LoFP / Administrators accessing Arc clusters from a new VPN endpoint or travel location. Validate that the caller identity matches an expected user and correlate with known travel or access patterns.

Techniques

Sample rules

Azure Arc Cluster Credential Access by Identity from Unusual Source

Description

Detects when a service principal or user performs an Azure Arc cluster credential listing operation from a source IP not previously associated with that identity. The listClusterUserCredential action retrieves credentials for the Arc Cluster Connect proxy, enabling kubectl access through the Azure ARM API. An adversary using stolen service principal credentials will typically call this operation from infrastructure not previously seen for that SP. By tracking the combination of caller identity and source IP, this rule avoids false positives from backend services and CI/CD pipelines that rotate IPs but maintain consistent identity-to-IP patterns over time.

Detection logic

event.dataset: "azure.activitylogs"
    and azure.activitylogs.operation_name: "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION"
    and event.outcome: (Success or success)
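The identity-to-source-IP baselining the description relies on, and the VPN/travel false positive noted at the top of the page, modelled as an added Python example (not part of the LoFP page, the Elastic rule, or any Azure tooling). The event shape, the 14-day learning window, the function names and the sample Activity Log events are all assumptions constructed for illustration; the operation name and outcome check mirror the query above. Instead of suppressing hits from corporate VPN egress ranges, the example tags them with a triage hint, since a stolen service principal can just as easily be used from the VPN.

```python
"""Added example (not page or rule code): identity + source-IP baselining for
successful Azure Arc listClusterUserCredential calls, with a triage hint for
known VPN egress ranges instead of blanket suppression."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

OPERATION = "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION"
BASELINE_DAYS = 14  # assumed learning window, not a value from the rule

# Constructed sample events (simplified azure.activitylogs fields; not real data).
EVENTS = [
    # CI/CD service principal that rotates between two egress IPs during baseline
    {"ts": "2024-05-01T09:00:00", "identity": "sp-cicd-runner", "ip": "203.0.113.10",
     "operation": OPERATION, "outcome": "Success"},
    {"ts": "2024-05-03T09:00:00", "identity": "sp-cicd-runner", "ip": "203.0.113.11",
     "operation": OPERATION, "outcome": "success"},
    # human administrator, usual office egress
    {"ts": "2024-05-05T14:00:00", "identity": "alice@example.com", "ip": "198.51.100.5",
     "operation": OPERATION, "outcome": "Success"},
    # detection window: same SP, already-seen IP -> no alert
    {"ts": "2024-05-16T09:00:00", "identity": "sp-cicd-runner", "ip": "203.0.113.11",
     "operation": OPERATION, "outcome": "Success"},
    # admin from corporate VPN egress while travelling -> alert, tagged for triage
    {"ts": "2024-05-16T10:00:00", "identity": "alice@example.com", "ip": "192.0.2.77",
     "operation": OPERATION, "outcome": "Success"},
    # failed attempt from unknown IP -> ignored (rule requires success)
    {"ts": "2024-05-16T11:00:00", "identity": "alice@example.com", "ip": "198.51.100.99",
     "operation": OPERATION, "outcome": "Failure"},
    # unrelated operation from unknown IP -> ignored
    {"ts": "2024-05-17T08:00:00", "identity": "sp-cicd-runner", "ip": "198.51.100.200",
     "operation": "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/READ", "outcome": "Success"},
    # SP calling the credential listing from never-seen infrastructure -> alert
    {"ts": "2024-05-17T09:00:00", "identity": "sp-cicd-runner", "ip": "198.51.100.200",
     "operation": OPERATION, "outcome": "Success"},
]


def _matches(event):
    """Same filter as the rule: the credential-listing operation with a successful outcome."""
    return event["operation"] == OPERATION and event["outcome"].lower() == "success"


def build_baseline(events, end, days=BASELINE_DAYS):
    """Learn the set of source IPs each identity used for the operation before `end`."""
    start = end - timedelta(days=days)
    seen = defaultdict(set)
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if start <= t < end and _matches(e):
            seen[e["identity"]].add(e["ip"])
    return seen


def detect(events, baseline, start, known_egress=()):
    """Alert on successful listings from an identity/IP pair absent from the baseline.

    known_egress: corporate VPN egress CIDRs (assumed). Hits from these are still
    alerted but carry a triage hint, matching the LoFP guidance to validate the
    caller rather than drop the event."""
    nets = [ip_network(n) for n in known_egress]
    alerts = []
    for e in events:
        if datetime.fromisoformat(e["ts"]) < start or not _matches(e):
            continue
        if e["ip"] in baseline.get(e["identity"], set()):
            continue  # known identity-to-IP pairing, as for the rotating CI/CD runner
        from_vpn = any(ip_address(e["ip"]) in n for n in nets)
        alerts.append({
            "ts": e["ts"], "identity": e["identity"], "ip": e["ip"],
            "triage": ("known VPN egress: confirm expected user and travel"
                       if from_vpn else "unknown source: treat as possible stolen credential"),
        })
    return alerts


def run(cutoff=datetime(2024, 5, 15), known_egress=("192.0.2.0/24",)):
    """Baseline on events before `cutoff`, then evaluate everything from `cutoff` on."""
    baseline = build_baseline(EVENTS, cutoff)
    return detect(EVENTS, baseline, cutoff, known_egress)


if __name__ == "__main__":
    for a in run():
        print(a)
```

Running the block yields two alerts: the administrator's VPN-sourced call (tagged for identity and travel validation) and the service principal's call from never-seen infrastructure; the SP's rotation between its two known IPs, the failed attempt and the unrelated read operation produce nothing.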