Tailscale posture integration modified or removed

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect when a Tailscale posture integration has been modified or removed from a tailnet.

Strategy

This rule monitors Tailscale logs for posture integration changes where @target.type is TAILNET and @target.property is POSTURE_INTEGRATION. It triggers on both REMOVE and UPDATE events. Posture integrations enforce device compliance requirements such as disk encryption and OS version. Removing or modifying these integrations could allow non-compliant devices to connect to the tailnet.

Triage and response

  • Investigate the user {{@usr.name}} that modified or removed the posture integration.
  • Identify which posture integration was changed and assess the impact on device compliance requirements.
  • Review other recent changes to tailnet security settings by the same user for a pattern of policy weakening.
  • If the activity is not expected, begin your organization’s incident response process and investigate.
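
The filter described under Strategy, combined with the same-user review from the triage list, as an added Python example that is not part of the original rule. The JSON field layout (action, actor.loginName, eventTime), the 24-hour window, and the sample events are constructed assumptions; only target.type, target.property and the REMOVE/UPDATE values come from the rule text.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs); the field layout is assumed.
SAMPLE_LOGS = """\
{"eventTime":"2024-05-01T10:00:00Z","action":"UPDATE","actor":{"loginName":"alice@example.com"},"target":{"type":"TAILNET","property":"ACL"}}
{"eventTime":"2024-05-01T10:20:00Z","action":"REMOVE","actor":{"loginName":"alice@example.com"},"target":{"type":"TAILNET","property":"POSTURE_INTEGRATION"}}
{"eventTime":"2024-05-01T11:00:00Z","action":"CREATE","actor":{"loginName":"bob@example.com"},"target":{"type":"TAILNET","property":"POSTURE_INTEGRATION"}}
{"eventTime":"2024-05-02T09:00:00Z","action":"UPDATE","actor":{"loginName":"carol@example.com"},"target":{"type":"TAILNET","property":"POSTURE_INTEGRATION"}}
{"eventTime":"2024-05-01T10:25:00Z","action":"UPDATE","actor":{"loginName":"alice@example.com"},"target":{"type":"NODE","property":"EXAMPLE_PLACEHOLDER"}}
not-json line
"""

WATCHED_ACTIONS = {"REMOVE", "UPDATE"}

def parse(raw):
    """Parse JSON-lines input, skipping malformed or incomplete records."""
    events = []
    for line in raw.splitlines():
        try:
            ev = json.loads(line)
            ev["_ts"] = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
            ev["actor"]["loginName"], ev["target"]["type"]  # required fields
        except (ValueError, KeyError, TypeError, AttributeError):
            continue
        events.append(ev)
    return events

def is_posture_change(ev):
    """The rule's condition: tailnet posture integration removed or updated."""
    target = ev["target"]
    return (target["type"] == "TAILNET"
            and target.get("property") == "POSTURE_INTEGRATION"
            and ev.get("action") in WATCHED_ACTIONS)

def triage(events, window=timedelta(hours=24)):
    """For each hit, list the same user's other tailnet-level changes nearby."""
    findings = []
    for hit in filter(is_posture_change, events):
        user = hit["actor"]["loginName"]
        related = [(e["eventTime"], e.get("action"), e["target"].get("property"))
                   for e in events
                   if e is not hit and e["actor"]["loginName"] == user
                   and e["target"]["type"] == "TAILNET"
                   and abs(e["_ts"] - hit["_ts"]) <= window]
        findings.append({"user": user, "action": hit["action"],
                         "time": hit["eventTime"], "related": related})
    return findings

if __name__ == "__main__":
    for finding in triage(parse(SAMPLE_LOGS)):
        print(finding)
```

A non-empty "related" list is the signal for the third triage step: the same user changed other tailnet-level settings close to the posture integration change.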