CI/CD pipelines that authenticate as a service principal and then access Arc clusters as part of deployment workflows will trigger this rule. Identify and exclude known automation service principal app IDs.

Techniques

Sample rules

Azure Service Principal Sign-In Followed by Arc Cluster Credential Access

Description

Detects when a service principal authenticates to Microsoft Entra ID and then lists credentials for an Azure Arc-connected Kubernetes cluster within a short time window. The listClusterUserCredential action retrieves tokens that enable kubectl access through the Arc Cluster Connect proxy. This sequence (service principal sign-in followed by Arc credential retrieval) represents the exact attack chain used by adversaries with stolen service principal secrets to establish a proxy tunnel into Kubernetes clusters. Service principals that authenticate externally (as opposed to managed identities) and immediately access Arc cluster credentials warrant investigation, particularly when the sign-in originates from an unexpected location or ASN.

Detection logic

sequence with maxspan=30m
[authentication where event.dataset == "azure.signinlogs"
    and azure.signinlogs.category == "ServicePrincipalSignInLogs"
    and azure.signinlogs.properties.status.error_code == 0
] by azure.signinlogs.properties.app_id
[any where event.dataset == "azure.activitylogs"
    and azure.activitylogs.operation_name : "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION"
    and event.outcome : ("Success", "success")
] by azure.activitylogs.identity.claims.appid
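The following is an added example, not part of the rule or its source, that emulates the EQL sequence above in Python over constructed sample events and applies the app-ID exclusion the false-positive note recommends. Field names follow the rule; timestamps and app IDs are placeholders.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=30)
LIST_CRED_OP = "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION"

def signin(ts, app, error_code=0):  # constructed azure.signinlogs event
    return {"@timestamp": ts, "event.dataset": "azure.signinlogs",
            "azure.signinlogs.category": "ServicePrincipalSignInLogs",
            "azure.signinlogs.properties.status.error_code": error_code,
            "azure.signinlogs.properties.app_id": app}

def arc_access(ts, app, outcome="Success"):  # constructed azure.activitylogs event
    return {"@timestamp": ts, "event.dataset": "azure.activitylogs",
            "azure.activitylogs.operation_name": LIST_CRED_OP,
            "event.outcome": outcome,
            "azure.activitylogs.identity.claims.appid": app}

SAMPLE_EVENTS = [  # constructed sample; app ids are placeholders, not real values
    signin("2024-05-01T10:00:00Z", "app-attacker"),
    arc_access("2024-05-01T10:12:00Z", "app-attacker"),   # 12 min later -> hit
    signin("2024-05-01T10:05:00Z", "app-pipeline"),
    arc_access("2024-05-01T10:09:00Z", "app-pipeline"),   # known automation -> excludable
    signin("2024-05-01T09:00:00Z", "app-slow"),
    arc_access("2024-05-01T09:45:00Z", "app-slow"),       # 45 min later -> outside maxspan
    signin("2024-05-01T10:20:00Z", "app-failed", error_code=50126),
    arc_access("2024-05-01T10:25:00Z", "app-failed"),     # failed sign-in -> no sequence
]

def _ts(ev):
    return datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")

def correlate(events, known_automation_app_ids=frozenset()):
    """Successful SP sign-in, then listClusterUserCredential by the same app id within MAXSPAN."""
    pending, hits = {}, []   # pending: app_id -> time of latest successful SP sign-in
    for ev in sorted(events, key=_ts):
        if (ev["event.dataset"] == "azure.signinlogs"
                and ev.get("azure.signinlogs.category") == "ServicePrincipalSignInLogs"
                and ev.get("azure.signinlogs.properties.status.error_code") == 0):
            app = ev["azure.signinlogs.properties.app_id"]
            if app not in known_automation_app_ids:   # the LoFP exclusion
                pending[app] = _ts(ev)
        elif (ev["event.dataset"] == "azure.activitylogs"
                and ev.get("azure.activitylogs.operation_name", "").upper() == LIST_CRED_OP
                and ev.get("event.outcome", "").lower() == "success"):
            app = ev.get("azure.activitylogs.identity.claims.appid")
            start = pending.get(app)
            if start is not None and _ts(ev) - start <= MAXSPAN:
                hits.append((app, start, _ts(ev)))
                del pending[app]   # sequence completed; require a fresh sign-in next time
    return hits
```

Passing the pipeline's app ID in `known_automation_app_ids` drops the deployment-workflow match while keeping the unexpected one.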