Tailscale admin console login by previously unseen user

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect when a previously unseen user logs into the Tailscale admin console.

Strategy

This rule monitors Tailscale logs where @evt.name is LOGIN and @target.type is ADMIN_CONSOLE. It uses new-value detection on @usr.name to trigger when a user logs into the admin console for the first time. A new admin console login could indicate unauthorized use of valid credentials or a newly compromised account.
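The filter-plus-new-value logic described above, as an added example that is not Datadog's or Tailscale's own code. It models the @evt.name, @target.type and @usr.name attributes as nested keys of a parsed JSON event; the sample events are constructed, and only LOGIN events against ADMIN_CONSOLE feed the baseline.

```python
from dataclasses import dataclass, field

LOGIN_EVENT = "LOGIN"            # @evt.name value the rule filters on
ADMIN_CONSOLE = "ADMIN_CONSOLE"  # @target.type value the rule filters on

def get_attr(event: dict, path: str):
    """Resolve a dotted attribute path such as 'usr.name' in a parsed event."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

@dataclass
class NewAdminLoginDetector:
    """New-value detection on @usr.name, scoped to admin console logins.
    Only events passing the LOGIN / ADMIN_CONSOLE filter add a user to the
    baseline, so a login to another target never suppresses that user's first
    admin console login. `seen` can be seeded from historical logs."""
    seen: set = field(default_factory=set)

    def process(self, event: dict):
        """Return an alert for a first-seen admin console login, else None."""
        if (get_attr(event, "evt.name") != LOGIN_EVENT
                or get_attr(event, "target.type") != ADMIN_CONSOLE):
            return None
        user = get_attr(event, "usr.name")
        if not user or user in self.seen:
            return None
        self.seen.add(user)  # record the newly observed value
        return {"usr.name": user, "timestamp": event.get("timestamp")}

def run(events: list, known_users=()) -> list:
    """Replay events through the detector and collect the alerts it raises."""
    det = NewAdminLoginDetector(seen=set(known_users))
    return [a for a in (det.process(e) for e in events) if a]

def ev(ts, name, target, user):  # builds a constructed sample event
    return {"timestamp": ts, "evt": {"name": name}, "target": {"type": target}, "usr": {"name": user}}

# Constructed sample log; "OTHER" and "LOGOUT" are placeholders, not Tailscale values.
SAMPLE = [
    ev("t1", "LOGIN", "ADMIN_CONSOLE", "alice@example.com"),   # first seen -> alert
    ev("t2", "LOGIN", "ADMIN_CONSOLE", "alice@example.com"),   # already seen
    ev("t3", "LOGIN", "OTHER", "bob@example.com"),             # not the admin console
    ev("t4", "LOGIN", "ADMIN_CONSOLE", "bob@example.com"),     # first admin login -> alert
    ev("t5", "LOGOUT", "ADMIN_CONSOLE", "carol@example.com"),  # not a LOGIN event
]
```

Seeding `known_users` from a learning window is what keeps the rule from alerting on every established admin the moment it is enabled.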

Triage and response

  • Verify that {{@usr.name}} is expected to have admin console access and that the login was legitimate.
  • Check whether the user is new to the tailnet or an existing user who has not previously used the admin console.
  • Review the login context, including time, source IP, and device, for consistency with the user’s normal activity.
  • If the activity is not expected, begin your organization’s incident response process and investigate.