
Azure Arc Cluster Credential Access by Identity from Unusual Source
Elastic Detection Rules
Summary
Detects when a service principal or user calls the Azure Arc cluster credential listing operation (listClusterUserCredential) from a source IP address not previously associated with that identity. This operation discloses credentials used to proxy kubectl access via the Azure ARM API, which adversaries may leverage after harvesting service principal credentials. The rule evaluates Azure Activity Logs (azure.activitylogs) for the MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION action with a successful outcome and correlates the caller identity with the source IP. To reduce false positives from legitimate but IP-rotating systems, it maintains a seven-day history of identity-to-IP mappings and flags only calls within a recent window (now minus 9 minutes) whose identity/IP pair deviates from that baseline. The rule maps to MITRE ATT&CK techniques T1078 (Valid Accounts, with T1078.004 Cloud Accounts) and T1552.007 (Unsecured Credentials: Container API) under Initial Access and Credential Access respectively. Triage guidance covers identity verification, IP geolocation/ASN checks, correlation with sign-in events, and validation of the Arc RBAC posture. Remediation guidance includes revoking credentials, removing Arc RBAC roles, auditing Arc proxy usage, and rotating potentially exposed Kubernetes secrets.
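The baseline-versus-recent-window logic described above, as an added Python example that is not Elastic's rule or its query language: it re-implements the detection over a handful of constructed Azure Activity Log records. The flattened field names (timestamp, operation_name, outcome, identity, source_ip) are assumptions standing in for the nested azure.activitylogs fields; the operation name and the 7-day / 9-minute windows are taken from the summary.

```python
"""Added example: minimal re-implementation of the 'credential listing from an
unusual source IP' detection over constructed Azure Activity Log records.
Field names are simplified assumptions, not the real azure.activitylogs schema."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Operation and outcome the rule matches on (operation name as on the page).
TARGET_OPERATION = "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION"
BASELINE_WINDOW = timedelta(days=7)      # identity-to-IP history kept
RECENT_WINDOW = timedelta(minutes=9)     # window in which anomalies are raised


def _ts(s):
    """Parse an ISO-8601 UTC timestamp such as '2026-03-10T11:57:00Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _matches(ev):
    """Only successful calls to the credential-listing operation are considered."""
    return ev["operation_name"].upper() == TARGET_OPERATION and ev["outcome"] == "success"


def unusual_source_events(events, now):
    """Return matching events inside the recent window whose source IP was not
    seen for that identity during the preceding baseline window.

    An identity with no baseline history at all is also flagged, because no
    prior association between it and any IP exists."""
    baseline_start = now - BASELINE_WINDOW
    recent_start = now - RECENT_WINDOW
    known_ips = defaultdict(set)
    recent = []
    for ev in events:
        if not _matches(ev):
            continue
        t = _ts(ev["timestamp"])
        if baseline_start <= t < recent_start:
            known_ips[ev["identity"]].add(ev["source_ip"])
        elif recent_start <= t <= now:
            recent.append(ev)
    return [ev for ev in recent if ev["source_ip"] not in known_ips[ev["identity"]]]


# Constructed sample records (evaluation time fixed at 2026-03-10T12:00:00Z).
NOW = datetime(2026, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # Baseline: automation principal routinely lists credentials from one IP.
    {"timestamp": "2026-03-05T08:00:00Z", "operation_name": TARGET_OPERATION,
     "outcome": "success", "identity": "sp-arc-automation", "source_ip": "203.0.113.10"},
    # Too old: alice's only history is 20 days back, outside the 7-day baseline.
    {"timestamp": "2026-02-18T09:30:00Z", "operation_name": TARGET_OPERATION,
     "outcome": "success", "identity": "alice@example.com", "source_ip": "192.0.2.5"},
    # Recent, known IP for this identity: not flagged.
    {"timestamp": "2026-03-10T11:57:00Z", "operation_name": TARGET_OPERATION,
     "outcome": "success", "identity": "sp-arc-automation", "source_ip": "203.0.113.10"},
    # Recent, failed call: ignored by the outcome filter.
    {"timestamp": "2026-03-10T11:56:00Z", "operation_name": TARGET_OPERATION,
     "outcome": "failure", "identity": "sp-arc-automation", "source_ip": "198.51.100.99"},
    # Recent, different operation from a new IP: ignored by the operation filter.
    {"timestamp": "2026-03-10T11:55:00Z", "operation_name": "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/READ",
     "outcome": "success", "identity": "sp-arc-automation", "source_ip": "198.51.100.7"},
    # Recent, same principal from an IP never seen in the baseline: flagged.
    {"timestamp": "2026-03-10T11:58:00Z", "operation_name": TARGET_OPERATION,
     "outcome": "success", "identity": "sp-arc-automation", "source_ip": "198.51.100.7"},
    # Recent, alice with no in-window history: flagged.
    {"timestamp": "2026-03-10T11:59:00Z", "operation_name": TARGET_OPERATION,
     "outcome": "success", "identity": "alice@example.com", "source_ip": "192.0.2.5"},
]


if __name__ == "__main__":
    for ev in unusual_source_events(SAMPLE_EVENTS, NOW):
        print(f"ALERT {ev['timestamp']} {ev['identity']} from {ev['source_ip']}")
```

The failed call and the unrelated read operation show why the outcome and operation filters matter: without them the principal's 198.51.100.99 attempt would pollute the baseline or raise a separate alert. Alice's case shows the trade-off of a fixed 7-day history: a legitimate user who has not listed credentials for longer than the window is treated as a new association, which is why the triage guidance correlates the alert with sign-in events rather than acting on the IP alone.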
Categories
- Cloud
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1078
- T1078.004
- T1552
- T1552.007
Created: 2026-03-10