/
tailscale_machine_approval_requirements_disabled.yml
87 lines (87 loc) · 3.32 KB
/
tailscale_machine_approval_requirements_disabled.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
AnalysisType: rule
Description: A Tailscale User disabled machine approval requirement settings in your organization's tenant. This means devices can access your network without requiring approval.
DisplayName: "Tailscale Machine Approval Requirements Disabled"
Enabled: true
Filename: tailscale_machine_approval_requirements_disabled.py
Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture.
Reference: https://tailscale.com/kb/1099/device-approval/
Severity: High
Tests:
- ExpectedResult: true
Log:
{
"event":
{
"action": "DISABLE",
"actor":
{
"displayName": "Homer Simpson",
"id": "uhfQwM4CNTRL",
"loginName": "homer.simpson@yourcompany.io",
"type": "USER",
},
"eventGroupID": "6dae044c7a8998599e94657b511d28f9",
"origin": "ADMIN_CONSOLE",
"target":
{
"id": "panther.com",
"name": "panther.com",
"property": "MACHINE_APPROVAL_NEEDED",
"type": "TAILNET",
},
},
"fields": { "recorded": "2023-06-27 22:58:15.824694387" },
"p_any_emails": ["homer.simpson@yourcompany.io"],
"p_any_md5_hashes": ["6dae044c7a8998599e94657b511d28f9"],
"p_any_usernames": ["homersimpson"],
"p_event_time": "2023-06-27 23:02:08.54",
"p_log_type": "Custom.TailscaleAudit",
"p_parse_time": "2023-06-27 23:02:08.54",
"p_row_id": "8ec49771e630f6e8e5fdb28319d95c",
"p_schema_version": 4,
"p_source_id": "3acfbe1d-f7b2-4c3f-a26e-8da418fd29ef",
"p_source_label": "Custom Tailscale Audit",
"p_timeline": "2023-06-27 23:02:08.54",
"p_udm": {},
"time": 1687906694.915,
}
Name: Machine Approval Requirements Disabled
- ExpectedResult: false
Log:
{
"event":
{
"action": "CREATE",
"actor":
{
"displayName": "Homer Simpson",
"id": "uodc9f3CNTRL",
"loginName": "homer.simpson@yourcompany.io",
"type": "USER",
},
"eventGroupID": "9f880e02981e341447958344b7b4071f",
"new": {},
"origin": "ADMIN_CONSOLE",
"target":
{ "id": "k6r3fm3CNTRL", "name": "API key", "type": "API_KEY" },
},
"fields": { "recorded": "2023-07-19 16:11:41.778839718" },
"p_any_actor_ids": ["uodc9f3CNTRL"],
"p_any_emails": ["homer.simpson@yourcompany.io"],
"p_any_usernames": ["homersimpson"],
"p_event_time": "2023-07-19 16:11:41.601000",
"p_log_type": "Tailscale.Audit",
"p_parse_time": "2023-07-19 16:14:56.865276",
"p_row_id": "02eaf97ec9caaaabff8882ba19ad1d",
"p_schema_version": 0,
"p_source_id": "5d65e24a-7ebb-403b-803c-51396e03d201",
"p_source_label": "Tailscale Audit and Network Logs",
"p_udm": {},
"time": "2023-07-19 16:11:41.601000000",
}
Name: Other Event
DedupPeriodMinutes: 60
LogTypes:
- Tailscale.Audit
RuleID: "Tailscale.Machine.Approval.Requirements.Disabled"
Threshold: 1