Anomalous Outbound Network Calls

Scenario

You received a detection alert for an anomalous outbound network call, either through an email or Slack notification or through a failed GitHub Check.

Click on the insights link in the notification or the GitHub Check details.

Reviewing the insights page

To determine the cause of the anomalous network call, follow these steps:

Step 1: Identify the source

  • Review the job and step that triggered the anomalous network call.

  • Locate the specific step in the Insights page and click on it to view the associated build log.

StepSecurity Insights page showing Network Events

Step 2: Inspect the Process ID (PID)

  • Click on the PID of the process responsible for the anomalous network call to reveal the process arguments.

StepSecurity Insights page showing Network Events

Step 3: Check for recent workflow modifications

  • Review any new commits that may have altered the workflow file.
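One way to do the Step 3 review from a local clone, as an added example that is not StepSecurity's own tooling: it lists recent commits that touched `.github/workflows` and prints only the added lines that can introduce a new network destination. The 14-day window, the pattern list and the sample repository are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: surface workflow edits that could explain a new outbound call.

# workflow_changes REPO [SINCE]
# For each non-merge commit since SINCE that touched .github/workflows, print
# "commit <hash> <author>: <subject>" followed by the added lines that pull in
# an action, run a command, or mention a URL or download tool.
workflow_changes() {
  repo=$1
  since=${2:-"14 days ago"}   # assumed review window; match it to the alert date
  git -C "$repo" log --since="$since" --no-merges -p --unified=0 \
      --format='commit %h %an: %s' -- .github/workflows |
    grep -E '^(commit |\+[^+].*(uses:|run:|https?://|curl|wget))' || true
}

# make_demo_repo DIR
# Builds a constructed two-commit history (not taken from any real project).
make_demo_repo() {
  dir=$1
  wf=$dir/.github/workflows/ci.yml
  g() { git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false "$@"; }
  git init -q "$dir" && mkdir -p "$dir/.github/workflows"
  printf '%s\n' 'name: ci' 'on: push' 'jobs:' '  build:' \
    '    runs-on: ubuntu-latest' '    steps:' \
    '      - uses: actions/checkout@v4' '      - run: make test' > "$wf"
  g add . && g commit -q -m 'add ci workflow'
  # Second commit adds a step that contacts a new host (constructed URL).
  printf '%s\n' \
    '      - run: curl -sSL https://downloads.example.invalid/tool.sh | sh' >> "$wf"
  g add . && g commit -q -m 'install helper tool'
}

# Demo run against the constructed repository.
demo=$(mktemp -d)
make_demo_repo "$demo"
workflow_changes "$demo"
rm -rf "$demo"
```

Against a real clone, call `workflow_changes . "7 days ago"` and compare the reported lines with the endpoint and process arguments shown on the Insights page.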

Triage

Based on the above information,

  • If you believe the endpoint is not expected, reach out to your security team or to [email protected]

  • If you believe the endpoint is expected, no action is required. The endpoint will be added to the baseline for this job, and you will not be notified about it again.
