Tailscale user role updated

This rule is part of a beta feature. To learn more, contact Support.
tailscale

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1078-valid-accounts

Set up the tailscale integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a Tailscale user’s role is updated.

Strategy

This rule monitors Tailscale logs for when a user’s role is updated. This could be a privilege escalation vector for an attacker looking to bypass restrictions from a lower privileged user.

Triage and response

  1. Investigate the user {{@usr.email}} that performed the UPDATE action on user {{@target.name}}.
  2. Compare the previous roles {{@old}} with the new role updates containing the {{@new}} role and confirm that they should be assigned to the user {{@target.name}}.
  3. If the activity is deemed malicious:
    • Begin your organization’s incident response process and investigate.