Introduction
This article introduces the concept of AROs, the different types of ARO, and provides examples of each type.
To learn more about viewing and working with AROs, visit our knowledge base chapter on AROs.
Table of contents
- Video - Getting to know AROs
- What is an ARO?
- ARO Types: Action, Recommendation, and Observation
- ARO Severities
Video - Getting to know AROs
What is an ARO?
Cyber security solutions are well known for generating an overwhelming number of alerts, and an overload of information doesn’t necessarily help. Complex security logs lacking context can make issues hard to identify, let alone resolve. When critical security alerts get lost in the noise, it can make matters worse.
To circumvent the issues of traditional solutions, and to provide insights that bring value regardless of technical expertise, Field Effect aggregates and classifies the information it gathers into customized reporting units called AROs (Actions, Recommendations, and Observations).
AROs alert you to the different issues and events taking place across your environment. An individual ARO is either an Action, a Recommendation, or an Observation. AROs have several elements (see The Anatomy of an ARO) that contextualize the issue, help you understand what is happening and why it matters, and provide a clear and actionable path to resolving the issue the ARO is reporting on.
This 3-category method (Action, Recommendation, or Observation) is designed to limit the number of alerts your organization receives and to help you triage issues. AROs replace high volumes of low-value, potentially false-positive alerts with alerts that are relevant, actionable, and lay out a clear path to resolution.
Using our data analytics expertise, we keep AROs and potentially false-positive alerts to an absolute minimum. After the initial setup and security improvement phase, where we analyze and address initial vulnerabilities, most Field Effect users receive only a few alerts per month.
ARO Types: Action, Recommendation, and Observation
As outlined above, the AROs Field Effect MDR generates can be one of three types. The following sections explain each ARO type and provide examples.
Action
Action AROs represent an active or imminent threat to your organization's cybersecurity posture. These AROs should be dealt with immediately as they alert on high-risk issues/vulnerabilities.
Examples of Action AROs include:
- Account Risk - Potential Credential Compromise
- Endpoint Risk - Malware Detected
- Endpoint Risk - Exposed Remote Desktop Protocol (RDP) Port Detected
Recommendation
Recommendation AROs proactively report on risks detected within your organization. The risks associated with a Recommendation ARO have the potential to evolve into bigger issues if left unattended.
Examples of Recommendation AROs include:
- Endpoint Risk - End-of-life Operating Systems
- Account Risk - Weak User Credentials
- Destination File Server Supports a Secure Alternative to FTP - Unencrypted Credentials Detected
Observation
Observation AROs are generated to flag early threat indicators. Examples of Observation AROs include:
- Account Risk - New Inbox Rule Detected
- Account Risk - VPN Authentication Detected
- Tools for Remote Administration Detected
ARO Severities
To provide an extra level of granularity, and to help with triaging, AROs are assigned one of several severity levels: Critical, High, Medium, Low, or Informational. These severity levels are meant to complement the ARO’s type by providing another level of fidelity to help you prioritize several Action, Recommendation, or Observation AROs.
Action AROs tend to have Critical or High severities, Recommendations usually have High, Medium, or Low severities, and Observations tend to have Medium, Low, or Informational severities.
If, for example, you received two Action AROs, one being critical and the other being high severity, you know to focus your efforts on the Action ARO with a critical severity.
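As an added illustration of the triage ordering described above (example code, not Field Effect's own), the following sorts a constructed batch of AROs by type and then by severity, and separately flags any ARO whose severity falls outside the range the article says is usual for its type:

```python
"""Triage a batch of AROs by type, then severity (added example, not Field Effect code)."""
from dataclasses import dataclass

# Rank order taken from the article: Action > Recommendation > Observation,
# Critical > High > Medium > Low > Informational (lower rank = handle first).
TYPE_RANK = {"Action": 0, "Recommendation": 1, "Observation": 2}
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}

# Severities the article says each type "tends to" carry; a combination outside
# this set is not invalid, but it is unusual enough to deserve a second look.
TYPICAL_SEVERITIES = {
    "Action": {"Critical", "High"},
    "Recommendation": {"High", "Medium", "Low"},
    "Observation": {"Medium", "Low", "Informational"},
}

@dataclass(frozen=True)
class ARO:
    title: str
    aro_type: str
    severity: str

def triage_key(aro: ARO) -> tuple[int, int]:
    """Sort key: type first, severity second, so a Critical Action outranks a High Action."""
    return (TYPE_RANK[aro.aro_type], SEVERITY_RANK[aro.severity])

def prioritize(aros: list[ARO]) -> list[ARO]:
    """Return the work queue in the order the article's guidance implies."""
    for aro in aros:
        if aro.aro_type not in TYPE_RANK or aro.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown type or severity on {aro.title!r}")
    return sorted(aros, key=triage_key)

def atypical(aros: list[ARO]) -> list[ARO]:
    """AROs whose severity falls outside the usual range for their type."""
    return [a for a in aros if a.severity not in TYPICAL_SEVERITIES[a.aro_type]]

# Constructed sample batch; the titles are ARO names quoted in the article,
# the type/severity pairings are made up for the demonstration.
SAMPLE = [
    ARO("Account Risk - New Inbox Rule Detected", "Observation", "Low"),
    ARO("Endpoint Risk - Malware Detected", "Action", "High"),
    ARO("Account Risk - Weak User Credentials", "Recommendation", "Medium"),
    ARO("Account Risk - Potential Credential Compromise", "Action", "Critical"),
    ARO("Tools for Remote Administration Detected", "Observation", "Critical"),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE):
        print(f"{a.aro_type:<14} {a.severity:<13} {a.title}")
    print("Unusual pairings:", [a.title for a in atypical(SAMPLE)])
```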