third_party_vpn_usage

Explanation

This NDM detects the usage of third-party (free or paid) VPNs.

What to Look For

To examine the results of this event, network administrators should monitor their network traffic for any connections or activities related to third-party VPN services. They should also check their endpoint devices for the presence of any VPN applications not managed by the organization.

This event is important because it can indicate attempts by users to circumvent network security policies, access restricted content, or hide their online activities. Remediation actions may include blocking access to known VPN service providers, educating users on the consequences of using unapproved VPNs, or implementing stricter access controls to prevent unauthorized VPN usage.
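The network-side check described above, as an added example (not part of this detection's own logic): it scans flow records for default VPN protocol ports and reports destinations that are not organization-managed gateways. The flow record format, the approved gateway range, and all sample addresses are assumptions constructed for illustration; VPN services that run on non-default ports such as TCP 443 are not caught by a port-based filter.

```python
import ipaddress

# Default ports of common VPN protocols (first-pass filter, not exhaustive).
VPN_PORTS = {
    ("udp", 500): "IKE/IPsec",
    ("udp", 4500): "IPsec NAT-T",
    ("udp", 1194): "OpenVPN",
    ("tcp", 1194): "OpenVPN",
    ("udp", 51820): "WireGuard",
    ("tcp", 1723): "PPTP",
    ("udp", 1701): "L2TP",
}

# Hypothetical organization-managed VPN gateways (documentation range).
APPROVED_GATEWAYS = [ipaddress.ip_network("203.0.113.0/28")]

# Constructed flow records: "src_ip dst_ip proto dst_port bytes"
SAMPLE_FLOWS = """\
10.1.4.22 203.0.113.5 udp 4500 88213
10.1.4.37 198.51.100.77 udp 51820 5120934
10.1.4.37 198.51.100.77 udp 51820 220011
10.1.9.8 192.0.2.10 tcp 443 10442
10.1.9.8 198.51.100.12 udp 1194 734002
malformed line
"""

def find_unapproved_vpn(flow_text):
    """Return {(src, dst, vpn_protocol): total_bytes} for unapproved VPN flows."""
    hits = {}
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        src, dst, proto, port, nbytes = parts
        try:
            dst_ip = ipaddress.ip_address(dst)
            key = (proto.lower(), int(port))
            nbytes = int(nbytes)
        except ValueError:
            continue  # skip records with unparsable fields
        name = VPN_PORTS.get(key)
        if name is None or any(dst_ip in net for net in APPROVED_GATEWAYS):
            continue  # not a VPN port, or an organization-managed gateway
        k = (src, dst, name)
        hits[k] = hits.get(k, 0) + nbytes
    return hits

for flow, total in sorted(find_unapproved_vpn(SAMPLE_FLOWS).items()):
    print(*flow, f"bytes={total}")
```

Hits from this filter are candidates to correlate with the endpoint check for VPN applications not managed by the organization.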

Related MITRE ATT&CK Categories

Command and Control: Protocol Tunneling, Technique T1572 - Enterprise