Azure Service Principal Sign-In Followed by Arc Cluster Credential Access

Status: production
Severity: medium
Time window: 30m
Sequence by: azure.activitylogs.identity.claims.appid, azure.signinlogs.properties.app_id
Author: Elastic
Source: github.com/elastic/detection-rules

Detects when a service principal authenticates to Microsoft Entra ID and then lists credentials for an Azure Arc-connected Kubernetes cluster within a short time window. The listClusterUserCredential action retrieves tokens that enable kubectl access through the Arc Cluster Connect proxy. This sequence (service principal sign-in followed by Arc credential retrieval), represents the exact attack chain used by adversaries with stolen service principal secrets to establish a proxy tunnel into Kubernetes clusters. Service principals that authenticate externally (as opposed to managed identities) and immediately access Arc cluster credentials warrant investigation, particularly when the sign-in originates from an unexpected location or ASN.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1078.004` Valid Accounts: Cloud Accounts
Credential Access	`T1528` Steal Application Access Token, `T1552.007` Unsecured Credentials: Container API

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

Anomalous sign-in location by user account and authenticating application (Kusto)
Anomalous Single Factor Signin (Kusto)
Authentications of Privileged Accounts Outside of Expected Controls (Kusto)
Azure Many Failed SignIns (Panther)
Azure Portal sign in from another Azure Tenant (Kusto)
Azure SignIn via Legacy Authentication Protocol (Panther)
Detect non-admin requesting token for admin applications (Kusto)
Discovery Using AzureHound (Sigma)

Rule body elastic

[metadata]
creation_date = "2026/03/10"
integration = ["azure"]
maturity = "production"
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
Detects when a service principal authenticates to Microsoft Entra ID and then lists credentials for an Azure
Arc-connected Kubernetes cluster within a short time window. The `listClusterUserCredential` action retrieves tokens
that enable kubectl access through the Arc Cluster Connect proxy. This sequence (service principal sign-in followed by
Arc credential retrieval), represents the exact attack chain used by adversaries with stolen service principal secrets
to establish a proxy tunnel into Kubernetes clusters. Service principals that authenticate externally (as opposed to
managed identities) and immediately access Arc cluster credentials warrant investigation, particularly when the sign-in
originates from an unexpected location or ASN.
"""
false_positives = [
    """
    CI/CD pipelines that authenticate as a service principal and then access Arc clusters as part of deployment
    workflows will trigger this rule. Identify and exclude known automation service principal app IDs.
    """,
    """
    Administrators using service principal credentials to manage Arc-connected clusters during maintenance windows may
    trigger this rule. Correlate with change management records.
    """,
]
from = "now-30m"
index = ["logs-azure.signinlogs-*", "logs-azure.activitylogs-*"]
interval = "15m"
language = "eql"
license = "Elastic License v2"
name = "Azure Service Principal Sign-In Followed by Arc Cluster Credential Access"
note = """## Triage and analysis

### Investigating Azure Service Principal Sign-In Followed by Arc Cluster Credential Access

This rule detects the complete attack entry point for Arc-proxied Kubernetes attacks: a service principal authenticates
to Azure AD, then immediately retrieves Arc cluster credentials. This is the prerequisite sequence before any
Kubernetes-level activity can occur through the Arc proxy.

### Possible investigation steps

- Identify the service principal using the `app_id` from the sign-in event and resolve it in Azure AD — is this a
  known application?
- Check the sign-in source IP and geolocation — does it match expected infrastructure locations for this SP?
- Review when the SP credentials were last rotated — stale credentials are more likely compromised.
- Check the ASN of the sign-in source — is it from a known cloud provider, corporate network, or unexpected consumer ISP?
- Examine Azure Activity Logs after the credential listing for any Arc-proxied operations (secret/configmap CRUD).
- Correlate with Kubernetes audit logs for operations by the Arc proxy service account
  (`system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa`) in the same time window.
- Review Azure AD Audit Logs for recent changes to this SP (new credentials, federated identities, owner changes).

### Response and remediation

- Immediately rotate the service principal credentials (secrets and certificates).
- Revoke active sessions and tokens for the SP.
- Review and remove any unauthorized Azure role assignments on Arc-connected clusters.
- Check Kubernetes audit logs for any operations performed through the Arc proxy after credential access.
- Rotate any Kubernetes secrets that may have been accessed through the proxy tunnel.
- Enable conditional access policies to restrict service principal authentication by location if supported.
"""
references = [
    "https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/cluster-connect",
    "https://learn.microsoft.com/en-us/cli/azure/connectedk8s#az-connectedk8s-proxy",
    "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins",
    "https://www.ibm.com/think/x-force/identifying-abusing-azure-arc-for-hybrid-escalation-persistence",
    "https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/",
]
risk_score = 47
rule_id = "dacfbecd-7927-46a7-a8ba-feb65a2e990d"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: Azure",
    "Data Source: Azure Arc",
    "Data Source: Microsoft Entra ID",
    "Data Source: Microsoft Entra ID Sign-In Logs",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Initial Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence with maxspan=30m
[authentication where data_stream.dataset == "azure.signinlogs"
    and azure.signinlogs.category == "ServicePrincipalSignInLogs"
    and azure.signinlogs.properties.status.error_code == 0
] by azure.signinlogs.properties.app_id
[any where data_stream.dataset == "azure.activitylogs"
    and azure.activitylogs.operation_name : "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION"
    and event.outcome : ("Success", "success")
] by azure.activitylogs.identity.claims.appid
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.007"
name = "Container API"
reference = "https://attack.mitre.org/techniques/T1552/007/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[rule.investigation_fields]
field_names = [
    "@timestamp",
    "azure.signinlogs.properties.app_id",
    "azure.signinlogs.properties.app_display_name",
    "azure.signinlogs.properties.service_principal_name",
    "azure.signinlogs.category",
    "azure.activitylogs.operation_name",
    "azure.activitylogs.identity.claims.appid",
    "azure.resource.id",
    "source.ip",
    "source.geo.country_name",
    "source.geo.city_name",
    "source.as.organization.name",
]

Stages and Predicates

Ordered sequence: each step below must occur in order within 30m, correlated by azure.activitylogs.identity.claims.appid, azure.signinlogs.properties.app_id.

Stage 1: `authentication`

[authentication where data_stream.dataset == "azure.signinlogs"
    and azure.signinlogs.category == "ServicePrincipalSignInLogs"
    and azure.signinlogs.properties.status.error_code == 0
]

Stage 2: `any`

[any where data_stream.dataset == "azure.activitylogs"
    and azure.activitylogs.operation_name : "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION"
    and event.outcome : ("Success", "success")
]

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`azure.activitylogs.operation_name`	wildcard	`MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION`
`azure.signinlogs.category`	eq	`ServicePrincipalSignInLogs`
`azure.signinlogs.properties.status.error_code`	eq	`0`
`data_stream.dataset`	eq	`azure.activitylogs` `azure.signinlogs`
`event.outcome`	wildcard	`Success` `success`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Azure Service Principal Sign-In Followed by Arc Cluster Credential Access

MITRE ATT&CK coverage

Rules detecting the same action

Rule body elastic

Stages and Predicates

Stage 1: `authentication`

Stage 2: `any`

Indicators

Keyboard shortcuts

Search operators

Azure Service Principal Sign-In Followed by Arc Cluster Credential Access

MITRE ATT&CK coverage

Rules detecting the same action

Rule body elastic

Stages and Predicates

Stage 1: authentication

Stage 2: any

Indicators

Stage 1: `authentication`

Stage 2: `any`