---
title: Tailscale tailnet lock disabled
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > Tailscale tailnet lock disabled
---

# Tailscale tailnet lock disabled

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
Classification:attackTactic:[TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)Technique:[T1562-impair-defenses](https://attack.mitre.org/techniques/T1562) 
## Goal{% #goal %}

Detect when [Tailnet Lock](https://tailscale.com/kb/1226/tailnet-lock/) has been disabled on a Tailscale tailnet.

## Strategy{% #strategy %}

This rule monitors Tailscale logs where `@evt.name` is `DISABLE`, `@target.type` is `TAILNET`, and `@target.property` is `TAILNET_LOCK`. Tailnet Lock requires nodes to be signed by trusted keys before they can join the network. Disabling it removes this cryptographic verification and could allow unauthorized devices to access the tailnet.

## Triage and response{% #triage-and-response %}

- Investigate the user `{{@usr.name}}` that disabled Tailnet Lock on the tailnet.
- Review change management records for a planned maintenance window or exception for this change.
- Determine which tailnet was affected and whether other compensating controls remain in place.
- If the activity is not expected, begin your organization's incident response process and investigate.