Introduction
AROs are Field Effect MDR's core reporting mechanism: we use them to inform you that an issue has been detected that relates to your organization's cyber security posture. They are presented in the Portal like emails; the MDR Portal's AROs page lists all of your AROs, and each one has an in-depth description and mitigation steps to help you resolve the issue. To learn more about the concept of AROs, visit Getting to Know AROs and our knowledge base chapter on AROs.
Keeping with the email analogy, much like you would delete or archive an email when it's been addressed, AROs should be either closed, resolved, or dismissed once you address the root issue.
The following sections of this article walk through the workflow of an ARO, from receiving the ARO to all of the potential ways it can be addressed: Request Help, Close (Dismiss/Resolve).
Receiving an ARO
Whenever Field Effect MDR generates an ARO, it will be sent to the MDR portal in an Open status. The issues causing an ARO can vary greatly, so the time it takes to address an ARO will also vary, but every ARO should eventually be "closed" by setting the status to Resolved or Dismissed.
The status of an ARO is shown in the Title area (See the Anatomy of an ARO for more on the sections of an ARO).

There are 4 different statuses an ARO can be set to:
| Status | Status Subtype | Description |
|---|---|---|
| Open | | The initial status of an ARO when it's sent (shown above). |
| Help Requested | | If you need help with the ARO, click Request Help to get in touch with our analysts. All comments and replies are tracked per ARO (See ARO comments and Activity Feed). |
| Close | Resolve | If you have addressed the root issue causing the ARO but want to receive this type of ARO again if this issue is redetected, set the ARO to resolved. |
| Close | Dismiss | If you are aware of the issue, but it is not concerning, important, or relevant to your organization, you can dismiss that ARO. Depending on the ARO type, you may be presented with several dismissal options when closing the ARO. See the example below in Closing an ARO for more dismissal examples. |
Requesting Help
If you don’t understand the ARO, or need more information, click Request Help in the ARO’s Title section to get in touch with our analysts. The Request Help modal window will appear on your screen. Add your questions, concerns, or comments in the How can we help? field. Once complete, click Submit.

When requesting help, users watching the ARO will receive a notification, depending on their profile settings. If the message includes sensitive information, select the sensitive information checkbox. If selected, the contents of the message will not be included in any notification and the only way to view the message contents is to navigate to the ARO’s Activity feed.
After requesting help, all replies and other correspondence for the ARO are tracked in the activity feed. You can also create internal ARO notes, which are only visible to members of your organization. See ARO Comments and the Activity Feed for more.

Closing an ARO
After you've addressed the issue that caused the ARO, with or without requesting help, you can now close the ARO by either resolving the ARO or dismissing it. To close an ARO, click the Close ARO button in the Title area.

Example: Closing ARO-19
To best understand the nuances between dismissing and resolving an ARO, let's look at ARO-19 (Account Risk - MFA Disabled) as an example.
This ARO alerts that user01@clientdomain.com has disabled MFA for their Microsoft 365 account. It contains the following description:
On 13 June 2025 at 16:05:47 UTC account user01@clientdomain.com was observed having its Multi-Factor Authentication (MFA) disabled by user01@clientdomain.com on Microsoft 365 (with Azure AD).
When closing this ARO, there is one resolve option, and several dismiss options.

The following table outlines how each choice above would impact ARO-13:
| Option | Closure Type | Impact |
|---|---|---|
| Continue to generate AROs for this activity | Resolve | If your organization wants to receive an ARO the next time Field Effect detects this behavior (Disabled MFA), select this option. If selected, Field Effect MDR will generate an ARO the next time Eleonore Ruecker is detected using IPVanish. |
| Suppress this ARO when the user is user01@clientdomain.com and MFA has been disabled by user01@clientdomain.com | Dismiss | If selected, AROs will no longer be generated when Field Effect detects that MFA has been disabled for this user. |
| Suppress this ARO for IPVanish | Dismiss | If selected, AROs will no longer be generated when Field Effect MDR detects any use of IPVanish. AROs will no longer be generated when user01 disables their MFA. If another user disables MFA for this user, an ARO will be generated. |
| Suppress all "MFA Disabled" AROs | Dismiss | If selected, no AROs will be generated for any users disabling MFA. |
It's important to note that dismissal options will vary for every ARO you receive. Since you can dismiss AROs based on specific criteria, some AROs may have only one dismissal choice, while others, like ARO-13, will have several choices.
Finding Closed AROs
If you want to refer back to an ARO that has been closed, you can use the status filter to find it.
