Monitoring Tailscale Network & Audit Logs with Panther

Panther is thrilled to announce a powerful new integration with Tailscale. This cutting-edge collaboration enables users to stream logs directly from Tailscale to Panther, providing suspicious behavior detection without custom configuration.

Panther users can also create custom alerts from Tailscale network and audit logs, allowing faster incident response and painless remediation. By streaming logs directly from Tailscale, no infrastructure or other special setup is needed to equip users with a robust tool that significantly enhances security and visibility across Tailscale network and audit logs.

Out-of-the-Box Detection Content

Panther provides a range of ready-to-use detections that help cover an array of potential security issues. We’ve written the following detections to help you get started quickly with monitoring your Tailscale instance.

  • Magic DNS Disabled
    This covers a security scenario in which a registered Tailscale user, already a part of your organization’s tenant, disables Magic DNS settings across the entire tenant. Magic DNS automatically registers domain names for devices in your Tailnet, allowing analysts to use a machine’s name instead of its IP address. The disabling of this feature could be an indicator of compromised credentials or a potential insider threat incident.

  • HTTPS Disabled
    This detection is triggered when a registered Tailscale user disables the HTTPS Certificate setting across the entire tenant. This setting allows users to provision HTTPS certificates for their devices, and disabling this feature could indicate misconfiguration, whether accidental or intentional.

  • Machine Approval Requirements Disabled
    This detection fires when a registered Tailscale user disables Machine Approval Requirement settings across the entire tenant. This means your organization no longer requires new devices to be approved by admins before they can access your network, and could be an indicator of compromised credentials, misconfiguration, or an insider threat incident.
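
The three detections above share one shape: a tenant-wide setting changes to disabled. The sketch below is an added example, not Panther's shipped detection code. The event layout (`action`, `target.type`, `target.property`, `actor.loginName`) and the property names are assumptions made for illustration, and the events are constructed.

```python
# Added illustration. Field names and property values are assumptions for
# this sketch, not Tailscale's or Panther's documented schema.

# Tenant-wide settings from the list above, mapped to the detection name.
WATCHED_SETTINGS = {
    "MAGIC_DNS": "Magic DNS Disabled",
    "HTTPS": "HTTPS Disabled",
    "MACHINE_APPROVAL_NEEDED": "Machine Approval Requirements Disabled",
}


def match_detection(event):
    """Return the detection name if a watched tenant-wide setting was disabled."""
    if not isinstance(event, dict):
        return None
    if str(event.get("action", "")).upper() != "DISABLE":
        return None
    target = event.get("target") or {}
    # Only tenant-scoped changes count; a per-device change is out of scope.
    if str(target.get("type", "")).upper() != "TAILNET":
        return None
    return WATCHED_SETTINGS.get(str(target.get("property", "")).upper())


def alerts(events):
    """Yield (detection, actor) for each matching event, in input order."""
    for event in events:
        name = match_detection(event)
        if name:
            actor = (event.get("actor") or {}).get("loginName", "<unknown actor>")
            yield name, actor


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"action": "DISABLE", "actor": {"loginName": "alice@example.com"},
     "target": {"type": "TAILNET", "property": "MAGIC_DNS"}},
    {"action": "ENABLE", "actor": {"loginName": "bob@example.com"},
     "target": {"type": "TAILNET", "property": "HTTPS"}},       # re-enabled: no alert
    {"action": "DISABLE", "actor": {"loginName": "bob@example.com"},
     "target": {"type": "TAILNET", "property": "MACHINE_APPROVAL_NEEDED"}},
    {"action": "DISABLE", "target": None},                      # malformed: no target
    {"action": "DISABLE", "actor": {"loginName": "carol@example.com"},
     "target": {"type": "NODE", "property": "HTTPS"}},          # not tenant-wide
]

if __name__ == "__main__":
    for detection, actor in alerts(SAMPLE_EVENTS):
        print(f"ALERT {detection}: changed by {actor}")
```

Recording the actor with each alert matters for triage, since the same event can mean compromised credentials, misconfiguration, or insider activity.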

Amplifying Security through Integrations

Panther’s collaboration with Tailscale is another step towards achieving complete visibility of your network. By combining Tailscale’s privacy and security features with Panther’s user-friendly, web-based dashboard and alerting systems, cross-application events take on more significance instead of appearing as isolated incidents.

The integration of Panther and Tailscale enables a more secure and efficiently monitored network by default, right out of the box.

Simple Setup

  1. Create a new Tailscale integration in Panther
  2. Connect the stream by selecting the Panther option in Tailscale and filling in the URL and token from the Panther side
  3. Logs will stream directly into Panther

Monitor Your Tailscale Environment with Panther

Panther’s integration with Tailscale is available to all customers as of release v1.74. You can read more about ingesting Tailscale logs into Panther and the supported schema in our documentation.

If you’re not currently a Panther customer and would like to maximize your security and visibility across Tailscale network and audit logs, sign up for a 30-day free trial or request a demo to get started.
