Tailscale Log Monitoring

Integration Overview

Tailscale is a fast and reliable VPN service that provides secure remote access to shared resources through peer-to-peer mesh networks (called tailnets). Panther can collect, normalize, and monitor Tailscale logs to help you identify suspicious activity in real time. Your normalized data is then retained to power future security investigations in a serverless data lake powered by Snowflake.

Use Cases for Tailscale Logs

Panther offers native support for Tailscale’s audit and network flow log types. Tailscale audit logs capture information and timestamps for user actions in your tailnet, while network flow logs help you understand which nodes connected to which other nodes, and when, on your Tailscale network. Common SIEM use cases for monitoring these log types include:

  • Monitoring for any changes to Magic DNS settings
  • Detecting when HTTPS Certificate settings are disabled
  • Identifying when Machine Approval Requirement settings are disabled

Onboarding Tailscale Logs in Panther

Panther’s integration for Tailscale is simple to configure, allowing you to onboard logs in just a few minutes. You'll first create a new log source in Panther, then create a new Log Stream in Tailscale and choose Panther from the list of destinations to send events to a Panther HTTP endpoint.

For more detailed steps on onboarding Tailscale logs or for supported log schema, you can view our Tailscale documentation here.

Normalizing & Analyzing Tailscale Logs

As Panther ingests Tailscale logs, they are parsed, normalized, and stored in a Snowflake security data lake. This empowers security teams to craft detections, identify anomalies, and conduct investigations on logs in the context of days, weeks, or months of data.

Panther applies normalization fields to all log records, which standardizes names for attributes and empowers users to correlate and investigate data across all log types. For more on searching log data in Panther, check out our documentation on Investigations & Search.

Detection as Code

With Panther, your team won’t be confined to rigid detection rules as seen in many SIEM platforms. Panther is built with detection-as-code principles, giving you the ability to write Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering workflows. This results in powerful, flexible, and reusable scripting of detections for your security team.

A number of pre-built detections for Tailscale are available by default in Panther, offering you the ability to immediately monitor your Tailscale network for common vulnerabilities. You can explore our built-in detection coverage for Tailscale logs here.

Configuring Alerts

Panther fires alerts when your detection rules or policies are triggered, and integrates with a variety of alert destinations to allow for easy access and management of any Tailscale alerts. Alerts can also be forwarded to alert context or SOAR platforms for more remediation options.

Alerts are categorized in five different severity levels: Info, Low, Medium, High, and Critical. Security teams have the options to dynamically assign severity based on specific log event attributes.

Customer Support

If you have any questions about configuring or monitoring Tailscale logs in Panther, we’re here to help. All customers have access to our technical support team via a dedicated Slack channel, email, or in-app messenger.

You can view our documentation on configuring and monitoring Tailscale logs here, or customers can sign up for the Panther Community to share best practices or custom detections for monitoring Tailscale.

Protect Your Tailscale Environment

With Panther, security teams don’t have to struggle with restrictive detection logic, waste time and resources on operational overhead, or pay skyrocketing costs to keep up with the growth of cloud app data. Panther was founded by a team of veteran security practitioners who struggled with legacy SIEM challenges first-hand, and built an intuitive, cloud-native platform to solve them.

Panther is a cloud-native SIEM built for security operations at scale, offering flexible detection-as-code, intuitive security workflows, and actionable real-time alerts to keep up with the needs of today’s security teams. For a powerful, flexible, and scalable SIEM solution for Tailscale, request a demo today

Escape Cloud Noise. Detect Security Signal.
Request a Demo