Azure Service Principal Sign-In Followed by Arc Cluster Credential Access
Elastic Detection Rules
Summary
This rule detects a specific Azure cloud identity attack sequence: a service principal signs in to Microsoft Entra ID (Azure AD) and, within a short window, requests Arc cluster credentials via the listClusterUserCredential action. That combination is what establishes a proxy tunnel into Arc-connected Kubernetes clusters through the Arc Connect proxy, and it is the attack chain used by adversaries who have stolen service principal secrets to pivot into Kubernetes. The rule looks for a sign-in event for a service principal (identified by app_id) followed, within 30 minutes, by a successful Arc credential listing (MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION), which is indicative of credential access to Arc-connected resources. It explicitly targets externally authenticated service principals (as opposed to managed identities), and a match is particularly concerning when the sign-in originates from an unexpected location or ASN. The rule maps to MITRE ATT&CK techniques for Credential Access and Initial Access and provides guidance for investigation and containment, including credential rotation, session revocation, and correlation with Arc/Kubernetes activity. This enables rapid detection of post-compromise activity that could lead to Kubernetes cluster exposure via the Arc proxy.
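The sequence logic described above, modelled in Python over constructed sample events as an added illustration (this is not the Elastic rule itself, which is expressed as an Elastic query, and the simplified field names `ts`, `app_id`, `kind`, `operation`, `outcome` and `ip` are assumptions, not Elastic's own field paths). It pairs each externally authenticated service principal sign-in with a later successful Arc credential listing by the same app_id inside the 30-minute window, and skips managed identities and failed requests.

```python
from datetime import datetime, timedelta

# Operation name from the rule; the window length is the rule's 30 minutes.
ARC_CRED_ACTION = "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION"
WINDOW = timedelta(minutes=30)

# Constructed sample events (not real log documents; field names are assumptions).
SIGNINS = [
    # Service principal sign-in with an external secret, from an unexpected address.
    {"ts": "2026-03-10T09:00:00Z", "app_id": "app-1111", "kind": "ServicePrincipal", "ip": "203.0.113.7"},
    # Managed identity sign-in: out of scope for this rule.
    {"ts": "2026-03-10T09:05:00Z", "app_id": "app-2222", "kind": "ManagedIdentity", "ip": "10.0.0.4"},
    # Service principal sign-in whose credential request comes two hours later.
    {"ts": "2026-03-10T06:00:00Z", "app_id": "app-3333", "kind": "ServicePrincipal", "ip": "198.51.100.9"},
]

ACTIVITY = [
    {"ts": "2026-03-10T09:12:00Z", "app_id": "app-1111", "operation": ARC_CRED_ACTION, "outcome": "success"},
    {"ts": "2026-03-10T09:15:00Z", "app_id": "app-2222", "operation": ARC_CRED_ACTION, "outcome": "success"},
    {"ts": "2026-03-10T08:00:00Z", "app_id": "app-3333", "operation": ARC_CRED_ACTION, "outcome": "success"},
    {"ts": "2026-03-10T09:20:00Z", "app_id": "app-1111", "operation": ARC_CRED_ACTION, "outcome": "failure"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(signins, activity, window=WINDOW):
    """Return (app_id, signin_ts, credential_ts, source_ip) for every matching sequence.

    A match is a service principal sign-in followed, by the same app_id and within
    `window`, by a successful Arc credential listing. Managed identity sign-ins and
    failed credential requests never match, mirroring the rule's scoping.
    """
    hits = []
    for s in signins:
        if s["kind"] != "ServicePrincipal":
            continue
        t0 = parse_ts(s["ts"])
        for a in activity:
            if a["app_id"] != s["app_id"] or a["operation"] != ARC_CRED_ACTION:
                continue
            if a["outcome"] != "success":
                continue
            t1 = parse_ts(a["ts"])
            if t0 <= t1 <= t0 + window:
                hits.append((s["app_id"], s["ts"], a["ts"], s["ip"]))
    return hits
```

The source IP is carried into each hit so an analyst can apply the rule's location or ASN check to the matched sign-in.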
Categories
- Cloud
- Identity Management
- Azure
- Kubernetes
Data Sources
- Cloud Service
- Application Log
- Domain Name
ATT&CK Techniques
- T1552
- T1552.007
- T1078
- T1078.004
Created: 2026-03-10