Working with AROs

Introduction

AROs are Field Effect MDR's core reporting mechanism: we use them to inform you that an issue has been detected that relates to your organization's cyber security posture. They are presented in the Portal like emails; the MDR Portal's AROs page lists all of your AROs, and each one has an in-depth description and mitigation steps to help you resolve the issue. To learn more about the concept of AROs, visit Getting to Know AROs and our knowledge base chapter on AROs.


Keeping with the email analogy: much like you would delete or archive an email once it has been addressed, an ARO should be closed, by resolving or dismissing it, once you have addressed the root issue.


This article describes the statuses an ARO can have, and how to close, resolve, or dismiss an ARO as you address it.



The ARO Workflow

The following sections of this article walk through the workflow of an ARO, from receiving the ARO to all of the ways it can be addressed: Request Help and Close (Dismiss or Resolve).


Receiving an ARO

Whenever Field Effect MDR generates an ARO, it is sent to the MDR Portal in the Open status. The issues causing AROs vary greatly, so the time it takes to address an ARO will also vary, but every ARO should eventually be closed by setting its status to Resolved or Dismissed.


The status of an ARO is shown in the Title area (See The Anatomy of an ARO for more on the sections of an ARO).



There are 4 different statuses an ARO can be set to:

  • Open: the initial status of an ARO when it is sent (shown above).
  • Request Help: if you need help with the ARO, click Request Help to get in touch with our analysts. All comments and replies are tracked per ARO (see ARO Comments and the Activity Feed).
  • Close: when closing an ARO, it can either be resolved or dismissed. This is permanent, and a closed ARO can't be reopened. See the impacts of resolving versus dismissing AROs below:
    • Resolved: if you have addressed the root issue causing the ARO but want to receive this type of ARO again if the issue is redetected, set the ARO to Resolved.
    • Dismissed: if you are aware of the issue but it is not concerning, important, or relevant to your organization, dismiss the ARO.
      • Depending on the ARO type, you may be presented with several dismissal options when closing the ARO. See the example in Closing an ARO below for more dismissal examples.


Requesting Help

If you don’t understand the ARO, or need more information, click Request Help in the ARO’s Title section to get in touch with our analysts. The Request Help modal window will appear on your screen. Add your questions, concerns, or comments in the How can we help? field. Once complete, click Submit. 



When you request help, users watching the ARO will receive a notification, depending on their profile settings. If the message includes sensitive information, select the sensitive information checkbox: the contents of the message will then not be included in any notification, and the only way to view them is to navigate to the ARO's Activity feed.


After requesting help, all replies and other correspondence for the ARO are tracked in the Activity feed. You can also create internal ARO notes, which are only visible to members of your organization. See ARO Comments and the Activity Feed for more.



Closing an ARO

After you've addressed the issue that caused the ARO, with or without requesting help, you can close the ARO by either resolving or dismissing it. To close an ARO, click the Close ARO button in the Title area.



Example: Closing ARO-13

To best understand the nuances between dismissing and resolving an ARO, let's look at ARO-13 (Account Risk - VPN Authentication Detected) as an example.


This ARO alerts on VPN usage that Field Effect MDR detected, and contains the following description:


On 06 September 2024 18:55:21 Field Effect MDR observed account Eleonore.Ruecker@balticuto.com authenticate to Microsoft 365 over a Virtual Private Network (VPN). If this activity is unexpected for Eleonore.Ruecker@balticuto.com, the account credentials may be compromised, and the account credentials should be reset.


When closing the ARO, you are presented with a Close ARO window that offers one resolve option and several dismiss options. Select a closure choice (resolve or dismiss) and, optionally, provide any extra information. When ready, click Close ARO to confirm your choice; this can't be undone.



The following table outlines how each choice above would impact ARO-13: 


| Option | Closure type | Impact |
| --- | --- | --- |
| Continue to generate AROs for this activity | Resolve | If your organization wants to receive an ARO the next time Field Effect detects this behavior (VPN usage), select this option. If selected, Field Effect MDR will generate an ARO the next time Eleonore Ruecker is detected using IPVanish. |
| Suppress this ARO for Eleonore.Ruecker@balticuto.com authenticating with IPVanish | Dismiss | If selected, AROs will no longer be generated when Field Effect MDR detects Eleonore Ruecker using IPVanish. |
| Suppress this ARO for IPVanish | Dismiss | If selected, AROs will no longer be generated when Field Effect MDR detects any use of IPVanish. If a different VPN tool is detected (NordVPN, Surfshark, etc.), Field Effect will generate an ARO. |
| Suppress this ARO for Eleonore.Ruecker@balticuto.com | Dismiss | If selected, no AROs for Eleonore.Ruecker@balticuto.com authenticating to any VPN tool will be generated. |
| Suppress all VPN Authentication Detected AROs | Dismiss | If selected, no AROs will be generated for any VPN usage that Field Effect detects. |


It's important to note that dismissal options will vary for every ARO you receive. Since you can dismiss AROs based on specific criteria, some AROs may have only one dismissal choice, while others, like ARO-13, will have several.
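As an added illustration (this is not Field Effect MDR's own code, and the wildcard matching rule is an assumption drawn from the table above), here is a small Python model of the five Close ARO choices for ARO-13 and which future VPN detections each one would still raise an ARO for:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample values taken from the ARO-13 walkthrough above.
ACCOUNT = "Eleonore.Ruecker@balticuto.com"
TOOL = "IPVanish"


@dataclass(frozen=True)
class Detection:
    """One VPN authentication observation (account, VPN tool)."""
    account: str
    vpn_tool: str


@dataclass(frozen=True)
class Suppression:
    """A dismissal scope; a None field means 'any value' (wildcard)."""
    account: Optional[str] = None
    vpn_tool: Optional[str] = None

    def matches(self, d: Detection) -> bool:
        # Assumption: account and tool names compare case-insensitively.
        return ((self.account is None or self.account.lower() == d.account.lower())
                and (self.vpn_tool is None or self.vpn_tool.lower() == d.vpn_tool.lower()))


# The Close ARO choices from the table, modelled as suppression lists.
# "Resolve" adds no suppression, so the next detection raises an ARO again.
CLOSE_CHOICES = {
    "resolve": [],
    "dismiss_account_and_tool": [Suppression(account=ACCOUNT, vpn_tool=TOOL)],
    "dismiss_tool": [Suppression(vpn_tool=TOOL)],
    "dismiss_account": [Suppression(account=ACCOUNT)],
    "dismiss_all": [Suppression()],
}


def generates_aro(choice: str, d: Detection) -> bool:
    """True if a future detection d would still produce an ARO after `choice`."""
    return not any(s.matches(d) for s in CLOSE_CHOICES[choice])


if __name__ == "__main__":
    future = [
        Detection(ACCOUNT, "IPVanish"),                      # same account, same tool
        Detection(ACCOUNT, "NordVPN"),                       # same account, different tool
        Detection("other.user@balticuto.com", "IPVanish"),   # other account, same tool
    ]
    for choice in CLOSE_CHOICES:
        print(choice, [generates_aro(choice, d) for d in future])
```

Running it shows that only "dismiss_all" silences every row, while "dismiss_tool" still lets a NordVPN login through, matching the table's caveat.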


Finding Closed AROs

If you want to refer back to an ARO that has been closed, you can use the status filter to find it.


