EXPLORE
Sign In
← Back to Explore
elasticmediumTTP

Azure Arc Cluster Credential Access by Identity from Unusual Source

Detects when a service principal or user performs an Azure Arc cluster credential listing operation from a source IP not previously associated with that identity. The `listClusterUserCredential` action retrieves credentials for the Arc Cluster Connect proxy, enabling kubectl access through the Azure ARM API. An adversary using stolen service principal credentials will typically call this operation from infrastructure not previously seen for that SP. By tracking the combination of caller identity and source IP, this rule avoids false positives from backend services and CI/CD pipelines that rotate IPs but maintain consistent identity-to-IP patterns over time.

MITRE ATT&CK

T1078T1078.004T1552T1552.007
initial-accesscredential-accessdefense-evasion

Detection Query

data_stream.dataset: "azure.activitylogs"
    and azure.activitylogs.operation_name: "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION"
    and event.outcome: (Success or success)

Author

Elastic

Created

2026/03/10

Data Sources

AzureAzure ArcAzure Activity Logslogs-azure.activitylogs-*

References

Tags

Domain: CloudData Source: AzureData Source: Azure ArcData Source: Azure Activity LogsUse Case: Threat DetectionTactic: Initial AccessTactic: Credential AccessResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/03/10"
integration = ["azure"]
maturity = "production"
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
Detects when a service principal or user performs an Azure Arc cluster credential listing operation from a source IP not
previously associated with that identity. The `listClusterUserCredential` action retrieves credentials for the Arc
Cluster Connect proxy, enabling kubectl access through the Azure ARM API. An adversary using stolen service principal
credentials will typically call this operation from infrastructure not previously seen for that SP. By tracking the
combination of caller identity and source IP, this rule avoids false positives from backend services and CI/CD pipelines
that rotate IPs but maintain consistent identity-to-IP patterns over time.
"""
false_positives = [
    """
    A service principal used by a CI/CD pipeline may trigger this rule when the pipeline runs from a new IP range for
    the first time (e.g., migrating to a new runner pool). The 7-day history window will learn the new IPs after the
    first occurrence.
    """,
    """
    Administrators accessing Arc clusters from a new VPN endpoint or travel location. Validate the caller identity
    matches an expected user and correlate with known travel or access patterns.
    """,
]
from = "now-9m"
index = ["logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Arc Cluster Credential Access by Identity from Unusual Source"
note = """## Triage and analysis

### Investigating Azure Arc Cluster Credential Access by Identity from Unusual Source

The `listClusterUserCredential` operation on an Azure Arc-connected cluster returns credentials that allow the caller
to establish a proxy tunnel via `az connectedk8s proxy`. This proxy routes kubectl commands through the Azure ARM API,
enabling Kubernetes access without direct network connectivity to the cluster API server.

### Possible investigation steps

- Identify the caller service principal using `azure.activitylogs.identity.claims.appid` and cross-reference with
  Azure AD to determine if this is a known application.
- Check the source IP and geolocation — is this from a country or ASN where your organization operates?
- Correlate with Azure Sign-In Logs around the same time to see the full authentication chain (SP login followed by
  credential listing).
- Verify the Azure role used — the `Azure Arc Enabled Kubernetes Cluster User Role` is required for this operation.
  Was this role recently assigned?
- Check if subsequent Arc-proxied operations (secret/configmap CRUD) occurred after the credential access.
- Review the service principal creation date in Azure AD — recently created SPs are more suspicious.

### Response and remediation

- If the source IP is from an unexpected country or the service principal is not recognized, treat as potential
  credential compromise.
- Revoke the service principal credentials and remove Arc RBAC role assignments.
- Review Kubernetes audit logs for any operations performed through the Arc proxy after credential access.
- Rotate any Kubernetes secrets that may have been accessed.
"""
references = [
    "https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/cluster-connect",
    "https://learn.microsoft.com/en-us/cli/azure/connectedk8s#az-connectedk8s-proxy",
    "https://www.ibm.com/think/x-force/identifying-abusing-azure-arc-for-hybrid-escalation-persistence",
    "https://nvd.nist.gov/vuln/detail/cve-2022-37968",
]
risk_score = 47
rule_id = "022c37cd-5a4f-422b-8227-b136b7a23180"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: Azure",
    "Data Source: Azure Arc",
    "Data Source: Azure Activity Logs",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
data_stream.dataset: "azure.activitylogs"
    and azure.activitylogs.operation_name: "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION"
    and event.outcome: (Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.007"
name = "Container API"
reference = "https://attack.mitre.org/techniques/T1552/007/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
    "@timestamp",
    "azure.activitylogs.operation_name",
    "azure.activitylogs.identity.claims.appid",
    "azure.activitylogs.identity.authorization.evidence.role",
    "azure.activitylogs.identity.authorization.evidence.principalType",
    "azure.resource.id",
    "source.ip",
    "source.geo.country_name",
    "source.geo.city_name",
    "source.as.organization.name",
]

[rule.new_terms]
field = "new_terms_fields"
value = ["azure.activitylogs.identity.claims.appid", "source.ip"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"