---
title: Tailscale admin console login by previously unseen user
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Tailscale admin console login by
  previously unseen user
---

# Tailscale admin console login by previously unseen user

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
Classification:attackTactic:[TA0001-initial-access](https://attack.mitre.org/tactics/TA0001)Technique:[T1078-valid-accounts](https://attack.mitre.org/techniques/T1078) 
## Goal{% #goal %}

Detect when a previously unseen user logs into the Tailscale [admin console](https://tailscale.com/kb/1months/admin-console/).

## Strategy{% #strategy %}

This rule monitors Tailscale logs where `@evt.name` is `LOGIN` and `@target.type` is `ADMIN_CONSOLE`. It uses new-value detection on `@usr.name` to trigger when a user logs into the admin console for the first time. A new admin console login could indicate unauthorized use of valid credentials or a newly compromised account.

## Triage and response{% #triage-and-response %}

- Verify that `{{@usr.name}}` is expected to have admin console access and that the login was legitimate.
- Check whether the user is new to the tailnet or an existing user who has not previously used the admin console.
- Review the login context, including time, source IP, and device, for consistency with the user's normal activity.
- If the activity is not expected, begin your organization's incident response process and investigate.