Creating Asset Purge Rules

You can create an asset purge rule in CyberSecurity Asset Management (CSAM) to purge or delete the following types of assets:

  • Cloud agent-based assets
  • Cloud provider metadata-based assets
  • Scan-based assets
  • Assets identified by third-party connectors
  • Assets identified by EASM

After you create the asset purge rule, it is currently set to run at a six-hour interval. Once the rule runs, the assets that meet the purge rule criteria are deleted and not shown in your inventory.

To create a new rule, follow these steps:

  1. Go to Rules > Asset Purge Rules > Create Rule.

    The Reconciliation Rules (Beta) tab is part of a third-party asset identification feature that is in the Beta phase. It is at an early stage and available only on request. Contact your Technical Account Manager (TAM) for more information.

  2. Provide the rule name and rule description, and click Next.

  3. Click the Plus icon to select the required asset purge criteria.

    Select one of the following purge criteria:

    • Add Cloud Agent-Based Criteria
    • Add Cloud Provider Metadata-Based Criteria
    • Add Scan-Based Criteria
    • Add EASM Based Criteria
    • Add Other Sources Criteria

    You can select the Time-Based criteria only with the other criteria.

  4. Select the required criteria from the following options based on the types of assets you want to purge, and complete the required steps.
    For more information on asset purge rule behavior, refer to Asset Purge Rules Behavior.

    The following sections describe the steps for each criteria type:

    Add Cloud Agent-Based Criteria

    1. Select the attributes and operator to identify assets you want to purge.

      You can select from the following attributes and operators:

      | Attribute | Operator | Input | Description |
      |---|---|---|---|
      | agentActivationKey | IN | Select Cloud Agent activation key from the list. | Assets that are associated with the selected Cloud Agent activation keys are purged. |
      | agentActivationKey | NOT IN | Select Cloud Agent activation key from the list. | Assets that are not associated with the selected Cloud Agent activation keys are purged. |
      | lastActivity | OLDER THAN | Enter a number of days. | Assets that have not shown any activity for more than the specified number of days are purged. |
      | lastActivity | IN LAST | Enter a number of days. | Assets that have shown activity within the specified number of days are purged. |
      | lastCheckedIn | OLDER THAN | Enter a number of days. | Assets whose Cloud Agent has not checked in for more than the specified number of days are purged. |
      | lastCheckedIn | IN LAST | Enter a number of days. | Assets whose Cloud Agent has checked in within the specified number of days are purged. |
      | activatedForModule | IN | Select a module from the list. | Assets that are activated for the selected module(s) are purged. |
      | activatedForModule | NOT IN | Select a module from the list. | Assets that are not activated for the selected module(s) are purged. |
      | agentVersion | IN | Select a Cloud Agent version from the list. | Assets running the selected Cloud Agent version(s) are purged. |
      | agentVersion | NOT IN | Select a Cloud Agent version from the list. | Assets not running the selected Cloud Agent version(s) are purged. |
      | configurationProfile | IN | Select a configuration profile from the list. | Assets assigned to the selected configuration profile(s) are purged. |
      | configurationProfile | NOT IN | Select a configuration profile from the list. | Assets not assigned to the selected configuration profile(s) are purged. |
      | configurationProfile | IS NULL | - | Assets that do not have any configuration profile assigned are purged. |
    2. Select the value from the third column based on the attribute and operator you selected.
    3. Click the Add icon to add multiple attributes.
    4. Click Add Criteria to add additional criteria. You can select the Add Cloud Provider Metadata-Based or Add Time-Based Criteria.

      If you select the Remove the cloud agent and associated license checkbox, the assets, the cloud agent, and its license are removed from your subscription.

    Example:

    See the example of the Time-Based criteria. You can choose to enter the time in Days or Hours.

    You can select the following attribute and operators for Time-Based Criteria:

    | Attribute | Operator | Duration | Input | Description |
    |---|---|---|---|---|
    | lastVmScanDate | OLDER THAN | Days, Hours | Enter Days or Hours | Assets whose last VM scan was performed earlier than the specified number of days and hours are purged. |
    | lastVmScanDate | IS LAST | Days, Hours | Enter Days or Hours | Assets whose last VM scan was performed within the specified number of days and hours are purged. |
    | lastVmScanDate | IS NULL | - | - | Assets that are not scanned by VM are purged. |
    | Updated | OLDER THAN | Days, Hours | Enter Days or Hours | Assets that were last updated earlier than the specified number of days and hours will be purged. |
    | Updated | IS LAST | Days, Hours | Enter Days or Hours | Assets that were updated within the specified number of days and hours will be purged. |
    | created | OLDER THAN | Days, Hours | Enter Days or Hours | Assets that were created earlier than the specified number of days and hours will be purged. |
    | created | IS LAST | Days, Hours | Enter Days or Hours | Assets that were created within the specified number of days and hours will be purged. |
    | lastComplianceScanDate | OLDER THAN | Days, Hours | Enter Days or Hours | Assets whose last compliance scan was performed earlier than the specified number of days and hours will be purged. |
    | lastComplianceScanDate | IS LAST | Days, Hours | Enter Days or Hours | Assets whose last compliance scan was performed within the specified number of days and hours will be purged. |

    Add Cloud Provider Metadata-Based Criteria

    1. Select the cloud provider, such as AWS, AZURE, OCI, or GCP.
    2. Select the Attribute and Operator based on the cloud provider.

      AWS

      | Attribute | Operator | Input | Description |
      |---|---|---|---|
      | aws.ec2.region.name | IN | Select region name. | Assets that belong to the selected AWS region(s) will be purged. |
      | aws.ec2.region.name | NOT IN | Select region name. | Assets that do not belong to the selected AWS region(s) will be purged. |
      | connectorName | IN | Select connector name. | Assets discovered using the selected connector(s) will be purged. |
      | connectorName | NOT IN | Select connector name. | Assets not discovered using the selected connector(s) will be purged. |
      | aws.ec2.vpcId | IN | Select VPC ID. | Assets that belong to the selected VPC(s) will be purged. |
      | aws.ec2.vpcId | NOT IN | Select VPC ID. | Assets that do not belong to the selected VPC(s) will be purged. |
      | aws.ec2.subnetId | IN | Select subnet ID. | Assets that belong to the selected subnet(s) will be purged. |
      | aws.ec2.subnetId | NOT IN | Select subnet ID. | Assets that do not belong to the selected subnet(s) will be purged. |
      | aws.ec2.imageId | IN | Select image ID. | Assets that are launched using the selected image ID(s) will be purged. |
      | aws.ec2.imageId | NOT IN | Select image ID. | Assets that are not launched using the selected image ID(s) will be purged. |
      | aws.ec2.accountId | IN | Select account ID. | Assets that belong to the selected AWS account(s) will be purged. |
      | aws.ec2.accountId | NOT IN | Select account ID. | Assets that do not belong to the selected AWS account(s) will be purged. |
      | aws.ec2.instanceState | IN | Select instance state. | Assets that are in the selected instance state(s) will be purged. |
      | aws.ec2.instanceState | NOT IN | Select instance state. | Assets that are not in the selected instance state(s) will be purged. |

      Azure

      | Attribute | Operator | Input | Description |
      |---|---|---|---|
      | azure.vm.subscriptionId | IN | Select subscription ID. | Assets that belong to the selected Azure subscription(s) will be purged. |
      | azure.vm.subscriptionId | NOT IN | Select subscription ID. | Assets that do not belong to the selected Azure subscription(s) will be purged. |
      | azure.vm.location | IN | Select location. | Assets that are deployed in the selected Azure location(s) will be purged. |
      | azure.vm.location | NOT IN | Select location. | Assets that are not deployed in the selected Azure location(s) will be purged. |
      | azure.vm.resourceGroupName | IN | Select resource group name. | Assets that belong to the selected resource group(s) will be purged. |
      | azure.vm.resourceGroupName | NOT IN | Select resource group name. | Assets that do not belong to the selected resource group(s) will be purged. |
      | azure.vm.state | IN | Select VM state. | Assets that are in the selected VM state(s) will be purged. |
      | azure.vm.state | NOT IN | Select VM state. | Assets that are not in the selected VM state(s) will be purged. |
      | azure.vm.subnet | IN | Select subnet name. | Assets that belong to the selected subnet(s) will be purged. |
      | azure.vm.subnet | NOT IN | Select subnet name. | Assets that do not belong to the selected subnet(s) will be purged. |

      GCP

      | Attribute | Operator | Input | Description |
      |---|---|---|---|
      | gcp.compute.projectNumber | IN | Select project number. | Assets that belong to the selected GCP project number(s) will be purged. |
      | gcp.compute.projectNumber | NOT IN | Select project number. | Assets that do not belong to the selected GCP project number(s) will be purged. |
      | gcp.compute.projectId | IN | Select project ID. | Assets that belong to the selected GCP project ID(s) will be purged. |
      | gcp.compute.projectId | NOT IN | Select project ID. | Assets that do not belong to the selected GCP project ID(s) will be purged. |
      | gcp.compute.network | IN | Select network name. | Assets that belong to the selected network(s) will be purged. |
      | gcp.compute.network | NOT IN | Select network name. | Assets that do not belong to the selected network(s) will be purged. |
      | gcp.compute.zone | IN | Select zone. | Assets that are in the selected zone(s) will be purged. |
      | gcp.compute.zone | NOT IN | Select zone. | Assets that are not in the selected zone(s) will be purged. |
      | gcp.compute.state | IN | Select instance state. | Assets that are in the selected instance state(s) will be purged. |
      | gcp.compute.state | NOT IN | Select instance state. | Assets that are not in the selected instance state(s) will be purged. |

      OCI

      | Attribute | Operator | Input | Description |
      |---|---|---|---|
      | oci.compute.availabilityDomain | IN | Select availability domain. | Assets that belong to the selected availability domain(s) will be purged. |
      | oci.compute.availabilityDomain | NOT IN | Select availability domain. | Assets that do not belong to the selected availability domain(s) will be purged. |
      | oci.compute.canonicalRegionName | IN | Select canonical region name. | Assets that belong to the selected canonical region(s) will be purged. |
      | oci.compute.canonicalRegionName | NOT IN | Select canonical region name. | Assets that do not belong to the selected canonical region(s) will be purged. |
      | oci.compute.compartmentId | IN | Select compartment ID. | Assets that belong to the selected compartment(s) will be purged. |
      | oci.compute.compartmentId | NOT IN | Select compartment ID. | Assets that do not belong to the selected compartment(s) will be purged. |
      | oci.compute.ociId | IN | Select OCI instance ID. | Assets with the selected OCI instance ID(s) will be purged. |
      | oci.compute.ociId | NOT IN | Select OCI instance ID. | Assets that do not have the selected OCI instance ID(s) will be purged. |
      | oci.compute.state | IN | Select instance state. | Assets that are in the selected instance state(s) will be purged. |
      | oci.compute.state | NOT IN | Select instance state. | Assets that are not in the selected instance state(s) will be purged. |
      | oci.compute.region | IN | Select region. | Assets that belong to the selected region(s) will be purged. |
      | oci.compute.region | NOT IN | Select region. | Assets that do not belong to the selected region(s) will be purged. |
      | oci.compute.tenantName | IN | Select tenant name. | Assets that belong to the selected tenant(s) will be purged. |
      | oci.compute.tenantName | NOT IN | Select tenant name. | Assets that do not belong to the selected tenant(s) will be purged. |
      | oci.compute.imageId | IN | Select image ID. | Assets that are launched using the selected image ID(s) will be purged. |
      | oci.compute.imageId | NOT IN | Select image ID. | Assets that are not launched using the selected image ID(s) will be purged. |
      | oci.tags.key | IN | Select tag key. | Assets that have the selected tag key(s) will be purged. |
      | oci.tags.key | NOT IN | Select tag key. | Assets that do not have the selected tag key(s) will be purged. |
      | oci.tags.value | IN | Select tag value. | Assets that have the selected tag value(s) will be purged. |
      | oci.tags.value | NOT IN | Select tag value. | Assets that do not have the selected tag value(s) will be purged. |

    3. Select the value from the third column based on the attribute and operator you selected.
    4. Click the Add icon to add multiple attributes.

      If you select the Remove the cloud agent and associated license checkbox, the assets, the cloud agent, and its license are removed from your subscription.

    5. Click Add Filter to add a filter. You can only add filters from the Add Cloud Agent-Based Criteria or Add Time-Based Criteria.

    Example:

    See the example of the Time-Based criteria. You can choose to enter the time in Days or Hours.


    Add Scan-Based Criteria

    1. Select this criteria to retain any or all tracking methods in IP, DNSNAME, or NETBIOS as required.
    2. Click Add Filter to add additional filters.

      You can add filters only from the Add Time-Based Criteria.

    Example:

    See the example of the Time-Based criteria. You can choose to enter the time in Days or Hours.


    Add EASM Based Criteria

    1. Select the attribute, operator, and input to identify the assets you want to purge.

      | Attribute | Operator | Input | Description |
      |---|---|---|---|
      | Profile Name | IN | Select profile name. | Assets that belong to the selected EASM profile(s) are purged. |
      | Domain/Subdomain | IN | Enter domain or subdomain name. | Assets associated with the specified domain or subdomain name(s) are purged. |
      | Organization | IN | Select organization name. | Assets that belong to the selected organization(s) are purged. |
      | IP/Netblock | IN | Enter IP address or netblock. | Assets associated with the specified IP address(es) or netblock(s) are purged. |
      | First EASM Scan Date | OLDER THAN | Enter value in days. | Assets whose first EASM scan was performed earlier than the specified number of days are purged. |
      | First EASM Scan Date | IN LAST | Enter value in days. | Assets whose first EASM scan was performed within the specified number of days are purged. |
      | Last EASM Scan Date | OLDER THAN | Enter value in days. | Assets whose last EASM scan was performed earlier than the specified number of days are purged. |
      | Last EASM Scan Date | IN LAST | Enter value in days. | Assets whose last EASM scan was performed within the specified number of days are purged. |

    2. Click the Add icon to add multiple attributes.

      You cannot add other purge criteria with the Add EASM Based criteria.


    Add Other Sources Criteria

    Important to Know Before You Begin!

    Consider the following purge scenarios for third-party assets discovered by Webhook, ServiceNow, and Active Directory connectors:

    • If the asset type is a managed asset discovered by any third-party connector sources mentioned earlier, then only the third-party connector data is deleted; the asset is not purged.
    • If the asset is solely a third-party connector asset, which is an unmanaged asset, it gets purged if it satisfies the third-party connector purge rule. However, if multiple connector sources discover the same asset, only the respective connector data for which the purge rule is created gets purged. The asset gets deleted only when all connector data for all the different connector sources gets deleted.

    1. Select the required source, such as a Third-Party Connector source, and then select the required connector source. Active Directory, ServiceNow, and Webhook are available connector sources.

      Besides the Third-Party Connector source, Cloud Agent as Passive Sensor and Passive Sensor sources are also available.

    2. Select the attributes and operator based on the selected source.

      Passive Sensor

      | Attribute | Operator | Input | Description |
      |---|---|---|---|
      | passiveSensor.id | IN | Select sensor ID. | Assets discovered by the selected passive sensor(s) will be purged. |
      | passiveSensor.lastUpdatedDate | OLDER THAN | Enter value in days. | Assets whose passive sensor data was last updated earlier than the specified number of days will be purged. |
      | passiveSensor.lastUpdatedDate | IN LAST | Enter value in days. | Assets whose passive sensor data was updated within the specified number of days will be purged. |
      | operatingSystem.category1 | IN | Select OS category1. | Assets with the selected operating system category (level 1) will be purged. |
      | operatingSystem.category2 | IN | Select OS category2. | Assets with the selected operating system category (level 2) will be purged. |
      | hardware.category1 | IN | Select hardware category1. | Assets with the selected hardware category (level 1) will be purged. |
      | hardware.category2 | IN | Select hardware category2. | Assets with the selected hardware category (level 2) will be purged. |

      Cloud Agent as Passive Sensor

      | Attribute | Operator | Input | Description |
      |---|---|---|---|
      | passiveSensor.lastUpdatedDate | OLDER THAN | Enter value in days. | Assets whose passive sensor data (via Cloud Agent) was last updated earlier than the specified number of days will be purged. |
      | passiveSensor.lastUpdatedDate | IN LAST | Enter value in days. | Assets whose passive sensor data (via Cloud Agent) was updated within the specified number of days will be purged. |
      | operatingSystem.category1 | IN | Select OS category1. | Assets with the selected operating system category (level 1) will be purged. |
      | operatingSystem.category2 | IN | Select OS category2. | Assets with the selected operating system category (level 2) will be purged. |
      | hardware.category1 | IN | Select hardware category1. | Assets with the selected hardware category (level 1) will be purged. |
      | hardware.category2 | IN | Select hardware category2. | Assets with the selected hardware category (level 2) will be purged. |
      | Assets reported by an agent | IN | Select value from the list. | Assets reported by a Cloud Agent based on the selected option will be purged. |
      | Assets whose latest CAPS leader is deleted | - | - | Assets whose latest CAPS leader is deleted will be purged. |

      Third-Party Connector

      Select a third-party connector source from the Select the source list.

      | Attribute | Operator | Input | Description |
      |---|---|---|---|
      | Connector Name (the name of the third-party connector that discovered or imported the asset into the inventory) | IN | Select connector name. | Assets discovered or imported by the selected connector(s) will be purged. |
      | Connector ID (the unique identifier assigned to a third-party connector) | IN | Select connector ID. | Assets discovered or imported using the selected connector ID(s) will be purged. |
      | Last Seen (the date when the asset was last updated in the CSAM inventory) | OLDER THAN | Enter value in days. | Assets that were last seen earlier than the specified number of days in CSAM will be purged. |
      | Last Seen | IN LAST | Enter value in days. | Assets that were seen within the specified number of days in CSAM will be purged. |
      | First Seen (the date when the asset was first created in the CSAM inventory) | OLDER THAN | Enter value in days. | Assets that were first created earlier than the specified number of days in CSAM will be purged. |
      | First Seen | IN LAST | Enter value in days. | Assets that were created within the specified number of days in CSAM will be purged. |
      | Source Last Seen (the date when the asset was last updated by the third-party source; this value is provided by the third-party source rather than the date when the record was created in the CSAM inventory) | OLDER THAN | Enter value in days. | Assets whose source last seen date is earlier than the specified number of days will be purged. |
      | Source Last Seen | IN LAST | Enter value in days. | Assets whose source last seen date is within the specified number of days will be purged. |

    3. Attributes, descriptions, and operators:

      | Attribute | Description | Operator |
      |---|---|---|
      | Connector Name | The name of the third-party connector that discovered or imported the asset into the inventory. | IN |
      | Connector ID | The unique identifier assigned to a third-party connector. | IN |
      | Last Seen | The date when the asset was last updated in the CSAM inventory. | OLDER THAN, IN LAST |
      | First Seen | The date when the asset was first created in the CSAM inventory. | OLDER THAN, IN LAST |
      | Source Last Seen | The date when the asset was last updated by the third-party source. This value is provided by the third-party source rather than the date when the record was created in the CSAM inventory. | OLDER THAN, IN LAST |

    4. Select or enter the value in the third column based on the attribute and operator you selected.
      • Select the value from the third column for the Connector Name and Connector ID attributes.
      • Enter the value for First Seen and Last Seen attributes.

      You cannot add other purge criteria with the Add Other Sources criteria.

  5. Click Next.
  6. On the Settings page, enter the following details and click Next.

    1. Set the asset purge limit in the Asset Limit field. If you select more assets than the set limit, your assets won't be purged.
    2. Select whether you want to Re-provision the agent or Uninstall the agent.

      By default, Re-provision the agent is selected, and as a result, the agent creates a new asset. If you select Uninstall the agent, the agent is uninstalled from the host.

  7. Review and confirm your selections.

  8. Click Finish to save the purge rule.

    A confirmation message is shown.

  9. Select the Save my purge rule checkbox, and click Confirm.

Asset Purge Rules Behavior

You can configure purge rules to automatically delete assets based on a duration you specify, either in days or hours.

Purge Rules with Duration in Days

When you set the purge condition in days, the system evaluates the asset’s age using complete days only. This means that, if you configure the rule to purge assets older than n days, the system removes assets that are older than n+1 days.

Example:

  • Rule created on: 31 July 2025
  • Criteria:
    • Attribute: lastCheckedIn
    • Operator: Older Than
    • Days: 5

In this example, all assets older than 6 full days will be purged (older than 26 July 2025). For instance, an asset that is 5 days and 3 hours old will not be deleted until it exceeds 6 days from the day the rule was created.

Purge Rules with Duration in Hours

When you set the purge condition in hours, the system uses the exact time, down to the hour, minute, and second. This means that, if you configure the rule to purge assets Older than n hours, the system deletes assets as soon as they exceed that precise duration from the time the rule was created or last updated.

Example:

  • Rule created on: 31 July 2025 at 12:00 PM
  • Criteria:
    • Attribute: created or updated
    • Operator: Older Than
    • Duration: 24 hours

In this example, all assets older than 24 hours from 12:00 PM on 31 July will be deleted (older than 30 July 12:00 PM).
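
The day and hour semantics above, combined with the Asset Limit from the Settings step, can be previewed offline against an inventory export before a rule is enabled. The following Python is an added example, not Qualys code: it models OLDER THAN as this page describes it (whole-day ages, exact hour ages, nothing purged when the matches exceed the limit). The `Rule` class, the `dry_run` function, the inventory records, and the 12:00 reference time used for the days case are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Rule:
    attribute: str       # e.g. "lastCheckedIn" or "created"
    duration: int        # n in "OLDER THAN n"
    unit: str            # "days" or "hours"
    asset_limit: int     # Asset Limit from the Settings step
    reference: datetime  # assumption: time the rule was created or last updated


def is_older_than(ts: Optional[datetime], rule: Rule) -> bool:
    """Model of the OLDER THAN operator as this page describes it."""
    if ts is None:
        return False  # a missing date is matched by IS NULL, not by OLDER THAN
    age = rule.reference - ts
    if rule.unit == "days":
        # Complete days only: 5 days 3 hours counts as 5, so n=5 needs 6 full days.
        return age.days > rule.duration
    if rule.unit == "hours":
        # Exact comparison, down to the second.
        return age > timedelta(hours=rule.duration)
    raise ValueError(f"unsupported unit: {rule.unit!r}")


def dry_run(inventory: list, rule: Rule) -> dict:
    """Return which assets match and whether the asset limit blocks the purge."""
    matched = [a["name"] for a in inventory
               if is_older_than(a.get(rule.attribute), rule)]
    blocked = len(matched) > rule.asset_limit
    return {
        "matched": matched,
        "blocked_by_limit": blocked,
        "purged": [] if blocked else matched,
    }


def _utc(month: int, day: int, hour: int, minute: int = 0, second: int = 0) -> datetime:
    return datetime(2025, month, day, hour, minute, second, tzinfo=timezone.utc)


# Rule creation time from the page's examples (31 July 2025, 12:00 PM; UTC assumed).
REFERENCE = _utc(7, 31, 12)

# Constructed inventory records; names and timestamps are sample data.
INVENTORY = [
    {"name": "host-a", "lastCheckedIn": _utc(7, 26, 9), "created": _utc(7, 30, 11, 59, 59)},
    {"name": "host-b", "lastCheckedIn": _utc(7, 25, 11), "created": _utc(7, 30, 12, 0, 1)},
    {"name": "host-c", "lastCheckedIn": _utc(7, 20, 12), "created": _utc(7, 20, 12)},
    {"name": "host-d", "lastCheckedIn": None, "created": _utc(7, 31, 8)},
]

if __name__ == "__main__":
    for rule in (
        Rule("lastCheckedIn", 5, "days", asset_limit=5, reference=REFERENCE),
        Rule("lastCheckedIn", 5, "days", asset_limit=1, reference=REFERENCE),
        Rule("created", 24, "hours", asset_limit=5, reference=REFERENCE),
    ):
        print(rule.attribute, rule.duration, rule.unit, rule.asset_limit, dry_run(INVENTORY, rule))
```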

Available Purge Criteria and Interval Duration

The table below lists the attributes that use the interval: Days.

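| Criteria | Attribute | Interval Type |
|---|---|---|
| Cloud Agent-Based | lastCheckedIn | Days |
| Cloud Agent-Based | lastActivity | Days |
| EASM-Based | First EASM Scan Date | Days |
| EASM-Based | Last EASM Scan Date | Days |
| Time-Based | lastVMScanDate | Days |
| Time-Based | lastComplianceScanDate | Days |
| Time-Based | Updated | Days |
| Time-Based | Created | Days |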

The table below lists the attributes that use the interval: Hours.

| Criteria | Attribute | Interval Type |
|---|---|---|
| Time-Based | lastVMScanDate | Hours |
| Time-Based | lastComplianceScanDate | Hours |
| Time-Based | created | Hours |
| Time-Based | updated | Hours |

Good to Know!

You can edit, delete, enable, or disable the purge rule from the Quick Actions menu. You can also download the purge rule execution report.


Related Link

Third-Party Asset Import in CSAM