# third\_party\_vpn\_usage

**Explanation**

This NDM detects the usage of third-party (free or paid) VPNs.

**What to Look For**

To examine the results of this event, network administrators should monitor their network traffic for any connections or activities related to third-party VPN services. They should also check their endpoint devices for the presence of any VPN applications not managed by the organization.

This event is important because it can indicate attempts by users to circumvent network security policies, access restricted content, or hide their online activities. Remediation actions may include blocking access to known VPN service providers, educating users on the consequences of using unapproved VPNs, or implementing stricter access controls to prevent unauthorized VPN usage.
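One way to do the traffic review described above, as an added example that is not part of the original page and not the detection model's own logic: it flags flows to default VPN-protocol ports whose destination is outside an assumed list of organization-managed gateways. The flow records, field names, the `SANCTIONED_GATEWAYS` range and the `min_bytes` threshold are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Default ports of common VPN protocols (well-known defaults; services may use others).
VPN_PORTS = {
    ("udp", 500): "IKE/IPsec",
    ("udp", 4500): "IPsec NAT-T",
    ("udp", 1194): "OpenVPN",
    ("tcp", 1194): "OpenVPN",
    ("udp", 51820): "WireGuard",
    ("tcp", 1723): "PPTP",
}

# Assumption: the organization's own VPN concentrators (documentation address range).
SANCTIONED_GATEWAYS = [ipaddress.ip_network("203.0.113.0/28")]

# Constructed sample flow records, not real traffic.
SAMPLE_FLOWS = [
    {"src": "10.0.4.17", "dst": "203.0.113.5", "proto": "udp", "dport": 4500, "bytes": 48_000_000},
    {"src": "10.0.4.23", "dst": "198.51.100.77", "proto": "udp", "dport": 51820, "bytes": 912_000_000},
    {"src": "10.0.4.23", "dst": "198.51.100.77", "proto": "udp", "dport": 51820, "bytes": 120_000_000},
    {"src": "10.0.7.9", "dst": "192.0.2.44", "proto": "tcp", "dport": 1194, "bytes": 3_500_000},
    {"src": "10.0.7.9", "dst": "192.0.2.80", "proto": "tcp", "dport": 443, "bytes": 9_000_000},
    {"src": "10.0.9.2", "dst": "192.0.2.10", "proto": "udp", "dport": 500, "bytes": 400},
]


def is_sanctioned(dst):
    """True when the destination is one of the organization-managed gateways."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in SANCTIONED_GATEWAYS)


def find_unsanctioned_vpn(flows, min_bytes=1_000_000):
    """Sum VPN-protocol traffic to non-corporate endpoints per (src, dst, protocol)."""
    totals = defaultdict(int)
    for f in flows:
        label = VPN_PORTS.get((f["proto"].lower(), f["dport"]))
        if label is None or is_sanctioned(f["dst"]):
            continue
        totals[(f["src"], f["dst"], label)] += f["bytes"]
    # Drop tiny exchanges (e.g. a lone IKE packet) to reduce noise; sort by volume.
    hits = [(s, d, lbl, b) for (s, d, lbl), b in totals.items() if b >= min_bytes]
    return sorted(hits, key=lambda h: h[3], reverse=True)


if __name__ == "__main__":
    for src, dst, label, total in find_unsanctioned_vpn(SAMPLE_FLOWS):
        print(f"{src} -> {dst} {label} {total} bytes")
```

Matching on default ports covers only part of the picture, so it complements the endpoint check for unmanaged VPN applications rather than replacing it.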

**Related MITRE ATT\&CK Categories**

[Command and Control: Protocol Tunneling, Technique T1572 - Enterprise](https://attack.mitre.org/techniques/T1572)


