Tailscale HTTPS Disabled

Panther Rules

Summary
This detection rule identifies instances where a user has disabled HTTPS settings on a Tailscale-managed tenant. Disabling HTTPS can expose the organization's data and communications to potential threats. The rule looks for the action of disabling HTTPS settings in the administrative console, as recorded in Tailscale's audit logs. The actor's details, including name and login, are recorded along with the date and time of the event. The rule works by checking for designated log entries that indicate either the disabling action or any other significant events performed by the same user. Because HTTPS is critical for secure communications, the rule is classified as high severity. The corresponding runbook advises assessing whether the user's action was valid and re-enabling the HTTPS settings promptly if they were disabled without a sound business justification.
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Cloud Service
  • Application Log
  • Network Traffic
Created: 2023-07-19