This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect when Tailnet Lock has been disabled on a Tailscale tailnet.

Strategy

This rule monitors Tailscale logs where @evt.name is DISABLE, @target.type is TAILNET, and @target.property is TAILNET_LOCK. Tailnet Lock requires nodes to be signed by trusted keys before they can join the network. Disabling it removes this cryptographic verification and could allow unauthorized devices to access the tailnet.
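
The three conditions above, applied offline to constructed sample events and returning the acting user for triage. This is an added example, not part of the original rule or any vendor code. It assumes JSON events whose nesting mirrors the attribute paths in the query; the `tailnet` field and the function names are hypothetical.

```python
import json

# Constructed sample events (not real Tailscale logs). The nested layout
# mirrors the attribute paths in the rule query; "tailnet" is an assumed field.
SAMPLE_LOGS = [
    '{"evt": {"name": "DISABLE"}, "target": {"type": "TAILNET", "property": "TAILNET_LOCK"}, "usr": {"name": "alice@example.com"}, "tailnet": "example.ts.net"}',
    '{"evt": {"name": "ENABLE"}, "target": {"type": "TAILNET", "property": "TAILNET_LOCK"}, "usr": {"name": "bob@example.com"}, "tailnet": "example.ts.net"}',
    '{"evt": {"name": "DISABLE"}, "target": {"type": "NODE", "property": "KEY_EXPIRY"}, "usr": {"name": "carol@example.com"}, "tailnet": "example.ts.net"}',
    'not-json garbage line',
    '{"evt": {"name": "DISABLE"}, "target": "TAILNET"}',
]

# All three conditions must hold for the same event.
RULE = {
    "evt.name": "DISABLE",
    "target.type": "TAILNET",
    "target.property": "TAILNET_LOCK",
}

def get_path(event, dotted):
    """Walk a dotted attribute path; return None if any segment is missing."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def find_lock_disabled(lines):
    """Return triage records for events matching every rule condition."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than aborting the scan
        if not isinstance(event, dict):
            continue
        if all(get_path(event, path) == value for path, value in RULE.items()):
            hits.append({
                "user": get_path(event, "usr.name") or "<unknown>",
                "tailnet": get_path(event, "tailnet") or "<unknown>",
            })
    return hits

if __name__ == "__main__":
    for hit in find_lock_disabled(SAMPLE_LOGS):
        print(f"Tailnet Lock disabled on {hit['tailnet']} by {hit['user']}")
```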

Triage and response

  • Investigate the user {{@usr.name}} who disabled Tailnet Lock on the tailnet.
  • Review change management records for a planned maintenance window or exception for this change.
  • Determine which tailnet was affected and whether other compensating controls remain in place.
  • If the activity is not expected, begin your organization’s incident response process and investigate.