Getting to Know AROs

Introduction 

This article introduces the concept of AROs, the different types of ARO and provides examples of each type.


By the end of this article, you’ll be able to:

  • Understand what an ARO is
  • Recognize the different ARO types
  • Prioritize AROs based on severity
  • Know how to respond when an ARO is generated


This article covers the following topics: 


To learn more about viewing and working with AROs, visit our knowledge base chapter on AROs.


Video Overview


What is an ARO?

An ARO (Action, Recommendation, or Observation) is a structured alert that highlights relevant security activity in your environment to help you understand what’s happening, and what to do next.


AROs are designed to:

  • Reduce noise from low-value alerts
  • Highlight meaningful issues
  • Provide clear, actionable guidance


Why AROs Matter 

Traditional security tools often generate large volumes of alerts without context, making it difficult to identify what matters.


AROs address this by:

  • Grouping related data into meaningful insights
  • Providing context about the issue
  • Helping you prioritize and respond effectively


ARO Types: Action, Recommendation, and Observation

AROs fall into three categories, each indicating a different level of urgency.

  • Action: Indicates an active or imminent threat that requires immediate attention.
    • Examples:
      • Account Risk – Potential Credential Compromise
      • Endpoint Risk – Malware Detected
      • Endpoint Risk – Exposed RDP Port Detected
  • Recommendation: Highlights risks that could become serious if not addressed.
    • Examples:
      • Endpoint Risk – End-of-Life Operating Systems
      • Account Risk – Weak User Credentials
      • Unencrypted Credentials Detected
  • Observation: Flags early indicators or noteworthy activity for awareness.
    • Examples:
      • Account Risk – New Inbox Rule Detected
      • Account Risk – VPN Authentication Detected
      • Remote Administration Tools Detected


ARO Severity

AROs are hierarchical by nature, but they are also assigned a severity level:

  • Critical
  • High
  • Medium
  • Low
  • Informational


Severity helps you prioritize your response within each ARO type.


Example: If you receive two Action AROs (one Critical and one High), you should address the Critical ARO first.
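The two-level ordering described above (ARO type first, then severity within each type) can be written down as a small triage routine. The following is an added example, not code from the original article or from the product it describes; the `Aro` class, the rank tables and the sample alerts are assumptions constructed for illustration, using the example ARO titles listed earlier on this page.

```python
from dataclasses import dataclass

# Constructed rank tables: lower number = handle sooner.
# Type ordering follows the article: Action is most urgent, Observation least.
TYPE_RANK = {"Action": 0, "Recommendation": 1, "Observation": 2}
# Severity ordering follows the article's list, Critical down to Informational.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}


@dataclass(frozen=True)
class Aro:
    """A minimal, hypothetical representation of one ARO."""
    aro_type: str   # "Action", "Recommendation" or "Observation"
    severity: str   # "Critical", "High", "Medium", "Low" or "Informational"
    title: str


def triage_key(aro: Aro) -> tuple:
    """Sort key: type rank first, severity rank second (severity only
    reorders AROs within the same type). Unknown values are rejected so a
    malformed alert cannot silently sink to the bottom of the queue."""
    if aro.aro_type not in TYPE_RANK:
        raise ValueError(f"unknown ARO type: {aro.aro_type!r}")
    if aro.severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity: {aro.severity!r}")
    return (TYPE_RANK[aro.aro_type], SEVERITY_RANK[aro.severity])


def prioritize(aros: list) -> list:
    """Return the AROs in the order they should be worked."""
    return sorted(aros, key=triage_key)


def top_priority(aros: list) -> Aro:
    """The single ARO to address first."""
    return prioritize(aros)[0]


# Constructed sample queue (titles are the examples given in the article;
# severities are assumed for illustration).
SAMPLE_AROS = [
    Aro("Observation", "Informational", "Account Risk – VPN Authentication Detected"),
    Aro("Action", "High", "Endpoint Risk – Exposed RDP Port Detected"),
    Aro("Recommendation", "Critical", "Endpoint Risk – End-of-Life Operating Systems"),
    Aro("Action", "Critical", "Account Risk – Potential Credential Compromise"),
    Aro("Recommendation", "Medium", "Account Risk – Weak User Credentials"),
    Aro("Observation", "Low", "Account Risk – New Inbox Rule Detected"),
]


if __name__ == "__main__":
    for position, aro in enumerate(prioritize(SAMPLE_AROS), start=1):
        print(f"{position}. [{aro.aro_type}/{aro.severity}] {aro.title}")
```

Note that a Critical Recommendation still sorts below a High Action: the article treats type as the first cut and severity as the tie-breaker within a type, so the key is a tuple rather than a single severity number.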


Next Steps

To learn how to view and manage AROs, see our Help Center Chapter.
