Changing authorization status of devices

May 15, 2024

ID 264312

You can change the authorization status of a device when the analysis of an alert or incident shows that the protection level of the device is low or that the device does harm to your infrastructure.

This response action is performed on devices with KICS for Networks installed.

You can change the authorization status of a device in one of the following ways:

  • From the alert or incident details
  • From the device details
  • From a telemetry event
  • From an investigation graph

You can also configure the response action to run automatically when creating or editing a playbook.

To change the authorization status of a device, you must have one of the following XDR roles: Main administrator, Tenant administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst.

Changing authorization status of devices from alert or incident details

To change the authorization status of a device from the alert or incident details:

  1. Do one of the following:
    • In the main menu, go to Monitoring & reporting → Alerts. In the ID column, click the ID of the alert that includes the device whose authorization status is to be changed.
    • In the main menu, go to the Monitoring & reporting → Incidents section. In the ID column, click the ID of the incident that includes the device whose authorization status is to be changed.
  2. In the window that opens, go to the Assets tab.
  3. Select the check box next to the device whose authorization status is to be changed.

    You can select several devices, if necessary.

  4. In the Select response actions drop-down list, select Change authorization status.
  5. In the window that opens on the right side of the screen, select the new status of the device (authorized or unauthorized), and then click the Change button.

    If the operation is completed successfully, an appropriate message is displayed on the screen. Otherwise, an error message is displayed.

Changing authorization status of devices from the device details

To change the authorization status of a device from the device details:

  1. Do one of the following:
    • In the main menu, go to Monitoring & reporting → Alerts. In the ID column, click the ID of the alert that includes the device whose authorization status is to be changed.
    • In the main menu, go to the Monitoring & reporting → Incidents section. In the ID column, click the ID of the incident that includes the device whose authorization status is to be changed.
  2. In the window that opens, go to the Assets tab.
  3. Click the name of the required device, and then in the drop-down list, select View properties.
  4. In the Select response actions drop-down list, select Change authorization status.
  5. In the window that opens on the right side of the screen, select the new status of the device (authorized or unauthorized), and then click the Change button.

    If the operation is completed successfully, an appropriate message is displayed on the screen. Otherwise, an error message is displayed.

Changing authorization status of devices from a telemetry event

To change the authorization status of a device from a telemetry event:

  1. In the main menu, go to Monitoring & reporting → Alerts. In the ID column, click the ID of the alert that includes the device whose authorization status is to be changed.
  2. In the window that opens, go to the Details tab, and do one of the following:
    • Click the name of the required event and select the device.
    • Click the Find in Threat hunting button to go to the Threat hunting section and select the required device.
  3. In the Select response actions drop-down list, select Change authorization status.
  4. In the window that opens on the right side of the screen, select the new status of the device (authorized or unauthorized), and then click the Change button.

    If the operation is completed successfully, an appropriate message is displayed on the screen. Otherwise, an error message is displayed.

Changing authorization status of devices from an investigation graph

This option is available if the investigation graph is built.

To change the authorization status of a device from an investigation graph:

  1. In the main menu, go to the Monitoring & reporting → Incidents section. In the ID column, click the ID of the incident that includes the device whose authorization status is to be changed.
  2. In the window that opens, click the View on graph button.

    The investigation graph opens.

  3. Click the device name to open the device details.
  4. In the Select response actions drop-down list, select Change authorization status.
  5. In the window that opens on the right side of the screen, select the new status of the device (authorized or unauthorized), and then click the Change button.

    If the operation is completed successfully, an appropriate message is displayed on the screen. Otherwise, an error message is displayed.

The selected authorization status of the device is displayed in the alert or incident card, on the Assets tab → Authorization status column.
