---
title: Tailscale posture integration modified or removed
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Tailscale posture integration modified
  or removed
---

# Tailscale posture integration modified or removed

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
Classification:attackTactic:[TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)Technique:[T1562-impair-defenses](https://attack.mitre.org/techniques/T1562) 
## Goal{% #goal %}

Detect when a Tailscale [posture integration](https://tailscale.com/kb/1288/device-posture/) has been modified or removed from a tailnet.

## Strategy{% #strategy %}

This rule monitors Tailscale logs for posture integration changes where `@target.type` is `TAILNET` and `@target.property` is `POSTURE_INTEGRATION`. It triggers on both `REMOVE` and `UPDATE` events. Posture integrations enforce device compliance requirements such as disk encryption and OS version. Removing or modifying these integrations could allow non-compliant devices to connect to the tailnet.

## Triage and response{% #triage-and-response %}

- Investigate the user `{{@usr.name}}` that modified or removed the posture integration.
- Identify which posture integration was changed and assess the impact on device compliance requirements.
- Review other recent changes to tailnet security settings by the same user for a pattern of policy weakening.
- If the activity is not expected, begin your organization's incident response process and investigate.