Changing authorization status of devices

You can change an authorization status of a device when the analysis of an alert or incident shows that the protection level of the device is low or the device does harm to your infrastructure.

This response action is performed on devices with KICS for Networks installed.

You can change an authorization status of a device in one of the following ways:

• From the alert or incident details.
• From the device details.
• From a telemetry event.
• From an investigation graph.

  This option is available if the investigation graph is built.

You can also configure the response action to run automatically when creating or editing a playbook.

To change an authorization status of a device, you must have one of the following XDR roles: Main administrator, Tenant administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst.

To change an authorization status of a device:

1. In the main menu, go to the Monitoring & reporting section, and then select the Alerts or Incidents section.

   If you want to respond from an investigation graph, select the Incidents section.

   If you want to respond from a telemetry event, select the Alerts section.

2. Click the ID of the required alert or incident.
3. In the window that opens, do one of the following:
   • If you want to respond through the alert or incident details, go to the Assets tab, and then select check box next to the device which authorization status is to be changed.

     You can select several devices, if necessary.

   • If you want to respond through the device details, go to the Assets tab, click the name of the required device, and then in the drop-down list, select View properties.
   • If you want to respond through a telemetry event, go to the Details tab, and then either click the name of the required event and select the device or click the Find in Threat hunting button to go to the Threat Hunting section and select the required device.
   • If you want to respond through an investigation graph, click the View on graph button. In the investigation graph that opens, click the device name to open the device details.
4. In the Select response actions drop-down list, select Change authorization status.
5. In the window that opens on the right side of the screen, select the new status of the device (authorized or unauthorized), and then click the Change button.

   If the operation is completed successfully, an appropriate message is displayed on the screen. Otherwise, an error message is displayed.

The selected authorization status of the device in displayed in the alert or incident card, on the Assets tab → Authorization status column.

Page top