
Tailscale

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
Tailscale Configuration Audit Logs | ✅ | ✅ | tailscale_configuration_audit_logs | NDJSON | S3
Tailscale Network Flow Logs | ✅ | ✅ | ✅ | tailscale_network_flow_logs | NDJSON | S3


Overview

Tailscale is an identity-based connectivity platform for building secure private networks across users, devices, servers, containers, and cloud environments without relying on a traditional VPN perimeter. It uses a tailnet model to connect resources over encrypted paths and provides centralized administration, access controls, device visibility, and logging. Tailscale also supports exporting and streaming security-relevant telemetry, including configuration audit logs and network flow logs, to storage or Hunters SIEM destinations for monitoring, investigation, and compliance use cases.

The Tailscale integration in a security platform should be understood as a normalization integration for tailnet administration and traffic telemetry. It helps organizations monitor changes to tailnet configuration, track device and user activity that affects connectivity, and analyze flow-level network activity between Tailscale nodes, exit nodes, subnet routers, and external destinations. This makes the integration useful for security operations, threat detection, access review, troubleshooting, and incident response.

Send data to Hunters

Hunters supports the ingestion of Tailscale Configuration Audit Logs and Tailscale Network Flow Logs via an intermediary AWS S3 bucket.

To connect Tailscale Logs:

Connect using S3

  1. Export your logs from Tailscale to an AWS S3 bucket.

  2. Once the export is completed and the logs are collected in S3, follow the steps in this section.

Supported data types

Tailscale Configuration Audit Logs

Table name: tailscale_configuration_audit_logs

The Tailscale List configuration audit logs API returns audit records for actions that modify or affect a tailnet's configuration. These logs show who did what, to which resource, and when, and typically include the action, actor, target resource, timestamps, and related metadata. They are intended for tracking administrative and control-plane changes such as device or node changes, policy-related updates, approvals, and other tailnet configuration events. Tailscale positions these logs for long-term storage, security analysis, threat detection, and incident investigation, and they can also be streamed to Hunters' SIEM.

Expected format

Logs are expected in NDJSON format.

{"action":"CREATE","actor":{"displayName":"John Doe","id":"uZKk3KSfrH11DEVEL","loginName":"john.doe@example.com","type":"USER"},"deferredAt":"0001-01-01T00:00:00Z","eventGroupID":"0378d8f57300d172ef7ae3826e097ef0","eventTime":"2024-06-06T15:25:26.583893Z","origin":"ADMIN_CONSOLE","target":{"id":"nBLYviWLGB21DEVEL","isEphemeral":true,"name":"abc-ejd-dsb.net.io","type":"NODE"},"type":"CONFIG"}

Tailscale Network Flow Logs

Table name: tailscale_network_flow_logs

The Tailscale List network flow logs API returns flow-level telemetry that shows how nodes in a tailnet communicate over time. These logs capture metadata about network traffic, not packet contents, and include time windows plus flow summaries such as source and destination addresses, protocol, packet counts, and byte counts. Depending on the traffic type, records may include virtual traffic between Tailscale nodes, physical traffic that reflects underlay transport behavior, and exit traffic for traffic routed through exit nodes. These logs are designed to help teams understand connectivity patterns, investigate incidents, detect threats, troubleshoot networking issues, and feed downstream analytics or Hunters' SIEM pipelines.

Expected format

Logs are expected in NDJSON format.

{"logged":"2024-06-06T15:27:26.583893Z","nodeId":"ajdfnWEWERjknlk","start":"2024-06-06T15:25:26.583893Z","end":"2024-06-06T15:26:26.583893Z","virtualTraffic":[{"proto":"ipv4","src":"1.O.3.22:2341","dst":"1.O.33.O:98","txPkts":10,"txBytes":10000,"rxPkts":10,"rxBytes":10000}],"subnetTraffic":[{"proto":"ipv4","src":"1.O.3.22:2341","dst":"1.O.33.O:98","txPkts":10,"txBytes":10000,"rxPkts":10,"rxBytes":10000}],"exitTraffic":[{"proto":"ipv4","src":"1.O.3.22:2341","dst":"1.O.33.O:98","txPkts":10,"txBytes":10000,"rxPkts":10,"rxBytes":10000}],"physicalTraffic":[{"proto":"ipv4","src":"1.O.3.22:2341","dst":"1.O.33.O:98","txPkts":10,"txBytes":10000,"rxPkts":10,"rxBytes":10000}]}
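As an added example (not Hunters' or Tailscale's own code), here is a small Python normalizer for an NDJSON export that mixes both record shapes shown above: it tells configuration audit records from flow records by their keys, reduces an audit record to who/action/target, and explodes a flow record's per-category traffic arrays (virtualTraffic, subnetTraffic, exitTraffic, physicalTraffic) into one row per flow. The sample lines, the node/actor ids and the 100.64.x / 203.0.113.x addresses are constructed; the malformed third line shows how the parser treats a bad record.

```python
import json

# Constructed sample lines in the two NDJSON shapes documented above (not real tailnet data).
SAMPLE_NDJSON = """\
{"action":"CREATE","actor":{"displayName":"John Doe","id":"uZKk3KSfrH11DEVEL","loginName":"john.doe@example.com","type":"USER"},"eventTime":"2024-06-06T15:25:26.583893Z","origin":"ADMIN_CONSOLE","target":{"id":"nBLYviWLGB21DEVEL","name":"abc-ejd-dsb.net.io","type":"NODE"},"type":"CONFIG"}
{"logged":"2024-06-06T15:27:26.583893Z","nodeId":"ajdfnWEWERjknlk","start":"2024-06-06T15:25:26.583893Z","end":"2024-06-06T15:26:26.583893Z","virtualTraffic":[{"proto":"ipv4","src":"100.64.0.5:2341","dst":"100.64.0.9:22","txPkts":10,"txBytes":10000,"rxPkts":10,"rxBytes":10000}],"exitTraffic":[{"proto":"ipv4","src":"100.64.0.5:4455","dst":"203.0.113.7:443","txPkts":3,"txBytes":900,"rxPkts":4,"rxBytes":52000}]}
{this line is not valid JSON}
"""

TRAFFIC_KEYS = ("virtualTraffic", "subnetTraffic", "exitTraffic", "physicalTraffic")

def parse_ndjson(text):
    """Yield one dict per parsable line; blank and malformed lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # in a real pipeline this line would go to a dead-letter queue

def normalize_audit(rec):
    """Reduce a configuration audit record to who / did what / to which target."""
    actor, target = rec.get("actor", {}), rec.get("target", {})
    return {"time": rec.get("eventTime"), "action": rec.get("action"),
            "actor": actor.get("loginName"), "origin": rec.get("origin"),
            "target_type": target.get("type"), "target": target.get("name") or target.get("id")}

def normalize_flows(rec):
    """Explode the per-category traffic arrays of a flow record into one row per flow."""
    rows = []
    for key in TRAFFIC_KEYS:
        for flow in rec.get(key) or []:
            rows.append({"node": rec.get("nodeId"), "kind": key[:-len("Traffic")],
                         "proto": flow.get("proto"), "src": flow.get("src"),
                         "dst": flow.get("dst"),
                         "bytes": flow.get("txBytes", 0) + flow.get("rxBytes", 0)})
    return rows

def normalize(text):
    """Route each NDJSON record to the audit or flow normalizer by its shape."""
    audit, flows = [], []
    for rec in parse_ndjson(text):
        if "action" in rec and "actor" in rec:
            audit.append(normalize_audit(rec))
        elif any(k in rec for k in TRAFFIC_KEYS):
            flows.extend(normalize_flows(rec))
    return audit, flows
```

The "kind" column (virtual, subnet, exit, physical) is what lets a detection baseline exit-node or subnet-router volume separately from node-to-node traffic.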