Update timeline
- resolved Apr 22, 2026, 03:34 PM UTC
Summary
A Red Canary alert ([THREAT-164]) flagged anomalous identity behavior for [email protected]: a successful Entra authentication from suspicious VPN infrastructure on 2026-04-21 at 22:59 UTC.

What We Found
The authentication was legitimate. Lisa confirmed she is based in Mexico City and that her husband recently enabled a VPN on their home network for his own personal reasons. All devices on the network, including her TRM machine, are routing through the VPN, causing her Entra sign-ins to appear to originate from CA/NV (USA) instead of Mexico City, where they are currently located.
- VPN provider: Private Internet Access (PIA)
- Router: GL.iNet (VPN configured at the router level)
GCP audit logs showed no suspicious production activity from this user during the 72-hour lookback window.

AUP Concern
TRM's AUP prohibits VPNs on TRM-managed machines without an approved exception. The current configuration likely constitutes a violation, and all home network traffic may be passing through a third-party VPN, which raises data exposure concerns.

Next Steps
- Lisa created a separate SSID (or equivalent network segmentation) to exclude TRM devices from VPN routing; this is still being confirmed.

Status: Closed. This AUP violation shouldn't constitute an incident and is being addressed with Lisa so her TRM traffic won't go through the third-party VPN going forward (although it's still tunneled by Zscaler).
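The triage described above (flag a successful Entra sign-in from VPN egress that disagrees with the user's usual country, then check cloud audit logs for that identity over a 72-hour lookback) can be scripted. The following is an added example written for this page; it is not Red Canary's detection logic or TRM's tooling. Every IP range, user, timestamp and log field name is a constructed assumption (RFC 5737 documentation addresses stand in for real provider space, and the VPN label is only a tag, not PIA's actual address allocation).

```python
"""Added example: VPN-egress sign-in flagging plus audit-log lookback.
All ranges, users and records below are constructed sample data."""
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed: CIDR blocks an analyst maintains for commercial VPN egress.
# RFC 5737 documentation ranges stand in for real provider address space.
VPN_EGRESS = {
    "Private Internet Access (assumed label)": ipaddress.ip_network("203.0.113.0/24"),
    "Generic VPN provider (constructed)": ipaddress.ip_network("198.51.100.0/24"),
}

# Constructed baseline: the country each user's sign-ins normally come from.
USER_HOME_COUNTRY = {"user@example.com": "MX"}

# Constructed Entra-style sign-in records; the field names are assumptions.
SIGNINS = [
    {"user": "user@example.com", "ip": "192.0.2.10", "country": "MX",
     "time": "2026-04-20T14:02:00Z", "result": "success"},
    {"user": "user@example.com", "ip": "203.0.113.44", "country": "US",
     "time": "2026-04-21T22:59:00Z", "result": "success"},
    {"user": "user@example.com", "ip": "203.0.113.45", "country": "US",
     "time": "2026-04-21T23:05:00Z", "result": "failure"},
]

# Constructed GCP-audit-style records; which methods count as sensitive
# is an assumption for this example.
AUDIT_LOG = [
    {"principal": "user@example.com", "method": "storage.objects.get",
     "time": "2026-04-21T23:30:00Z"},
    {"principal": "other@example.com", "method": "iam.serviceAccountKeys.create",
     "time": "2026-04-22T01:00:00Z"},
]
SENSITIVE_METHODS = {"iam.serviceAccountKeys.create", "compute.firewalls.delete"}


def parse_time(s):
    """Parse the 'Z'-suffixed UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def vpn_provider(ip):
    """Return the VPN label whose range contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in VPN_EGRESS.items():
        if addr in net:
            return name
    return None


def flag_signins(signins, baseline):
    """Successful sign-ins from VPN egress whose country differs from the
    user's baseline. Failures are skipped: only a success shows the
    credential actually worked from that source."""
    flagged = []
    for rec in signins:
        if rec["result"] != "success":
            continue
        provider = vpn_provider(rec["ip"])
        home = baseline.get(rec["user"])
        if provider and home and rec["country"] != home:
            flagged.append({**rec, "provider": provider})
    return flagged


def audit_activity(audit_log, user, window_end, lookback_hours=72):
    """Audit records by `user` in the lookback window ending at `window_end`,
    split into everything seen and the subset touching sensitive methods."""
    start = window_end - timedelta(hours=lookback_hours)
    hits = [r for r in audit_log
            if r["principal"] == user and start <= parse_time(r["time"]) <= window_end]
    return {"all": hits,
            "sensitive": [r for r in hits if r["method"] in SENSITIVE_METHODS]}


if __name__ == "__main__":
    review_time = parse_time("2026-04-22T15:34:00Z")  # time the case was worked
    for hit in flag_signins(SIGNINS, USER_HOME_COUNTRY):
        print(f"FLAG {hit['user']} {hit['time']} {hit['ip']} via {hit['provider']}")
        act = audit_activity(AUDIT_LOG, hit["user"], review_time)
        print(f"  audit records in 72h: {len(act['all'])}, sensitive: {len(act['sensitive'])}")
```

The lookback window is anchored at the time the case is reviewed, so actions taken after the flagged sign-in are included; a window anchored at the sign-in itself would miss exactly the post-authentication activity an analyst most wants to see. Only successful sign-ins are flagged, which keeps password-spray noise out of the identity alert while leaving it visible in the raw records.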