You’ve got it. I have an NDR I mirror packets to and it picked up the connection. I think the guy hit a Tor IP before connecting with NordVPN, but I do remember seeing the connection to Tor that sparked the alert, followed by the traffic to Nord. Either one of those things would have triggered an investigation into the user.
Forwarded that to my security team and washed my hands of it. Wish I knew why users pull stuff like that on company resources. If they just did it at home, I wouldn’t care!