Add tailscale ccf solution #14482
Status: Open. noodlemctwoodle wants to merge 28 commits into Azure:master from noodlemctwoodle:add-tailscale-ccf-solution (base: master).
Commits (all 28 by noodlemctwoodle):

- 73b4787 Add Tailscale (CCF) solution
- f556403 Tailscale (CCF): add hunting queries + Standard/Premium workbooks
- a97e95f Tailscale (CCF): pre-emptive CI fixes (mirrors UniFi PR fix-up)
- 05a01ef Tailscale (CCF): rename to *_Audit_CL, fix OAuth, add 5 Premium rules
- 4e1dc8a Tailscale (CCF): rename network-tier hunting queries to 'Tailscale Pr…
- 7e261e9 Tailscale (CCF): full Free/Standard coverage (9 pollers, 8 tables, 16…
- 7f7272b Tailscale Premium (CCF): full expansion to 11 pollers + posture content
- d47c4a5 Tailscale (CCF): merge 3 DNS tables into single Tailscale_Dns_CL
- 630a82d Tailscale (CCF): redesign workbooks to match UniFi visual style
- 808e032 Tailscale (CCF): switch /devices poller to ?fields=all (expose routes)
- 147721b Tailscale (CCF): fix Settings panel - readable values + tier-correct …
- d6e72e3 Tailscale (CCF): add 4 analytic rules + 4 hunts on new device fields
- b296bcd fix(tailscale): pre-emptive CI compliance (mirror UniFi Copilot review)
- bc258a6 fix(tailscale): connector publisher 'Custom' -> 'Community'
- ccb8266 feat(tailscale): rebuild Standard workbook with 9-tab forensic UX
- 7c3ee1f feat(tailscale): finalize 3.0.0 for upstream PR submission
- 40c18b8 docs(tailscale): credit Tailscale for tailnet upgrade enabling Premiu…
- caabafc docs(tailscale): refine Tailscale acknowledgement - flow logs, no tri…
- 7edc476 docs(tailscale): tighten Tailscale acknowledgement to generic thanks
- dff0769 docs(tailscale): sync README with current content counts and schema
- a1221a9 docs(tailscale): drop VPN-tunnel-events bullet, sync Premium counts
- 8c33407 docs(tailscale): replace fictional ASIM-parser claim with a planned-w…
- 0beedf0 feat(tailscale): add vimNetworkSessionTailscale ASIM NetworkSession p…
- 35c26ce fix(tailscale): align CustomTables schemas + finish hunt description …
- 9ca7207 Merge remote-tracking branch 'upstream/master' into add-tailscale-ccf…
- 63221a6 chore(tailscale): regenerate Package/ against current upstream V3 too…
- c0089a1 fix(tailscale): address PR #14482 Copilot review feedback
- 74a07e6 fix(tailscale): resolve PR #14482 CI build failures (KQL + logo)
File: .script/tests/KqlvalidationsTests/CustomTables/Tailscale_Audit_CL.json (16 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { "Name": "Tailscale_Audit_CL", | ||
| "Properties":[ | ||
| { "Name": "TenantId", "Type": "string" }, | ||
| { "Name": "SourceSystem", "Type": "string" }, | ||
| { "Name": "TimeGenerated", "Type": "datetime" }, | ||
| { "Name": "EventTime", "Type": "datetime" }, | ||
| { "Name": "EventGroupID", "Type": "string" }, | ||
| { "Name": "EventType", "Type": "string" }, | ||
| { "Name": "ActionDetails", "Type": "string" }, | ||
| { "Name": "Actor", "Type": "dynamic" }, | ||
| { "Name": "Action", "Type": "string" }, | ||
| { "Name": "Target", "Type": "dynamic" }, | ||
| { "Name": "Origin", "Type": "dynamic" }, | ||
| { "Name": "New", "Type": "dynamic" }, | ||
| { "Name": "Old", "Type": "dynamic" } | ||
| ]} |
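
Review bot: the compact one-property-per-line layout used here differs from Tailscale_Devices_CL.json and Tailscale_Keys_CL.json in the same directory, which are fully expanded; pick one JSON style for all nine CustomTables files so future schema diffs stay readable. The column typing itself is sound: Actor, Target, Origin, New and Old as dynamic is what the TailscaleAuthkeycreated.yaml rule in this PR relies on when it reads Target.type, Actor.loginName and New.description. One documentation point: the table carries both EventTime and TimeGenerated, so the connector README should state which one reflects the Tailscale-side event time and which the ingestion time, otherwise hunts will pivot on the wrong column.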
File: .script/tests/KqlvalidationsTests/CustomTables/Tailscale_Devices_CL.json (121 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,121 @@ | ||
| { | ||
| "Name": "Tailscale_Devices_CL", | ||
| "Properties": [ | ||
| { | ||
| "Name": "TenantId", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "SourceSystem", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "TimeGenerated", | ||
| "Type": "datetime" | ||
| }, | ||
| { | ||
| "Name": "DeviceId", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "DeviceName", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "Hostname", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "User", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "Os", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "ClientVersion", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "UpdateAvailable", | ||
| "Type": "bool" | ||
| }, | ||
| { | ||
| "Name": "Authorized", | ||
| "Type": "bool" | ||
| }, | ||
| { | ||
| "Name": "IsExternal", | ||
| "Type": "bool" | ||
| }, | ||
| { | ||
| "Name": "Created", | ||
| "Type": "datetime" | ||
| }, | ||
| { | ||
| "Name": "LastSeen", | ||
| "Type": "datetime" | ||
| }, | ||
| { | ||
| "Name": "Expires", | ||
| "Type": "datetime" | ||
| }, | ||
| { | ||
| "Name": "KeyExpiryDisabled", | ||
| "Type": "bool" | ||
| }, | ||
| { | ||
| "Name": "BlocksIncomingConnections", | ||
| "Type": "bool" | ||
| }, | ||
| { | ||
| "Name": "Addresses", | ||
| "Type": "dynamic" | ||
| }, | ||
| { | ||
| "Name": "Tags", | ||
| "Type": "dynamic" | ||
| }, | ||
| { | ||
| "Name": "EnabledRoutes", | ||
| "Type": "dynamic" | ||
| }, | ||
| { | ||
| "Name": "AdvertisedRoutes", | ||
| "Type": "dynamic" | ||
| }, | ||
| { | ||
| "Name": "ClientConnectivity", | ||
| "Type": "dynamic" | ||
| }, | ||
| { | ||
| "Name": "MachineKey", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "NodeKey", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "Distro", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "SshEnabled", | ||
| "Type": "bool" | ||
| }, | ||
| { | ||
| "Name": "ConnectedToControl", | ||
| "Type": "bool" | ||
| }, | ||
| { | ||
| "Name": "TailnetLockKey", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "TailnetLockError", | ||
| "Type": "string" | ||
| } | ||
| ] | ||
| } |
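
Review bot: MachineKey, NodeKey and TailnetLockKey are ingested as plain string columns with nothing in this file set saying what they contain; the connector README should state whether these are public key identifiers (safe to store and useful for correlating a node across re-enrolments) or material that must not be ingested, because a reviewer looking only at the schema will flag three columns named *Key as secrets landing in the workspace. Separately, this table has 29 columns and the ones that make a device row high-value for detection are not called out anywhere: Expires together with KeyExpiryDisabled, and SshEnabled together with AdvertisedRoutes and EnabledRoutes (a node with key expiry disabled that advertises subnet routes and has Tailscale SSH on is the row an analyst wants first). A short per-column table in the README would cover this.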
File: .script/tests/KqlvalidationsTests/CustomTables/Tailscale_Dns_CL.json (10 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| { "Name": "Tailscale_Dns_CL", | ||
| "Properties":[ | ||
| { "Name": "TenantId", "Type": "string" }, | ||
| { "Name": "SourceSystem", "Type": "string" }, | ||
| { "Name": "TimeGenerated", "Type": "datetime" }, | ||
| { "Name": "ConfigType", "Type": "string" }, | ||
| { "Name": "Nameservers", "Type": "dynamic" }, | ||
| { "Name": "MagicDNS", "Type": "bool" }, | ||
| { "Name": "SearchPaths", "Type": "dynamic" } | ||
| ]} |
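
Review bot: ConfigType is the only discriminator in a table that, per commit d47c4a5, merges three DNS tables into one, but its allowed values are not documented in this PR. Since MagicDNS can only be meaningful for one configuration type and Nameservers and SearchPaths for others, every query against this table has to guess the filter string and which columns will be null for a given row. Document the ConfigType values and the columns populated for each, ideally in the README and as a comment in the connector's poller definition.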
File: .script/tests/KqlvalidationsTests/CustomTables/Tailscale_Keys_CL.json (53 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| { | ||
| "Name": "Tailscale_Keys_CL", | ||
| "Properties": [ | ||
| { | ||
| "Name": "TenantId", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "SourceSystem", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "TimeGenerated", | ||
| "Type": "datetime" | ||
| }, | ||
| { | ||
| "Name": "KeyId", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "Description", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "UserId", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "Created", | ||
| "Type": "datetime" | ||
| }, | ||
| { | ||
| "Name": "Expires", | ||
| "Type": "datetime" | ||
| }, | ||
| { | ||
| "Name": "Revoked", | ||
| "Type": "datetime" | ||
| }, | ||
| { | ||
| "Name": "Capabilities", | ||
| "Type": "dynamic" | ||
| }, | ||
| { | ||
| "Name": "KeyType", | ||
| "Type": "string" | ||
| }, | ||
| { | ||
| "Name": "ExpirySeconds", | ||
| "Type": "int" | ||
| } | ||
| ] | ||
| } |
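
Review bot: good that the schema holds only KeyId, Description, Capabilities and lifecycle timestamps and no key secret; say so explicitly in the connector README, because that is the first question anyone ingesting a keys endpoint will ask. Two smaller items: Revoked is a datetime that will be null for live keys, so hunts should test isnotnull(Revoked) rather than compare against a sentinel value, and that convention belongs in the README; and Expires plus ExpirySeconds are redundant, which is fine for query convenience, but state how the poller fills both when the API returns no expiry so that "never expires" is not mistaken for "expires at epoch zero".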
File: .script/tests/KqlvalidationsTests/CustomTables/Tailscale_Network_CL.json (32 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| { "Name": "Tailscale_Network_CL", | ||
| "Properties":[ | ||
| { "Name": "TenantId", "Type": "string" }, | ||
| { "Name": "SourceSystem", "Type": "string" }, | ||
| { "Name": "TimeGenerated", "Type": "datetime" }, | ||
| { "Name": "NodeId", "Type": "string" }, | ||
| { "Name": "FlowStart", "Type": "datetime" }, | ||
| { "Name": "FlowEnd", "Type": "datetime" }, | ||
| { "Name": "SrcNode", "Type": "dynamic" }, | ||
| { "Name": "SrcUser", "Type": "string" }, | ||
| { "Name": "SrcNodeName", "Type": "string" }, | ||
| { "Name": "SrcOs", "Type": "string" }, | ||
| { "Name": "SrcTags", "Type": "dynamic" }, | ||
| { "Name": "SrcAddresses", "Type": "dynamic" }, | ||
| { "Name": "DstNodes", "Type": "dynamic" }, | ||
| { "Name": "DstCount", "Type": "int" }, | ||
| { "Name": "DstNodeId", "Type": "string" }, | ||
| { "Name": "DstNodeName", "Type": "string" }, | ||
| { "Name": "DstUser", "Type": "string" }, | ||
| { "Name": "DstOs", "Type": "string" }, | ||
| { "Name": "DstTags", "Type": "dynamic" }, | ||
| { "Name": "DstAddresses", "Type": "dynamic" }, | ||
| { "Name": "VirtualTraffic", "Type": "dynamic" }, | ||
| { "Name": "SubnetTraffic", "Type": "dynamic" }, | ||
| { "Name": "ExitTraffic", "Type": "dynamic" }, | ||
| { "Name": "PhysicalTraffic", "Type": "dynamic" }, | ||
| { "Name": "HasVirtualTraffic", "Type": "bool" }, | ||
| { "Name": "HasSubnetTraffic", "Type": "bool" }, | ||
| { "Name": "HasExitTraffic", "Type": "bool" }, | ||
| { "Name": "HasPhysicalTraffic", "Type": "bool" }, | ||
| { "Name": "IsRelayed", "Type": "bool" } | ||
| ]} |
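
Review bot: the row grain of this table is ambiguous. DstNodes (dynamic) and DstCount (int) suggest one row per source node with a list of destinations, while DstNodeId, DstNodeName, DstUser, DstOs, DstTags and DstAddresses are scalars that can hold exactly one destination. If the poller explodes one row per destination, DstNodes and DstCount are redundant; if it does not, the scalar Dst* columns are undefined whenever DstCount > 1. State the grain in the README and make sure the vimNetworkSessionTailscale parser added in commit 0beedf0 matches it, since ASIM NetworkSession expects one row per flow. Minor: the four Has*Traffic booleans duplicate what isnotempty() on the matching *Traffic dynamic columns would return; keeping them for query performance is reasonable, but note that intent so nobody "cleans them up" later.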
File: .script/tests/KqlvalidationsTests/CustomTables/Tailscale_PostureIntegrations_CL.json (13 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| { "Name": "Tailscale_PostureIntegrations_CL", | ||
| "Properties":[ | ||
| { "Name": "TenantId", "Type": "string" }, | ||
| { "Name": "SourceSystem", "Type": "string" }, | ||
| { "Name": "TimeGenerated", "Type": "datetime" }, | ||
| { "Name": "IntegrationId", "Type": "string" }, | ||
| { "Name": "Provider", "Type": "string" }, | ||
| { "Name": "CloudId", "Type": "string" }, | ||
| { "Name": "ClientId", "Type": "string" }, | ||
| { "Name": "TenantId_Provider", "Type": "string" }, | ||
| { "Name": "ConfigOverwrites", "Type": "dynamic" }, | ||
| { "Name": "Status", "Type": "dynamic" } | ||
| ]} |
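
Review bot: TenantId_Provider is presumably the provider-side tenant identifier renamed to avoid colliding with the Log Analytics TenantId column present in every table; the suffix is a sensible workaround but no other table in this PR uses it, so document the convention. CloudId and ClientId are provider-side identifiers and fine to store, but ConfigOverwrites and Status are dynamic and will accept anything the API returns; confirm the poller does not pass through a client secret or token inside either object, and say in the README which fields of each are kept.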
File: .script/tests/KqlvalidationsTests/CustomTables/Tailscale_Settings_CL.json (14 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| { "Name": "Tailscale_Settings_CL", | ||
| "Properties":[ | ||
| { "Name": "TenantId", "Type": "string" }, | ||
| { "Name": "SourceSystem", "Type": "string" }, | ||
| { "Name": "TimeGenerated", "Type": "datetime" }, | ||
| { "Name": "DevicesApprovalOn", "Type": "bool" }, | ||
| { "Name": "DevicesAutoUpdatesOn", "Type": "bool" }, | ||
| { "Name": "DevicesKeyDurationDays", "Type": "int" }, | ||
| { "Name": "UsersApprovalOn", "Type": "bool" }, | ||
| { "Name": "UsersRoleAllowedToJoinExternalTailnets", "Type": "string" }, | ||
| { "Name": "NetworkFlowLoggingOn", "Type": "bool" }, | ||
| { "Name": "RegionalRoutingOn", "Type": "bool" }, | ||
| { "Name": "PostureIdentityCollectionOn", "Type": "bool" } | ||
| ]} |
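
Review bot: this table is a point-in-time snapshot of tailnet-wide settings but carries no column identifying the tailnet, so rows from two tailnets polled into one workspace would be indistinguishable; Tailscale_Users_CL in this PR has a TailnetId column, and the same column belongs here. For detection authors, the interesting events in this table are transitions rather than states (DevicesApprovalOn or UsersApprovalOn flipping to false, DevicesKeyDurationDays increasing, NetworkFlowLoggingOn turning off), which require comparing each snapshot against the previous one (for example with prev() after a sort by TimeGenerated) rather than filtering a single row; worth a sentence in the README so the Settings panel is not mistaken for an alerting source.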
File: .script/tests/KqlvalidationsTests/CustomTables/Tailscale_Users_CL.json (18 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| { "Name": "Tailscale_Users_CL", | ||
| "Properties":[ | ||
| { "Name": "TenantId", "Type": "string" }, | ||
| { "Name": "SourceSystem", "Type": "string" }, | ||
| { "Name": "TimeGenerated", "Type": "datetime" }, | ||
| { "Name": "UserId", "Type": "string" }, | ||
| { "Name": "DisplayName", "Type": "string" }, | ||
| { "Name": "LoginName", "Type": "string" }, | ||
| { "Name": "TailnetId", "Type": "string" }, | ||
| { "Name": "UserType", "Type": "string" }, | ||
| { "Name": "Role", "Type": "string" }, | ||
| { "Name": "Status", "Type": "string" }, | ||
| { "Name": "DeviceCount", "Type": "int" }, | ||
| { "Name": "Created", "Type": "datetime" }, | ||
| { "Name": "LastSeen", "Type": "datetime" }, | ||
| { "Name": "CurrentlyConnected", "Type": "bool" }, | ||
| { "Name": "ProfilePicUrl", "Type": "string" } | ||
| ]} |
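
Review bot: ProfilePicUrl adds no detection or hunting value beyond what the other columns already give and is personal data about every user in the tailnet; consider dropping it from the poller and from this schema rather than ingesting it into every customer workspace by default. The rest of the schema (Role, Status, UserType, DeviceCount, LastSeen, CurrentlyConnected) is what the user-centric hunts need, and LoginName is the natural join key to Actor.loginName in Tailscale_Audit_CL; document that join in the README.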
File: .script/tests/KqlvalidationsTests/CustomTables/Tailscale_Webhooks_CL.json (13 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| { "Name": "Tailscale_Webhooks_CL", | ||
| "Properties":[ | ||
| { "Name": "TenantId", "Type": "string" }, | ||
| { "Name": "SourceSystem", "Type": "string" }, | ||
| { "Name": "TimeGenerated", "Type": "datetime" }, | ||
| { "Name": "EndpointId", "Type": "string" }, | ||
| { "Name": "EndpointUrl", "Type": "string" }, | ||
| { "Name": "ProviderType", "Type": "string" }, | ||
| { "Name": "CreatorLoginName", "Type": "string" }, | ||
| { "Name": "Created", "Type": "datetime" }, | ||
| { "Name": "LastModified", "Type": "datetime" }, | ||
| { "Name": "Subscriptions", "Type": "dynamic" } | ||
| ]} |
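
Review bot: EndpointUrl is stored verbatim as a string; webhook receiver URLs commonly embed a bearer token or signing secret in the path or query string, so either strip the query component in the poller before it reaches the workspace or state clearly in the README that the URL is ingested as-is and the workspace must be treated accordingly. Separately, CreatorLoginName, Created, LastModified and Subscriptions make this table a natural source for a hunt on webhook endpoints added or modified outside expected change windows, or whose Subscriptions cover audit events; none of the commit messages mention one, so consider adding it to the hunting queries.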
File: Solutions/Tailscale (CCF)/Analytic Rules/TailscaleAuthkeycreated.yaml (42 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| id: 6b052c8d-5de8-eab0-1956-69a297765a32 | ||
| name: "Tailscale: Auth key created" | ||
| description: | | ||
| Identifies when a new Tailscale auth key is generated. Auth keys allow unattended device enrollment into the tailnet - confirm it was expected and revoke if not. | ||
| severity: Low | ||
| status: Available | ||
| requiredDataConnectors: | ||
| - connectorId: TailscaleCCF | ||
| dataTypes: | ||
| - Tailscale_Audit_CL | ||
| queryFrequency: 15m | ||
| queryPeriod: 15m | ||
| triggerOperator: gt | ||
| triggerThreshold: 0 | ||
| tactics: | ||
| - Persistence | ||
| relevantTechniques: | ||
| - T1098 | ||
| query: | | ||
| Tailscale_Audit_CL | ||
| | where Action == "CREATE" | ||
| | where tostring(Target.type) == "AUTH_KEY" | ||
| | extend ActorLogin = tostring(Actor.loginName) | ||
| | extend KeyDescription = tostring(New.description) | ||
| | extend Reusable = tostring(New.reusable) | ||
| | extend Ephemeral = tostring(New.ephemeral) | ||
| | project TimeGenerated, ActorLogin, KeyDescription, Reusable, Ephemeral, Origin, New | ||
| entityMappings: | ||
| - entityType: Account | ||
| fieldMappings: | ||
| - identifier: FullName | ||
| columnName: ActorLogin | ||
| incidentConfiguration: | ||
| createIncident: true | ||
| groupingConfiguration: | ||
| enabled: true | ||
| reopenClosedIncident: false | ||
| lookbackDuration: 5h | ||
| matchingMethod: AllEntities | ||
| groupByEntities: [] | ||
| kind: Scheduled | ||
| version: 1.0.0 |
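
Review bot: the rule fires at Low for every AUTH_KEY CREATE even though Reusable and Ephemeral are already extracted, and a reusable, non-ephemeral key is exactly the "unattended device enrollment" case the description warns about; either add a second rule at higher severity for that combination or at least name it in the description so triage knows which alerts matter. Two smaller points on the query: the project line drops EventGroupID and EventTime from Tailscale_Audit_CL, which are what an analyst needs to pull the other audit entries for the same operation, so keep them in the projection; and if New.reusable and New.ephemeral are booleans in the source object, tobool() rather than tostring() keeps them directly filterable downstream instead of requiring comparison against the string "true". The incident grouping (matchingMethod: AllEntities with an empty groupByEntities) is consistent, and the single Account entity mapping on ActorLogin is appropriate for this event.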