Tailscale admin console login by previously unseen user

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect when a previously unseen user logs into the Tailscale admin console.

Strategy

This rule monitors Tailscale logs where @evt.name is LOGIN and @target.type is ADMIN_CONSOLE. It uses new-value detection on @usr.name to trigger when a user logs into the admin console for the first time. A new admin console login could indicate unauthorized use of valid credentials or a newly compromised account.
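The detection logic described above, replayed in code as an added example (not Datadog's or Tailscale's own implementation). The filter keeps only admin-console LOGIN events and the new-value step fires the first time a @usr.name value appears in that stream; every later login by the same user stays silent. The events are constructed for this example and only mirror the attribute names the rule uses (evt.name, target.type, usr.name); the IP field name and timestamps are assumptions.

```python
"""
Added example: replay of the rule's filter plus new-value detection over
constructed Tailscale-style audit events. Event dicts are constructed here,
not real Tailscale output; keys mirror the Datadog attributes the rule
references (@evt.name, @target.type, @usr.name).
"""

# Constructed sample events (not real log lines). Each dict stands for one
# processed log with its standard attributes.
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-10T09:00:00Z", "evt.name": "LOGIN",
     "target.type": "ADMIN_CONSOLE", "usr.name": "alice@example.com",
     "network.client.ip": "203.0.113.10"},
    # Repeat login by an already-seen user: must not trigger again.
    {"timestamp": "2024-01-10T09:05:00Z", "evt.name": "LOGIN",
     "target.type": "ADMIN_CONSOLE", "usr.name": "alice@example.com",
     "network.client.ip": "203.0.113.10"},
    # Node login, not the admin console: dropped by the rule's query.
    {"timestamp": "2024-01-10T09:07:00Z", "evt.name": "LOGIN",
     "target.type": "NODE", "usr.name": "carol@example.com",
     "network.client.ip": "198.51.100.7"},
    # Non-LOGIN admin-console event: also dropped by the query.
    {"timestamp": "2024-01-10T09:08:00Z", "evt.name": "UPDATE",
     "target.type": "ADMIN_CONSOLE", "usr.name": "dave@example.com",
     "network.client.ip": "198.51.100.9"},
    # Matching event with no usr.name: nothing to key on, skipped.
    {"timestamp": "2024-01-10T09:09:00Z", "evt.name": "LOGIN",
     "target.type": "ADMIN_CONSOLE"},
    {"timestamp": "2024-01-10T10:30:00Z", "evt.name": "LOGIN",
     "target.type": "ADMIN_CONSOLE", "usr.name": "bob@example.com",
     "network.client.ip": "198.51.100.23"},
    {"timestamp": "2024-01-11T08:00:00Z", "evt.name": "LOGIN",
     "target.type": "ADMIN_CONSOLE", "usr.name": "bob@example.com",
     "network.client.ip": "198.51.100.23"},
]


def matches_rule_query(event):
    """The rule's log filter: @evt.name:LOGIN AND @target.type:ADMIN_CONSOLE."""
    return (event.get("evt.name") == "LOGIN"
            and event.get("target.type") == "ADMIN_CONSOLE")


def detect_new_admin_logins(events, seen_users=None):
    """New-value detection on usr.name over the filtered event stream.

    seen_users is the learned baseline: users already observed logging in to
    the admin console. A login by a user outside the baseline yields one
    signal and adds the user to the baseline, so repeat logins are silent.
    Returns (signals, updated_baseline).
    """
    seen = set(seen_users or ())
    signals = []
    for ev in events:
        if not matches_rule_query(ev):
            continue
        user = ev.get("usr.name")
        if not user or user in seen:
            continue
        seen.add(user)
        # Carry the context the triage steps need: who, when, from where.
        signals.append({
            "usr.name": user,
            "timestamp": ev.get("timestamp"),
            "network.client.ip": ev.get("network.client.ip"),
        })
    return signals, seen


if __name__ == "__main__":
    found, baseline = detect_new_admin_logins(SAMPLE_EVENTS)
    for sig in found:
        print("new admin console login:", sig)
    print("baseline now:", sorted(baseline))
```

Passing a pre-learned baseline as `seen_users` models the rule's learning period: with `{"alice@example.com"}` already known, only bob's first login produces a signal.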

Triage and response

  • Verify that {{@usr.name}} is expected to have admin console access and that the login was legitimate.
  • Check whether the user is new to the tailnet or an existing user who has not previously used the admin console.
  • Review the login context, including time, source IP, and device, for consistency with the user’s normal activity.
  • If the activity is not expected, begin your organization’s incident response process and investigate.