Azure Arc Cluster Credential Access by Identity from Unusual Source

Last updated: 2026-03-10
Created: 2026-03-10

About

Detects when a service principal or user performs an Azure Arc cluster credential listing operation from a source IP not previously associated with that identity. The `listClusterUserCredential` action retrieves credentials for the Arc Cluster Connect proxy, enabling kubectl access through the Azure ARM API. An adversary using stolen service principal credentials will typically call this operation from infrastructure not previously seen for that SP. By tracking the combination of caller identity and source IP, this rule avoids false positives from backend services and CI/CD pipelines that rotate IPs but maintain consistent identity-to-IP patterns over time.
Tags
Domain: Cloud
Data Source: Azure
Data Source: Azure Arc
Data Source: Azure Activity Logs
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Credential Access
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)

Credential Access (TA0006)

False Positive Examples
A service principal used by a CI/CD pipeline may trigger this rule when the pipeline runs from a new IP range for the first time (e.g., after migrating to a new runner pool). The 7-day history window will learn the new IPs after the first occurrence. Administrators accessing Arc clusters from a new VPN endpoint or travel location may also trigger it. Validate that the caller identity matches an expected user and correlate with known travel or access patterns.
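As an added illustration (not Elastic's rule code), the Python below reproduces the New Terms logic described in the About and False Positive sections: apply the query filter, then alert when a (caller, source IP) pair has no successful match in the preceding 7 days, so a pipeline's new runner IP alerts once and is then learned. The flat record keys and all sample events are constructed; only the dataset, operation name and outcome values come from the rule's query.

```python
from datetime import datetime, timedelta

OPERATION = "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION"
HISTORY_WINDOW = timedelta(days=7)

# Constructed sample events. The flat keys (ts, caller, source_ip, ...) are a
# simplification for this example, not the Azure integration's field names.
EVENTS = [
    {"ts": "2026-03-01T09:00:00", "dataset": "azure.activitylogs", "operation": OPERATION,
     "outcome": "Success", "caller": "sp-ci-pipeline", "source_ip": "203.0.113.10"},
    {"ts": "2026-03-02T09:00:00", "dataset": "azure.activitylogs", "operation": OPERATION,
     "outcome": "Success", "caller": "sp-ci-pipeline", "source_ip": "203.0.113.10"},
    # Failed call: excluded by the query, so it neither alerts nor extends the baseline.
    {"ts": "2026-03-03T09:00:00", "dataset": "azure.activitylogs", "operation": OPERATION,
     "outcome": "Failure", "caller": "sp-ci-pipeline", "source_ip": "203.0.113.11"},
    {"ts": "2026-03-04T10:00:00", "dataset": "azure.activitylogs", "operation": OPERATION,
     "outcome": "success", "caller": "admin@example.com", "source_ip": "198.51.100.5"},
    # Known SP from a never-seen IP: the stolen-credential pattern the rule targets.
    {"ts": "2026-03-05T03:00:00", "dataset": "azure.activitylogs", "operation": OPERATION,
     "outcome": "Success", "caller": "sp-ci-pipeline", "source_ip": "198.51.100.77"},
    # A different operation on the cluster resource: out of scope for this rule.
    {"ts": "2026-03-06T09:00:00", "dataset": "azure.activitylogs",
     "operation": "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/READ",
     "outcome": "Success", "caller": "sp-ci-pipeline", "source_ip": "203.0.113.10"},
    # Familiar pair, but its last success is 13 days old, outside the 7-day history.
    {"ts": "2026-03-15T09:00:00", "dataset": "azure.activitylogs", "operation": OPERATION,
     "outcome": "Success", "caller": "sp-ci-pipeline", "source_ip": "203.0.113.10"},
]

def matches_query(ev):
    """Equivalent of the rule's KQL filter on dataset, operation name and outcome."""
    return (ev["dataset"] == "azure.activitylogs"
            and ev["operation"] == OPERATION
            and ev["outcome"] in ("Success", "success"))

def detect_new_terms(events, window=HISTORY_WINDOW):
    """Alert on matching events whose (caller, source_ip) pair had no match in the window."""
    last_seen = {}  # (caller, source_ip) -> timestamp of the last matching success
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not matches_query(ev):
            continue
        key, ts = (ev["caller"], ev["source_ip"]), datetime.fromisoformat(ev["ts"])
        prev = last_seen.get(key)
        if prev is None or ts - prev > window:
            alerts.append(ev)
        last_seen[key] = ts
    return alerts
```

Running `detect_new_terms(EVENTS)` yields four alerts: the first sighting of each pair, the SP's unfamiliar IP on 2026-03-05, and the pair that aged out of the history window by 2026-03-15.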
License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.activitylogs-*
Related Integrations

azure

Query
event.dataset: "azure.activitylogs" and
azure.activitylogs.operation_name: "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION" and
event.outcome: (Success or success)

Install detection rules in Elastic Security

Detect Azure Arc Cluster Credential Access by Identity from Unusual Source in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.