Tailscale Schema

    graph LR
    A(Tailnet) -- RESOURCE --> U(User)
    A -- RESOURCE --> D(Device)
    A -- RESOURCE --> PI(PostureIntegration)
    A -- RESOURCE --> DP(DevicePosture)
    A -- RESOURCE --> DPC(DevicePostureCondition)
    A -- RESOURCE --> G(Group)
    A -- RESOURCE --> T(Tag)
    U -- OWNS --> D
    U -- MEMBER_OF --> G
    G -- MEMBER_OF --> G
    U -- OWNS --> T
    G -- OWNS --> T
    D -- TAGGED --> T
    DP -- HAS_CONDITION --> DPC
    DPC -- REQUIRES --> PI
    D -- CONFORMS_TO --> DPC
    D -- CONFORMS_TO --> DP

TailscaleTailnet

Settings for a tailnet (also known as a tenant).

Ontology Mapping: This node has the extra label Tenant to enable cross-platform queries for organizational tenants across different systems (e.g., OktaOrganization, AWSAccount).

| Field | Description |
|-------|-------------|
| id | ID of the Tailnet (name of the organization) |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| devices_approval_on | Whether device approval is enabled for the tailnet. |
| devices_auto_updates_on | Whether auto updates are enabled for devices that belong to this tailnet. |
| devices_key_duration_days | The key expiry duration, in days, for devices on this tailnet. |
| users_approval_on | Whether user approval is enabled for this tailnet. |
| users_role_allowed_to_join_external_tailnets | Which user roles are allowed to join external tailnets. |
| network_flow_logging_on | Whether network flow logs are enabled for the tailnet. |
| regional_routing_on | Whether regional routing is enabled for the tailnet. |
| posture_identity_collection_on | Whether identity collection is enabled for device posture integrations for the tailnet. |

Relationships

  • User, Device, PostureIntegration, DevicePosture, DevicePostureCondition, Group and Tag nodes belong to a Tailnet.

    (:TailscaleTailnet)-[:RESOURCE]->(
        :TailscaleUser,
        :TailscaleDevice,
        :TailscalePostureIntegration,
        :TailscaleDevicePosture,
        :TailscaleDevicePostureCondition,
        :TailscaleGroup,
        :TailscaleTag
    )
    

TailscaleUser

Representation of a user within a tailnet.

Ontology Mapping: This node has the extra label UserAccount to enable cross-platform queries for user accounts across different systems (e.g., OktaUser, AWSSSOUser).

| Field | Description |
|-------|-------------|
| id | The unique identifier for the user. |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| display_name | The name of the user. |
| login_name | The email-like login name of the user. |
| email | The email of the user. |
| profile_pic_url | The profile picture URL for the user. |
| created | The time the user joined their tailnet. |
| type | The type of relation this user has to the tailnet associated with the request. |
| role | The role of the user (see Tailscale's documentation on user roles). |
| status | The status of the user. |
| device_count | Number of devices the user owns. |
| last_seen | The later of: the last time any of the user’s nodes were connected to the network, or the last time the user authenticated to any Tailscale service, including the admin panel. |
| currently_connected | ‘true’ when the user has a node currently connected to the control server. |

Relationships

  • User belongs to a Tailnet.

    (:TailscaleTailnet)-[:RESOURCE]->(:TailscaleUser)
    
  • Device is owned by a User.

    (:TailscaleUser)-[:OWNS]->(:TailscaleDevice)
    
  • Users are members of a Group.

    (:TailscaleUser)-[:MEMBER_OF]->(:TailscaleGroup)
    
  • Users own a Tag.

    (:TailscaleUser)-[:OWNS]->(:TailscaleTag)
    

TailscaleDevice

A Tailscale device (sometimes referred to as a node or machine) is any computer or mobile device that joins a tailnet.

Ontology Mapping: This node has the extra label Device to enable cross-platform queries for devices across different systems (e.g., BigfixComputer, CrowdstrikeHost, KandjiDevice).

| Field | Description |
|-------|-------------|
| id | The preferred identifier for a device |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| name | The MagicDNS name of the device. Learn more about MagicDNS at https://tailscale.com/kb/1081/. |
| hostname | The machine name in the admin console. Learn more about machine names at https://tailscale.com/kb/1098/. |
| client_version | The version of the Tailscale client software; this is empty for external devices. |
| update_available | ‘true’ if a Tailscale client version upgrade is available. This value is empty for external devices. |
| os | The operating system that the device is running. |
| created | The date on which the device was added to the tailnet; this is empty for external devices. |
| last_seen | When the device was last active on the tailnet. |
| key_expiry_disabled | ‘true’ if the keys for the device will not expire. Learn more at https://tailscale.com/kb/1028/. |
| expires | The expiration date of the device’s auth key. Learn more about key expiry at https://tailscale.com/kb/1028/. |
| authorized | ‘true’ if the device has been authorized to join the tailnet; otherwise, ‘false’. Learn more about device authorization at https://tailscale.com/kb/1099/. |
| is_external | If ‘true’, the device is not a member of the tailnet but is shared into it; if ‘false’, the device is a member of the tailnet. Learn more about node sharing at https://tailscale.com/kb/1084/. |
| node_key | Mostly for internal use; required for select operations, such as adding a node to a locked tailnet. Learn about tailnet lock at https://tailscale.com/kb/1226/. |
| blocks_incoming_connections | ‘true’ if the device is not allowed to accept any connections over Tailscale, including pings. Learn more in the “Allow incoming connections” section of https://tailscale.com/kb/1072/. |
| client_connectivity_endpoints | The client’s magicsock UDP IP:port endpoints (IPv4 or IPv6). |
| client_connectivity_mapping_varies_by_dest_ip | ‘true’ if the host’s NAT mappings vary based on the destination IP. |
| tailnet_lock_error | Indicates an issue with the tailnet lock node-key signature on this device. This field is only populated when tailnet lock is enabled. |
| tailnet_lock_key | The node’s tailnet lock key. Every node generates a tailnet lock key (so the value will be present) even if tailnet lock is not enabled. Learn more about tailnet lock at https://tailscale.com/kb/1226/. |
| serial_number | The first serial number from posture identity, if available |
| posture_identity_serial_numbers | The list of serial numbers collected through posture identity. |
| posture_identity_disabled | ‘true’ if posture identity collection is disabled for this device. |
| posture_node_os | Device posture value for node:os. |
| posture_node_os_version | Device posture value for node:osVersion. |
| posture_node_ts_auto_update | Device posture value for node:tsAutoUpdate. |
| posture_node_ts_release_track | Device posture value for node:tsReleaseTrack. |
| posture_node_ts_state_encrypted | Device posture value for node:tsStateEncrypted. |
| posture_node_ts_version | Device posture value for node:tsVersion. |
| posture_ip_country | Device posture value for ip:country. |
| posture_falcon_zta_score | Device posture value for falcon:ztaScore. |
| posture_sentinelone_operational_state | Device posture value for sentinelOne:operationalState. |
| posture_sentinelone_active_threats | Device posture value for sentinelOne:activeThreats. |
| posture_sentinelone_agent_version | Device posture value for sentinelOne:agentVersion. |
| posture_sentinelone_encrypted_applications | Device posture value for sentinelOne:encryptedApplications. |
| posture_sentinelone_firewall_enabled | Device posture value for sentinelOne:firewallEnabled. |
| posture_sentinelone_infected | Device posture value for sentinelOne:infected. |
| posture_kolide_auth_state | Device posture value for kolide:authState. |
| posture_fleet_present | Device posture value for fleet:present. |
| posture_fleet_policies | List of fleetPolicy:* posture keys present on the device. |
| posture_huntress_defender_status | Device posture value for huntress:defenderStatus. |
| posture_huntress_defender_policy_status | Device posture value for huntress:defenderPolicyStatus. |
| posture_huntress_firewall_status | Device posture value for huntress:firewallStatus. |
| posture_kandji_mdm_enabled | Device posture value for kandji:mdmEnabled. |
| posture_kandji_agent_installed | Device posture value for kandji:agentInstalled. |
| posture_jamfpro_remote_managed | Device posture value for jamfPro:remoteManaged. |
| posture_jamfpro_supervised | Device posture value for jamfPro:supervised. |
| posture_jamfpro_firewall_enabled | Device posture value for jamfPro:firewallEnabled. |
| posture_jamfpro_file_vault_status | Device posture value for jamfPro:fileVaultStatus. |
| posture_jamfpro_sip_enabled | Device posture value for jamfPro:SIPEnabled. |
| posture_intune_compliance_state | Device posture value for intune:complianceState. |
| posture_intune_azure_ad_registered | Device posture value for intune:azureADRegistered. |
| posture_intune_device_registration_state | Device posture value for intune:deviceRegistrationState. |
| posture_intune_is_supervised | Device posture value for intune:isSupervised. |
| posture_intune_is_encrypted | Device posture value for intune:isEncrypted. |
| posture_intune_managed_device_owner_type | Device posture value for intune:managedDeviceOwnerType. |

Relationships

  • Device belongs to a Tailnet.

    (:TailscaleTailnet)-[:RESOURCE]->(:TailscaleDevice)
    
  • Device is owned by a User.

    (:TailscaleUser)-[:OWNS]->(:TailscaleDevice)
    
  • Devices are tagged with a Tag.

    (:TailscaleDevice)-[:TAGGED]->(:TailscaleTag)
    
  • Devices can conform to posture conditions and full postures.

    (:TailscaleDevice)-[:CONFORMS_TO]->(:TailscaleDevicePostureCondition)
    (:TailscaleDevice)-[:CONFORMS_TO]->(:TailscaleDevicePosture)
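
An added example query, not part of the Cartography docs or code, that reads the device fields above together with the tailnet-level settings to surface devices whose state weakens the tailnet's controls. It assumes a Neo4j graph populated by Cartography's Tailscale module and that the boolean properties are stored as booleans rather than the string 'true'.

```cypher
// Added example (not Cartography's own code): devices whose key, approval, sharing or
// update state is worth a look, with the tailnet setting each finding relates to.
// Assumes booleans are stored as booleans, as Cartography loads them.
MATCH (tn:TailscaleTailnet)-[:RESOURCE]->(d:TailscaleDevice)
OPTIONAL MATCH (u:TailscaleUser)-[:OWNS]->(d)
OPTIONAL MATCH (d)-[:TAGGED]->(t:TailscaleTag)
WITH tn, d, u, collect(t.id) AS tags
// A CASE without ELSE yields null; the list comprehension drops those entries,
// so 'findings' contains only the checks that actually fired for this device.
WITH tn, d, u, tags,
     [f IN [
        CASE WHEN d.key_expiry_disabled = true
             THEN 'key expiry disabled (tailnet default: '
                  + coalesce(toString(tn.devices_key_duration_days), '?') + ' days)' END,
        CASE WHEN d.authorized = false AND tn.devices_approval_on = true
             THEN 'not yet approved to join the tailnet' END,
        CASE WHEN d.is_external = true
             THEN 'shared in from another tailnet' END,
        CASE WHEN d.update_available = true AND tn.devices_auto_updates_on = false
             THEN 'client update available and auto-updates are off' END,
        CASE WHEN d.tailnet_lock_error IS NOT NULL AND d.tailnet_lock_error <> ''
             THEN 'tailnet lock node-key signature error' END
     ] WHERE f IS NOT NULL] AS findings
WHERE size(findings) > 0
RETURN tn.id AS tailnet,
       d.name AS device,
       d.os AS os,
       d.client_version AS client_version,
       u.login_name AS owner,
       tags,
       findings,
       d.last_seen AS last_seen
ORDER BY size(findings) DESC, last_seen DESC
```

The tags column matters when reviewing a hit: a device that is both shared in from another tailnet and tagged inherits every ACL grant made to that tag.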
    

TailscaleDevicePosture

Logical posture policy blocks defined in the ACL.

| Field | Description |
|-------|-------------|
| id | Posture ID from the ACL, for example posture:healthySentinelOneMac. |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| name | Posture name without the posture: prefix. |
| description | Human-readable description generated from the ACL conditions. |

Relationships

  • DevicePosture belongs to a Tailnet.

    (:TailscaleTailnet)-[:RESOURCE]->(:TailscaleDevicePosture)
    
  • DevicePosture is composed of one or more DevicePostureCondition nodes.

    (:TailscaleDevicePosture)-[:HAS_CONDITION]->(:TailscaleDevicePostureCondition)
    
  • Devices can conform to the full posture.

    (:TailscaleDevice)-[:CONFORMS_TO]->(:TailscaleDevicePosture)
    

TailscaleDevicePostureCondition

Atomic posture assertions extracted from ACL posture definitions.

| Field | Description |
|-------|-------------|
| id | Stable condition identifier derived from the posture ID and condition index. |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| name | The posture attribute being evaluated, for example sentinelOne:infected or node:os. |
| provider | The provider/namespace inferred from the attribute, for example sentinelone or node. |
| operator | Comparison operator such as ==, IN, or IS SET. |
| value | Expected comparison value serialized as a string. |

Relationships

  • DevicePostureCondition belongs to a Tailnet.

    (:TailscaleTailnet)-[:RESOURCE]->(:TailscaleDevicePostureCondition)
    
  • DevicePostureCondition can require a configured posture integration.

    (:TailscaleDevicePostureCondition)-[:REQUIRES]->(:TailscalePostureIntegration)
    
  • Devices can conform to individual conditions, enabling partial compliance analysis.

    (:TailscaleDevice)-[:CONFORMS_TO]->(:TailscaleDevicePostureCondition)
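
The partial compliance analysis mentioned above, as an added example query that is not part of the Cartography docs or code: for each posture block it lists devices that satisfy some of the posture's conditions but not the whole posture, names the conditions they still fail, and flags whether any of those conditions depends on an integration whose last sync errored. It assumes a Neo4j graph populated by Cartography's Tailscale module.

```cypher
// Added example (not Cartography's own code): partially compliant devices per posture.
MATCH (p:TailscaleDevicePosture)-[:HAS_CONDITION]->(c:TailscaleDevicePostureCondition)
WITH p, collect(c) AS conditions
// Devices that meet at least one of this posture's conditions...
MATCH (d:TailscaleDevice)-[:CONFORMS_TO]->(c:TailscaleDevicePostureCondition)
WHERE c IN conditions
// ...but are not recorded as conforming to the posture as a whole
  AND NOT (d)-[:CONFORMS_TO]->(p)
WITH p, d, conditions, collect(DISTINCT c) AS met
WITH p, d, met, conditions,
     [c IN conditions WHERE NOT c IN met] AS missing
// A missing condition whose provider integration is failing to sync may be a stale
// or absent posture value rather than a genuinely non-compliant device.
OPTIONAL MATCH (m:TailscaleDevicePostureCondition)-[:REQUIRES]->(i:TailscalePostureIntegration)
WHERE m IN missing AND i.status_error IS NOT NULL AND i.status_error <> ''
RETURN p.name AS posture,
       d.name AS device,
       size(met) AS conditions_met,
       size(conditions) AS conditions_total,
       [c IN missing | c.name + ' ' + c.operator + ' ' + coalesce(c.value, '')] AS missing_conditions,
       collect(DISTINCT i.provider) AS providers_with_sync_errors
ORDER BY posture, conditions_met DESC, device
```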
    

TailscalePostureIntegration

A configured PostureIntegration.

| Field | Description |
|-------|-------------|
| id | A unique identifier for the integration (generated by the system). |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| provider | The device posture provider. Required on POST requests, ignored on PATCH requests. |
| cloud_id | Identifies which of the provider’s clouds to integrate with. For CrowdStrike Falcon, one of us-1, us-2, eu-1 or us-gov; for Microsoft Intune, one of global or us-gov; for Jamf Pro, Kandji and SentinelOne, the FQDN of your subdomain, for example mydomain.sentinelone.net; for Kolide, left blank. |
| client_id | Unique identifier for your client. For Microsoft Intune, your application’s UUID; for CrowdStrike Falcon and Jamf Pro, your client ID; for Kandji, Kolide and SentinelOne, left blank. |
| tenant_id | The Microsoft Intune directory (tenant) ID. For other providers, this is left blank. |
| config_updated | Timestamp of the last time this configuration was updated, in RFC 3339 format. |
| status_last_sync | Timestamp of the last synchronization with the device posture provider, in RFC 3339 format. |
| status_error | If the last synchronization failed, the error message associated with the failed synchronization. |
| status_provider_host_count | The number of devices known to the provider. |
| status_matched_count | The number of Tailscale nodes that were matched with the provider. |
| status_possible_matched_count | The number of Tailscale nodes that have identifiers available for matching. |

Relationships

  • PostureIntegration belongs to a Tailnet.

    (:TailscaleTailnet)-[:RESOURCE]->(:TailscalePostureIntegration)
    

TailscaleGroup

A group in Tailscale (either a group or an autogroup).

Ontology Mapping: This node has the extra label UserGroup to enable cross-platform queries for user groups across different systems (e.g., AWSGroup, EntraGroup, GoogleWorkspaceGroup).

| Field | Description |
|-------|-------------|
| id | Group ID (e.g. group:example or autogroup:admin) |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| name | The group name (e.g. example) |

Relationships

  • Group belongs to a Tailnet.

    (:TailscaleTailnet)-[:RESOURCE]->(:TailscaleGroup)
    
  • Users are members of a Group.

    (:TailscaleUser)-[:MEMBER_OF]->(:TailscaleGroup)
    
  • Groups are members of a Group (nested groups).

    (:TailscaleGroup)-[:MEMBER_OF]->(:TailscaleGroup)
    
  • Groups own a Tag.

    (:TailscaleGroup)-[:OWNS]->(:TailscaleTag)
    

TailscaleTag

A tag in Tailscale (defined and used in the ACL policy).

| Field | Description |
|-------|-------------|
| id | Tag ID (e.g. tag:example) |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| name | The tag name (e.g. example) |

Relationships

  • Tag belongs to a Tailnet.

    (:TailscaleTailnet)-[:RESOURCE]->(:TailscaleTag)
    
  • Users own a Tag.

    (:TailscaleUser)-[:OWNS]->(:TailscaleTag)
    
  • Groups own a Tag.

    (:TailscaleGroup)-[:OWNS]->(:TailscaleTag)
    
  • Devices are tagged with a Tag.

    (:TailscaleDevice)-[:TAGGED]->(:TailscaleTag)
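
Because tag ownership can be granted to a group, and groups can be members of other groups, the set of users who can effectively apply a tag is larger than the direct OWNS edges show. The following added example query, not part of the Cartography docs or code, resolves effective tag owners through nested membership and sizes each tag by the devices that carry it. It assumes a Neo4j graph populated by Cartography's Tailscale module; the *1..5 bound is an assumed cap on nesting depth.

```cypher
// Added example (not Cartography's own code): effective owners of each tag.
MATCH (t:TailscaleTag)<-[:OWNS]-(owner)
WHERE owner:TailscaleUser OR owner:TailscaleGroup
// For group owners, expand to every user reachable through nested MEMBER_OF edges.
// For user owners the label predicate fails and 'member' is null.
OPTIONAL MATCH (member:TailscaleUser)-[:MEMBER_OF*1..5]->(owner:TailscaleGroup)
WITH t, owner, CASE WHEN owner:TailscaleUser THEN owner ELSE member END AS user
WHERE user IS NOT NULL   // drops owning groups that resolve to no users
WITH t, user, collect(DISTINCT owner.id) AS granted_via
// Blast radius: how many devices currently carry the tag (and so its ACL grants)
OPTIONAL MATCH (d:TailscaleDevice)-[:TAGGED]->(t)
RETURN t.id AS tag,
       count(DISTINCT d) AS tagged_devices,
       user.login_name AS user,
       user.role AS role,
       granted_via
ORDER BY tagged_devices DESC, tag, user
```

A tag with many tagged devices but a long effective-owner list, especially one reached via autogroup entries, is the first candidate for tightening tag ownership in the ACL.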