To reduce false positives from MDCA built-in threat detections:
First, ensure you have entered your organization's IP address ranges to tell MDCA more about your VPN and corporate IP ranges. Note that if your corporate egress IPs are also used for egress of VPN clients, then that IP address/range should be categorized as VPN. More info: Set IP ranges and tags | Microsoft Docs