Kubernetes Secret or ConfigMap Access via Azure Arc Proxy

Elastic Detection Rules

Summary
This rule detects potential abuse of the Azure Arc Cluster Connect proxy to access Kubernetes secrets or configmaps. It monitors Kubernetes audit logs for operations where the acting user is the Azure Arc proxy service account (system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa) but the actual caller identity is recorded in impersonatedUser. The rule flags non-system access (get/list/read/write/update/patch/delete) to secrets or configmaps, excluding the normal Arc management namespaces (azure-arc, azure-arc-release, kube-system) and Helm release secrets (sh.helm.release.v1). It aggregates findings by impersonatedUser and surfaces activity within the last ~9 minutes, helping identify exfiltration or modification attempts made through Arc-proxied access.

The detection is framed within MITRE ATT&CK techniques: T1552 (Unsecured Credentials) with sub-technique T1552.007 (Container API) for credential access, and T1530 (Data from Cloud Storage) under the Collection tactic, indicating potential data exfiltration or compromise through Arc-facilitated access.

Triage and analysis guidance emphasizes validating the impersonated identity, verifying the source Azure AD principal, and distinguishing legitimate Arc workflows from adversarial activity. Key investigation steps include examining kubernetes.audit.impersonatedUser.username and kubernetes.audit.impersonatedUser.extra.oid, noting the namespaces of the accessed resources, reviewing object names for unusual secrets or configmaps, correlating with Azure Activity Logs for Arc-related operations, and checking sign-in origins for the impersonated identity.

Remediation guidance suggests revoking credentials for the impersonated identity if it is unrecognized, removing related ClusterRoleBinding/RoleBinding permissions, rotating affected secrets, and reassessing or disconnecting Arc connections if compromise is suspected.
False positives to consider include normal Arc-managed secret/configmap changes in azure-arc or azure-arc-release namespaces and Helm release secrets created by Arc-managed Helm operations.
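The following Python is an added example, not the Elastic rule's own query or code: it applies the per-event conditions and the per-impersonatedUser aggregation described in the summary to a handful of constructed Kubernetes audit records. The proxy account name, verbs, resources, excluded namespaces and Helm prefix are the ones the summary lists; the `objectRef.resource/namespace/name` paths are assumed from the standard Kubernetes audit event layout, and `extra.oid` is modelled as a list of strings because Kubernetes audit `extra` values are lists. All sample records, users and OIDs are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Values taken from the rule summary above.
ARC_PROXY_SA = "system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa"
SENSITIVE_RESOURCES = {"secrets", "configmaps"}
FLAGGED_VERBS = {"get", "list", "read", "write", "update", "patch", "delete"}
EXCLUDED_NAMESPACES = {"azure-arc", "azure-arc-release", "kube-system"}
HELM_RELEASE_PREFIX = "sh.helm.release.v1"
LOOKBACK = timedelta(minutes=9)


def matches_rule(event: dict) -> bool:
    """Apply the rule's per-event conditions to one kubernetes.audit.* record.
    objectRef.* is assumed to be the standard audit location of the accessed object."""
    audit = event.get("kubernetes", {}).get("audit", {})
    # 1. The acting user must be the Arc proxy service account ...
    if audit.get("user", {}).get("username") != ARC_PROXY_SA:
        return False
    # 2. ... and the real caller must be recorded in impersonatedUser.
    if not audit.get("impersonatedUser", {}).get("username"):
        return False
    # 3. Only secrets/configmaps touched with one of the flagged verbs.
    obj = audit.get("objectRef", {})
    resource = obj.get("resource")
    if resource not in SENSITIVE_RESOURCES or audit.get("verb") not in FLAGGED_VERBS:
        return False
    # 4. Exclude namespaces Arc manages as part of normal operation.
    if obj.get("namespace") in EXCLUDED_NAMESPACES:
        return False
    # 5. Exclude Helm release secrets written by Arc-managed Helm operations.
    if resource == "secrets" and str(obj.get("name", "")).startswith(HELM_RELEASE_PREFIX):
        return False
    return True


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def aggregate_by_impersonated_user(events, now, lookback=LOOKBACK):
    """Group matching events from the lookback window by impersonated user,
    keeping the fields the triage guidance asks an analyst to inspect."""
    cutoff = now - lookback
    findings = defaultdict(list)
    for event in events:
        if _parse_ts(event["@timestamp"]) < cutoff or not matches_rule(event):
            continue
        audit = event["kubernetes"]["audit"]
        imp = audit["impersonatedUser"]
        obj = audit.get("objectRef", {})
        findings[imp["username"]].append({
            # extra values are lists in Kubernetes audit records; take the first OID
            "oid": (imp.get("extra", {}).get("oid") or [None])[0],
            "verb": audit["verb"],
            "resource": obj.get("resource"),
            "namespace": obj.get("namespace"),
            "name": obj.get("name"),
        })
    return dict(findings)


def _arc_event(ts, impersonated, oid, verb, resource, namespace, name=None, actor=ARC_PROXY_SA):
    """Build a constructed audit record in the kubernetes.audit.* layout (test data only)."""
    audit = {"user": {"username": actor}, "verb": verb,
             "objectRef": {"resource": resource, "namespace": namespace}}
    if name:
        audit["objectRef"]["name"] = name
    if impersonated:
        audit["impersonatedUser"] = {"username": impersonated, "extra": {"oid": [oid]}}
    return {"@timestamp": ts, "kubernetes": {"audit": audit}}


# Constructed sample records; users, OIDs and namespaces are made up.
NOW = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)
OID_A = "00000000-0000-0000-0000-000000000001"
OID_B = "00000000-0000-0000-0000-000000000002"
SAMPLE_EVENTS = [
    # Arc-proxied read of an application secret outside the Arc namespaces: fires.
    _arc_event("2026-03-10T11:55:00Z", "alice@example.com", OID_A, "get", "secrets", "payments", "db-credentials"),
    # Normal Arc management traffic in its own namespace: excluded (listed false positive).
    _arc_event("2026-03-10T11:56:00Z", "alice@example.com", OID_A, "get", "secrets", "azure-arc", "arc-identity"),
    # Helm release secret written through Arc: excluded (listed false positive).
    _arc_event("2026-03-10T11:57:00Z", "alice@example.com", OID_A, "update", "secrets", "default", "sh.helm.release.v1.myapp.v3"),
    # Arc-proxied list of secrets in prod (list events carry no object name): fires.
    _arc_event("2026-03-10T11:58:00Z", "bob@example.com", OID_B, "list", "secrets", "prod"),
    # Same pattern 20 minutes ago: matches the conditions but falls outside the ~9 minute window.
    _arc_event("2026-03-10T11:40:00Z", "bob@example.com", OID_B, "patch", "configmaps", "prod", "app-config"),
    # Direct access by an ordinary user with no impersonation: not this rule's concern.
    _arc_event("2026-03-10T11:59:00Z", None, None, "get", "secrets", "prod", "db-credentials", actor="carol@example.com"),
]

if __name__ == "__main__":
    for user, hits in aggregate_by_impersonated_user(SAMPLE_EVENTS, NOW).items():
        print(user, hits)
```

The two excluded records correspond to the false positives listed for the rule, and the window check is what keeps the older matching `patch` of a configmap out of the current finding set; in a real deployment that event would have been raised in an earlier run rather than dropped.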
Categories
  • Kubernetes
Data Sources
  • Application Log
ATT&CK Techniques
  • T1552
  • T1552.007
  • T1530
Created: 2026-03-10