ARO: VPN Authentication Detected

Because VPN detections have a high false positive rate (many users use commodity VPNs on a regular basis), this ARO is released as an 'Observation', and you are asked to confirm whether the identified user is expected to be using this service.


If the user does use a commodity VPN, and that use is accepted as policy within your organization, you should 'dismiss' these AROs, and Field Effect will suppress future reporting of this activity for this user.


If the behavior is unexpected, you should 'resolve' the ARO after applying the mitigation measures highlighted in the ARO. Field Effect will then only issue future AROs if the same activity is detected again.


VPN use on its own is not necessarily an indication of a compromise, which is why the ARO was issued with a lower severity. However, when paired with other indicators of suspicious activity, the likelihood of a compromise increases, resulting in a higher priority 'Action' ARO being issued.


Lastly, Field Effect can isolate hosts and lock out cloud accounts in the event of a breach; however, if this setting is disabled, Field Effect will not take action.


If you'd like to learn more about, you can read more in our guides: 

