opacity=1\&wat_gravity=northwest\&wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png\&wat_pad=420,413)

* Enable timestamps in the UI.

<figure><img src="/files/Sb500DN7x45x0RJIuwWy" alt=""><figcaption></figcaption></figure>

* Scroll to the time around the outbound call and observe what was happening in the workflow at that point.

![](https://ajeuwbhvhr.cloudimg.io/https://colony-recorder.s3.amazonaws.com/files/2025-08-18/15320e4c-61cb-4705-ad75-1e62da8d3eb1/ascreenshot.jpeg?tl_px=271,38\&br_px=3024,1577\&force_format=jpeg\&q=100\&width=1120.0\&wat=1\&wat_opacity=1\&wat_gravity=northwest\&wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png\&wat_pad=71,193)

### Step 2: Search for the Domain or IP in Logs

* Check whether the domain name or IP address from the alert appears in the build log.
* Sometimes build tools or scripts log outbound destinations directly, which gives a direct clue about what triggered the call.

<figure><img src="/files/6D9mCaYN2jrCtEvRK63y" alt=""><figcaption></figcaption></figure>


### Step 3: Review Outbound API Call Details

* If available, StepSecurity also shows outbound API call details, including the HTTP method (e.g., GET, POST) and the path.

<figure><img src="/files/MH67EIPgCgh1eP4Jnxhx" alt=""><figcaption></figcaption></figure>

* This provides additional context about what operation was attempted (e.g., a POST /upload vs. a GET /version).

<figure><img src="/files/2jIXlYNowGTNeTRgdC4R" alt=""><figcaption></figcaption></figure>

* Compare this against the code or build step running at that time to see whether it matches expected behavior.

### Step 4: Inspect the Process Tree in Insights

* Go to the Network Events page in StepSecurity.
* Click on the PID of the process that made the outbound call.

![](https://ajeuwbhvhr.cloudimg.io/https://colony-recorder.s3.amazonaws.com/files/2025-08-18/82d6293e-ab9c-4cc8-962e-4cecba5c8834/ascreenshot.jpeg?tl_px=271,175\&br_px=3024,1714\&force_format=jpeg\&q=100\&width=1120.0\&wat=1\&wat_opacity=1\&wat_gravity=northwest\&wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png\&wat_pad=399,436)

* Review the Process Events panel to see the exact command executed, and click "View Parent Process (PPID)" to trace back to the parent process.

<figure><img src="/files/InZY4NymyQEfF9fspzae" alt=""><figcaption></figcaption></figure>

* Inspect the parent process (e.g., /usr/bin/bash) to see which script or tool launched the outbound call.

<figure><img src="/files/aK5RemUSyYo6PSVz4pSv" alt=""><figcaption></figcaption></figure>
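The log correlation of Steps 1 and 2 and the PID-to-PPID walk of Step 4 can be scripted once you have exported the build log and the process events. The helper below is an added example, not StepSecurity's code, and the record shapes it reads (a detection with endpoint, timestamp and PID; process events with pid, ppid, exe and cmdline) are assumptions rather than the product's export format. The only format it relies on from GitHub is the ISO-8601 timestamp prefix that build logs carry when "Show timestamps" is enabled. The log lines and process events embedded in it are constructed for the example.

```python
"""Offline triage helper for this runbook (added example, not StepSecurity's code).

Given a detection (flagged endpoint, timestamp, PID of the connecting process), it
  1. parses GitHub Actions log lines carrying the "Show timestamps" prefix,
  2. returns the log lines around the detection time (Step 1),
  3. finds log lines that mention the endpoint (Step 2),
  4. walks PID -> PPID through process events to show what launched the
     connecting process (Step 4).
The sample log and process events below are constructed; the record shapes are
assumptions, not StepSecurity's export format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Timestamp prefix as emitted by GitHub Actions logs, e.g. 2025-08-18T14:03:09.2000000Z.
# It has seven fractional digits, which datetime.fromisoformat rejects on older Pythons,
# so the prefix is parsed by hand. Group 8 is the message after the timestamp.
TS_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?Z\s?(.*)$"
)


def parse_ts(value: str) -> datetime:
    """Parse a UTC timestamp with any number of fractional digits (truncated to microseconds)."""
    m = TS_RE.match(value)
    if not m:
        raise ValueError(f"not a UTC timestamp: {value!r}")
    y, mo, d, h, mi, s, frac, _msg = m.groups()
    micros = int((frac or "0")[:6].ljust(6, "0"))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micros, tzinfo=timezone.utc)


def parse_log(text: str) -> list[tuple[datetime, str]]:
    """Split a timestamped build log into (timestamp, message) pairs; lines without a prefix are skipped."""
    entries = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            entries.append((parse_ts(line), m.group(8)))
    return entries


def log_window(entries, at: datetime, seconds: float = 2.0) -> list[tuple[datetime, str]]:
    """Step 1: log lines within +/- `seconds` of the detection timestamp."""
    delta = timedelta(seconds=seconds)
    return [(ts, msg) for ts, msg in entries if at - delta <= ts <= at + delta]


def endpoint_mentions(entries, endpoint: str) -> list[tuple[datetime, str]]:
    """Step 2: log lines naming the flagged domain or IP.

    Whole-token and case-insensitive, so "xample.net" does not hit "example.net";
    a parent domain still matches its subdomains because "." is allowed before it.
    """
    pat = re.compile(r"(?<![\w-])" + re.escape(endpoint) + r"(?![\w-])", re.IGNORECASE)
    return [(ts, msg) for ts, msg in entries if pat.search(msg)]


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    exe: str
    cmdline: str


def ancestry(events: list[ProcessEvent], pid: int, max_depth: int = 64) -> list[ProcessEvent]:
    """Step 4: the chain from the connecting PID up to the root.

    Stops at an unknown parent, on a cycle (PIDs are reused within a job) or at
    max_depth, so a bad export cannot loop forever.
    """
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def triage(endpoint: str, at: datetime, pid: int, log_text: str, events) -> dict:
    """Run Steps 1, 2 and 4 together and return the evidence for the write-up."""
    entries = parse_log(log_text)
    return {
        "window": log_window(entries, at),
        "mentions": endpoint_mentions(entries, endpoint),
        "chain": [f"{e.pid} ({e.exe}): {e.cmdline}" for e in ancestry(events, pid)],
    }


# Constructed sample data (not real run output): an install script of a hypothetical
# package phones home during `npm ci`.
SAMPLE_LOG = """\
2025-08-18T14:03:05.0000000Z ##[group]Run npm ci
2025-08-18T14:03:05.0100000Z npm ci
2025-08-18T14:03:05.0200000Z ##[endgroup]
2025-08-18T14:03:06.4000000Z npm warn deprecated some-pkg@0.1.0: use other-pkg instead
2025-08-18T14:03:08.9000000Z > build-helper@1.2.3 postinstall
2025-08-18T14:03:08.9100000Z > node scripts/telemetry.js
2025-08-18T14:03:09.2000000Z posting build metadata to metrics.example.net
2025-08-18T14:03:12.0000000Z added 412 packages in 7s
"""

SAMPLE_EVENTS = [
    ProcessEvent(1100, 1050, "/usr/bin/bash", "bash -e /home/runner/work/_temp/step.sh"),
    ProcessEvent(1202, 1100, "/usr/bin/node", "npm ci"),
    ProcessEvent(1390, 1202, "/bin/sh", "sh -c node scripts/telemetry.js"),
    ProcessEvent(1420, 1390, "/usr/bin/node", "node scripts/telemetry.js"),
]

DETECTION = {"endpoint": "metrics.example.net",
             "at": parse_ts("2025-08-18T14:03:09.2500000Z"),
             "pid": 1420}

if __name__ == "__main__":
    result = triage(DETECTION["endpoint"], DETECTION["at"], DETECTION["pid"], SAMPLE_LOG, SAMPLE_EVENTS)
    print("log lines around the detection:")
    for ts, msg in result["window"]:
        print(f"  {ts.time()} {msg}")
    print("lines mentioning the endpoint:")
    for ts, msg in result["mentions"]:
        print(f"  {ts.time()} {msg}")
    print("process chain (connecting process -> root):")
    for line in result["chain"]:
        print("  " + line)
```

On the constructed data the window around the detection shows the `postinstall` hook of `build-helper@1.2.3` starting `node scripts/telemetry.js`, the endpoint search lands on the line that names `metrics.example.net`, and the process chain runs from the `node` process through `sh -c` and `npm ci` back to the `bash` step script, which is the same path the UI walks via "View Parent Process (PPID)". Note that the window width is a judgement call: TLS handshakes and DNS lookups happen a few hundred milliseconds before the tool logs anything, so start narrow and widen if nothing nearby explains the call.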

### Step 5: Investigate Code, Commits, and GitHub Actions

* Check the commit associated with the build to see if the domain or IP is directly referenced in the changes.
* If the outbound call correlates to a workflow step that runs a GitHub Action, identify which action it was.
  * If it's a third-party action, inspect the action's code in its repository at the ref the workflow actually uses (not just the default branch) to confirm whether the outbound call is expected or suspicious.
  * If it's your own action, check recent changes or dependencies that might have introduced the behavior.
* If not found in the commit or the correlated action:
  * Search within the repository codebase (for example, `git grep -n '<endpoint>'` for the current tree, or `git log -S'<endpoint>' --oneline` to find the commit that introduced the string).
  * Expand the search to your organization's repositories.
  * As a last step, check if the domain is mentioned in public repositories (to detect potential supply chain or dependency issues).

### Outcome

By following these steps, you should be able to trace the anomalous outbound network call back to:

* A specific job and workflow step (or GitHub Action),
* A process or script executed during the build,
* Or a piece of code (commit, repo, dependency) that introduced the outbound behavior.

