Several Failed Protected Branch Force Pushes by User

Elastic Detection Rules

Summary
This detection rule identifies a high volume of failed force push attempts against protected branches on GitHub by a single user within a short timeframe. Such activity may indicate an attacker attempting to rewrite commit history to hide malicious changes or to disrupt ongoing development work. The rule monitors GitHub audit logs for the event recorded when a force push is rejected by branch protection. If a user accumulates five or more such rejections within 9 minutes, the rule raises an alert. The query is written in Elastic's Event Query Language (EQL), which filters the relevant audit events and groups them by user identity while retaining context such as the repository and organization involved. The aim is to protect the integrity of critical codebases and maintain operational continuity against sabotage via forced commits.
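The following is an added illustration of the counting logic the summary describes, run over a few constructed audit-log lines; it is not the Elastic rule's own EQL query or code. It assumes a JSON-per-line export with `@timestamp`, `action`, `actor`, `repo` and `org` fields, and assumes `protected_branch.rejected_ref_update` as the GitHub audit-log action name for a rejected push, since the summary does not state the exact field values the rule matches on. The window is kept per user, so one user's burst of five rejections within nine minutes fires an alert while another user's five rejections spread over forty minutes does not.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold and window taken from the rule summary: five or more rejected
# force pushes by one user within nine minutes.
WINDOW = timedelta(minutes=9)
THRESHOLD = 5

# Assumed GitHub audit-log action name for a push rejected by branch
# protection; the summary does not state the exact field values the rule uses.
REJECTED_ACTION = "protected_branch.rejected_ref_update"

# Constructed sample audit-log lines (one JSON object per line); not real data.
SAMPLE_LOG = """\
{"@timestamp": "2025-12-16T10:00:05Z", "action": "git.push", "actor": "alice", "repo": "acme/api", "org": "acme"}
{"@timestamp": "2025-12-16T10:00:30Z", "action": "protected_branch.rejected_ref_update", "actor": "bob", "repo": "acme/api", "org": "acme"}
{"@timestamp": "2025-12-16T10:01:00Z", "action": "protected_branch.rejected_ref_update", "actor": "mallory", "repo": "acme/api", "org": "acme"}
{"@timestamp": "2025-12-16T10:02:00Z", "action": "protected_branch.rejected_ref_update", "actor": "mallory", "repo": "acme/api", "org": "acme"}
{"@timestamp": "2025-12-16T10:02:30Z", "action": "protected_branch.rejected_ref_update", "actor": "alice", "repo": "acme/web", "org": "acme"}
{"@timestamp": "2025-12-16T10:03:00Z", "action": "protected_branch.rejected_ref_update", "actor": "mallory", "repo": "acme/api", "org": "acme"}
{"@timestamp": "2025-12-16T10:03:30Z", "action": "protected_branch.rejected_ref_update", "actor": "alice", "repo": "acme/web", "org": "acme"}
{"@timestamp": "2025-12-16T10:05:00Z", "action": "protected_branch.rejected_ref_update", "actor": "mallory", "repo": "acme/web", "org": "acme"}
{"@timestamp": "2025-12-16T10:07:00Z", "action": "protected_branch.rejected_ref_update", "actor": "mallory", "repo": "acme/web", "org": "acme"}
{"@timestamp": "2025-12-16T10:08:00Z", "action": "protected_branch.rejected_ref_update", "actor": "mallory", "repo": "acme/api", "org": "acme"}
{"@timestamp": "2025-12-16T10:10:30Z", "action": "protected_branch.rejected_ref_update", "actor": "bob", "repo": "acme/api", "org": "acme"}
{"@timestamp": "2025-12-16T10:20:30Z", "action": "protected_branch.rejected_ref_update", "actor": "bob", "repo": "acme/api", "org": "acme"}
{"@timestamp": "2025-12-16T10:30:30Z", "action": "protected_branch.rejected_ref_update", "actor": "bob", "repo": "acme/api", "org": "acme"}
{"@timestamp": "2025-12-16T10:40:30Z", "action": "protected_branch.rejected_ref_update", "actor": "bob", "repo": "acme/api", "org": "acme"}
"""


def parse_events(text):
    """Parse JSON-per-line audit records into dicts carrying a datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["@timestamp"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def find_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user whose rejected force pushes reach `threshold`
    inside any span of length `window`. A sliding window per actor keeps only
    the rejections still inside the span; once the threshold is met the window
    is cleared so a single burst yields one alert rather than one per event."""
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != REJECTED_ACTION:
            continue  # successful pushes and unrelated actions are ignored
        q = recent[ev["actor"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:
            q.popleft()  # drop rejections older than the window
        if len(q) >= threshold:
            alerts.append({
                "actor": ev["actor"],
                "count": len(q),
                "start": q[0]["ts"],
                "end": ev["ts"],
                # Extra context the summary mentions: which repos and orgs were hit.
                "repos": sorted({e["repo"] for e in q}),
                "orgs": sorted({e["org"] for e in q}),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in find_bursts(parse_events(SAMPLE_LOG)):
        print(f"{a['actor']}: {a['count']} rejected force pushes between "
              f"{a['start']:%H:%M:%S} and {a['end']:%H:%M:%S} in {a['repos']}")
```

Run as a script it reports a single burst for `mallory`; `bob` has the same number of rejections but never five inside one nine-minute window, and `alice` never reaches the threshold. Clearing the window after an alert mirrors the summary's intent of flagging the burst rather than re-alerting on every additional rejection.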
Categories
  • Cloud
  • Application
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1485
  • T1020
  • T1567
  • T1567.001
Created: 2025-12-16