Tailscale posture integration modified or removed
Goal
Detect when a Tailscale posture integration has been modified or removed from a tailnet.
Strategy
This rule monitors Tailscale logs for posture integration changes where @target.type is TAILNET and @target.property is POSTURE_INTEGRATION. It triggers on both REMOVE and UPDATE events. Posture integrations enforce device compliance requirements such as disk encryption and OS version. Removing or modifying these integrations could allow non-compliant devices to connect to the tailnet.
Triage and response
- Investigate the user {{@usr.name}} that modified or removed the posture integration.
- Identify which posture integration was changed and assess the impact on device compliance requirements.
- Review other recent changes to tailnet security settings by the same user for a pattern of policy weakening.
- If the activity is not expected, begin your organization’s incident response process and investigate.
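
The match condition from the strategy and the "other recent changes by the same user" triage step, as an added Python example that is not part of the rule itself: it filters constructed audit events and lists other tailnet-level changes by the same user within a window. The `action` and `timestamp` keys, the 24-hour window and the `EXAMPLE_SETTING_*` property values are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events. "target" and "usr" mirror the attributes named in
# the rule; "action" and "timestamp" are assumed key names, and the
# EXAMPLE_SETTING_* property values are placeholders.
SAMPLE_LOGS = [
    '{"timestamp":"2024-05-01T09:40:00+00:00","action":"UPDATE","usr":{"name":"alice@example.com"},"target":{"type":"TAILNET","property":"EXAMPLE_SETTING_A"}}',
    '{"timestamp":"2024-05-01T10:00:00+00:00","action":"REMOVE","usr":{"name":"alice@example.com"},"target":{"type":"TAILNET","property":"POSTURE_INTEGRATION"}}',
    '{"timestamp":"2024-05-01T10:05:00+00:00","action":"CREATE","usr":{"name":"bob@example.com"},"target":{"type":"TAILNET","property":"POSTURE_INTEGRATION"}}',
    '{"timestamp":"2024-05-01T10:10:00+00:00","action":"UPDATE","usr":{"name":"bob@example.com"},"target":{"type":"NODE","property":"EXAMPLE_SETTING_B"}}',
    'not json',
    '{"timestamp":"2024-05-03T10:00:00+00:00","action":"UPDATE","usr":{"name":"alice@example.com"},"target":{"type":"TAILNET","property":"EXAMPLE_SETTING_C"}}',
]

def parse(lines):
    """Parse JSON lines, skipping malformed records or ones missing a field."""
    events = []
    for line in lines:
        try:
            e = json.loads(line)
            events.append({
                "time": datetime.fromisoformat(e["timestamp"]),
                "action": e["action"],
                "user": e["usr"]["name"],
                "type": e["target"]["type"],
                "property": e["target"]["property"],
            })
        except (ValueError, KeyError, TypeError):
            continue
    return events

def is_posture_change(e):
    """Rule condition: TAILNET / POSTURE_INTEGRATION with REMOVE or UPDATE."""
    return (e["type"] == "TAILNET" and e["property"] == "POSTURE_INTEGRATION"
            and e["action"] in {"REMOVE", "UPDATE"})

def triage(events, window=timedelta(hours=24)):
    """Pair each match with the same user's other TAILNET changes in the window."""
    findings = []
    for hit in filter(is_posture_change, events):
        related = [e for e in events
                   if e is not hit and e["user"] == hit["user"]
                   and e["type"] == "TAILNET"
                   and abs(e["time"] - hit["time"]) <= window]
        findings.append((hit, related))
    return findings

if __name__ == "__main__":
    for hit, related in triage(parse(SAMPLE_LOGS)):
        print(hit["user"], hit["action"], [r["property"] for r in related])
```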