LoFP / A service principal used by a CI/CD pipeline may trigger this rule when the pipeline runs from a new IP range for the first time (e.g., migrating to a new runner pool). The 7-day history window will learn the new IPs after the first occurrence.

Techniques

Sample rules

Azure Arc Cluster Credential Access by Identity from Unusual Source

Description

Detects when a service principal or user performs an Azure Arc cluster credential listing operation from a source IP not previously associated with that identity within the rule's 7-day history window. The listClusterUserCredential action retrieves the credentials for the Arc Cluster Connect proxy, which enable kubectl access to the connected cluster through the Azure ARM API. An adversary using stolen service principal credentials will typically call this operation from infrastructure not previously seen for that SP. By tracking the combination of caller identity and source IP, rather than the source IP alone, this rule avoids false positives from backend services and CI/CD pipelines that rotate through a stable set of IPs and so keep a consistent identity-to-IP pattern over time.

Detection logic

event.dataset: "azure.activitylogs"
    and azure.activitylogs.operation_name: "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION"
    and event.outcome: (Success or success)
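The query above only selects the events; the "unusual source" part is the new-terms logic the description refers to, which fires when an identity/source-IP pair has not been seen in the trailing 7-day window. The following is an added example, not the rule's own implementation or any Elastic code: it replays that logic over a handful of constructed activity-log events so the false positive in the title (a CI service principal moving to a new runner pool) and the window expiry edge case are visible. The identity field name, the source field name, the app id and the IP addresses are all assumptions or constructed placeholders; the real rule's new-terms fields are not shown on this page.

```python
from datetime import datetime, timedelta, timezone

# Operation the rule filters on (taken from the detection logic above).
OPERATION = "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION"
# History window the new-terms logic learns identity/source pairs from.
HISTORY_WINDOW = timedelta(days=7)

# ASSUMED field names for the caller identity and call source; the page does
# not show which fields the rule actually uses for its new-terms key.
IDENTITY_FIELD = "azure.activitylogs.identity.claims.appid"
SOURCE_FIELD = "source.ip"


def ts_day(day, hour=8):
    """Constructed timestamp: `day` days after an arbitrary start date."""
    return datetime(2024, 5, 1, hour, tzinfo=timezone.utc) + timedelta(days=day)


# Constructed sample events (not real Azure activity log data), flattened to
# the ECS-style keys the query uses. The app id is a fabricated placeholder and
# the IPs are from the RFC 5737 documentation ranges.
CI_SP = "11111111-2222-3333-4444-555555555555"


def event(day, source_ip, outcome="Success", operation=OPERATION, hour=8):
    return {
        "@timestamp": ts_day(day, hour),
        "event.dataset": "azure.activitylogs",
        "event.outcome": outcome,
        "azure.activitylogs.operation_name": operation,
        IDENTITY_FIELD: CI_SP,
        SOURCE_FIELD: source_ip,
    }


SAMPLE_EVENTS = [
    event(0, "203.0.113.10"),                    # usual runner pool, first sighting
    event(3, "203.0.113.10"),                    # same pair again -> learned
    event(4, "198.51.100.7"),                    # migrated runner pool -> first sighting (the false positive)
    event(4, "192.0.2.50", hour=9,               # different operation from a new IP -> not selected
          operation="MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/READ"),
    event(5, "198.51.100.7"),                    # new pool again -> already learned, no alert
    event(6, "192.0.2.99", outcome="Failure"),   # failed call from unknown IP -> not selected
    event(12, "203.0.113.10"),                   # old pool again, 9 days since last seen -> new again
]


def matches_filter(ev):
    """The selection part of the rule: dataset, operation and success outcome."""
    return (
        ev.get("event.dataset") == "azure.activitylogs"
        and ev.get("azure.activitylogs.operation_name") == OPERATION
        and str(ev.get("event.outcome", "")).lower() == "success"
    )


def new_term_alerts(events, window=HISTORY_WINDOW):
    """Return (timestamp, identity, source_ip) for every selected event whose
    identity/source pair was not seen within `window` before that event.
    Events are processed in time order; a pair is 'new' again once its last
    sighting has aged out of the window."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_filter(ev):
            continue
        key = (ev.get(IDENTITY_FIELD), ev.get(SOURCE_FIELD))
        if None in key:
            continue  # cannot attribute the call; skip rather than alert on a null pair
        now = ev["@timestamp"]
        prev = last_seen.get(key)
        if prev is None or now - prev > window:
            alerts.append((now, key[0], key[1]))
        last_seen[key] = now
    return alerts


if __name__ == "__main__":
    for when, ident, ip in new_term_alerts(SAMPLE_EVENTS):
        print(f"{when:%Y-%m-%d %H:%M} {ident} from {ip}: "
              f"first sighting within {HISTORY_WINDOW.days} days")
```

Run as-is, it reports three alerts: the cold-start sighting on day 0, the runner-pool migration on day 4 (the benign case this LoFP entry describes, which is not repeated on day 5 once the pair is learned), and the old pool on day 12, which alerts again because its last sighting fell outside the window. That last case is worth remembering when triaging: a pipeline that runs rarely from a given IP range can re-trigger the rule without any IP change.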