
Summary
Detects retrieval of Azure VM boot diagnostics data through the control plane by an identity that has not recently performed this operation. Boot diagnostics expose the VM's serial console log and a console screenshot, and boot-time output can contain plaintext secrets such as credentials, tokens, cloud-init or agent configuration values, and command history. An identity granted the retrieveBootDiagnosticsData action (for example through the Virtual Machine Contributor role) can pull this data from the management plane without logging into the guest or reaching it over the network, which makes it a quiet path to credential discovery. The rule fires when an Azure Activity Log event's operation name equals MICROSOFT.COMPUTE/VIRTUALMACHINES/RETRIEVEBOOTDIAGNOSTICSDATA/ACTION, the outcome is successful, and the caller is unusual (not seen performing this operation within the lookback window). Failed attempts are not matched. This supports rapid investigation of potential credential access via the cloud management surface.
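The detection logic described above, written out as an added Python example so the matching and "unusual caller" behaviour can be checked against sample data. This is illustrative code, not the rule's own query engine. The event field names follow the Azure Activity Log schema (operationName, resultType, caller, time, resourceId) but every value is constructed, and the 14-day lookback and baseline start date are assumptions chosen for the example:

```python
from datetime import datetime, timedelta, timezone

# Operation name that marks a boot-diagnostics retrieval via the control plane.
BOOT_DIAG_ACTION = "MICROSOFT.COMPUTE/VIRTUALMACHINES/RETRIEVEBOOTDIAGNOSTICSDATA/ACTION"
# Assumption for this example: a caller not seen doing this within 14 days is "unusual".
LOOKBACK = timedelta(days=14)
# Assumption for this example: events before this point only build the baseline.
WINDOW_START = datetime(2026, 6, 3, tzinfo=timezone.utc)

# Constructed sample Activity Log records; nothing here comes from a real tenant.
SAMPLE_EVENTS = [
    # Baseline: an admin who routinely pulls boot diagnostics.
    {"time": "2026-06-01T08:00:00Z", "caller": "admin@contoso.com",
     "operationName": BOOT_DIAG_ACTION, "resultType": "Success",
     "resourceId": "/subscriptions/sub0/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01"},
    # Same admin four days later: recently seen, must not alert.
    {"time": "2026-06-05T08:30:00Z", "caller": "admin@contoso.com",
     "operationName": BOOT_DIAG_ACTION, "resultType": "Success",
     "resourceId": "/subscriptions/sub0/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web02"},
    # Different operation entirely: ignored.
    {"time": "2026-06-05T09:00:00Z", "caller": "svc-backup@contoso.com",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION", "resultType": "Success",
     "resourceId": "/subscriptions/sub0/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01"},
    # Failed attempt by a new caller: outcome is not successful, ignored.
    {"time": "2026-06-06T09:10:00Z", "caller": "contractor@contoso.com",
     "operationName": BOOT_DIAG_ACTION, "resultType": "Failure",
     "resourceId": "/subscriptions/sub0/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/db01"},
    # Successful retrieval by that new caller (mixed-case operation name): alert.
    {"time": "2026-06-06T09:12:44Z", "caller": "contractor@contoso.com",
     "operationName": "Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action",
     "resultType": "Success",
     "resourceId": "/subscriptions/sub0/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/db01"},
    # Admin again, but 20 days after the last time: outside the lookback, alert.
    {"time": "2026-06-25T07:45:00Z", "caller": "admin@contoso.com",
     "operationName": BOOT_DIAG_ACTION, "resultType": "Success",
     "resourceId": "/subscriptions/sub0/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web03"},
]


def parse_time(value: str) -> datetime:
    """Parse an Activity Log timestamp such as 2026-06-06T09:12:44Z as aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def is_successful_retrieval(event: dict) -> bool:
    """True for a successful retrieveBootDiagnosticsData action, regardless of case."""
    return (event.get("operationName", "").upper() == BOOT_DIAG_ACTION
            and event.get("resultType", "").lower() == "success")


def detect_unusual_retrievals(events, window_start=WINDOW_START, lookback=LOOKBACK):
    """Return alerts for successful retrievals by callers not seen doing this within `lookback`.

    Events are processed in time order so older events build the per-caller
    baseline before later ones are judged; events before `window_start`
    contribute to the baseline but never alert.
    """
    last_seen = {}   # caller -> time of their most recent successful retrieval
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if not is_successful_retrieval(ev):
            continue  # other operations and failed attempts never count
        ts = parse_time(ev["time"])
        caller = ev["caller"]
        prev = last_seen.get(caller)
        if ts >= window_start and (prev is None or ts - prev > lookback):
            alerts.append({"time": ev["time"], "caller": caller,
                           "resourceId": ev["resourceId"]})
        last_seen[caller] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect_unusual_retrievals(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['caller']} read boot diagnostics of {alert['resourceId']}")
```

Two design points carry over to a production query: the operation name is compared case-insensitively, because the casing of operationName in exported Activity Log records varies between sources, and the baseline is keyed on the caller alone, so a known admin who pulls diagnostics from a new VM is not flagged while a first-time caller on any VM is.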
Categories
- Cloud
- Azure
Data Sources
- Cloud Service
ATT&CK Techniques
- T1552
Created: 2026-06-15