Creating Asset Purge Rules

You can create an asset purge rule in CyberSecurity Asset Management (CSAM) to purge or delete the following types of assets:

-  Cloud agent-based assets

-  Cloud provider metadata-based assets

-  Scan-based assets

-  Assets identified by third-party connectors

-  Assets identified by EASM

After you create the asset purge rule, it is currently set to run at a six-hour interval. Once the rule runs, the assets that meet the purge rule criteria are deleted and not shown in your inventory.

Complete the following steps to create a new rule:

1.  Go to Rules > Asset Purge Rules > Create Rule.

Asset Purge Rules.

Note: The Reconciliation Rules(Beta) tab is part of a third-party asset identification feature in the Beta phase. It's in the early stage and only available on a request basis. Contact your Technical Account Manager (TAM) for more information.

2.  Provide the rule name and rule description, and click Next.

Basic Information.

3.  Click the Plus Add icon.  icon to select the required asset purge criteria. Select one of the following purge criteria. 

-  Add Cloud Agent-Based Criteria
-  Add Cloud Provider Metadata-Based Criteria
-  Add Scan-Based Criteria
-  Add EASM Based Criteria
-  Add Other Sources Criteria

Note: You can select the Time-Based criteria only with the other criteria.

Asset Scope.

4.  Select the required option from the following options based on the types of assets you want to purge and complete the necessary steps. Expand the following sections to learn the steps.


Add Cloud Agent-Based CriteriaAdd Cloud Agent-Based Criteria

i.  Select the attributes and operator to identify assets you want to purge.

The available attribute values are lastActivity, lastCheckedIn, activatedForModule, agentActivationKey, agentVersion, and configurationProfile.

The available operators are OLDER THAN and IN LAST.

ii.  Select the value from the third column based on the attribute and operator you selected.

iii.  Click the Add Add icon. icon to add multiple attributes. 

iv.  Click Add Filter to add a filter. You can add filters only from the Add Cloud Provider Metadata-Based or Add Time-Based Criteria.

Note: If you select the Remove the cloud agent and associated license checkbox, assets, a cloud agent, and its license will be removed from your subscription.

Example:

Asset scope selection option 1.

See the example of the Time-Based criteria. You can choose to enter the time in Days or Hours. You can select the IS NULL operator for the lastVMScanDate attribute to purge assets that are not scanned by VM.

 


Add Cloud Provider Metadata-Based CriteriaAdd Cloud Provider Metadata-Based Criteria

i.  Select the cloud provider, such as AWS, AZURE, or GCP.

ii.  Select the attribute and operator.

iii.  Select the value from the third column based on the attribute and operator you selected.

iv.  Click the Add Add icon. icon to add multiple attributes. 

Note: If you select the Remove the cloud agent and associated license checkbox, Assets, a cloud agent, and its license will be removed from your subscription.

v.  Click Add Filter to add a filter. You can only add filters from the Add Cloud Agent-Based Criteria or Add Time-Based Criteria.

Example:

Asset scope selection option 2.

See the example of the Time-Based criteria. You can choose to enter the time in Days or Hours. You can select the IS NULL operator for the lastVMScanDate attribute to purge assets that are not scanned by VM.


Add Scan-Based Criteria Add Scan-Based Criteria

i.  Choose to retain any or all tracking methods in IP, DNSNAME, or NETBIOS as required.

ii.  Click Add Filter to add additional filters. You can add filters only from the Add Time-Based Criteria.

iii.  Select the attributes and operator.

The available attribute values are lasVmScanDate, updated, and lastCompiledScanDate.

The available operators are OLDER THAN and IN LAST.

iv.  Select the value from the third column based on the attribute and operator you selected.

v.  Click the Add add icon.  icon to add multiple attributes. 

Example:

Asset scope selection option 3.

See the example of the Time-Based criteria. You can choose to enter the time in Days or Hours. You an select the IS NULL operator for the lastVMScanDate attribute to purge assets that are not scanned by VM.

Time Based Purge Criteria.


Add EASM Based CriteriaAdd EASM Based Criteria

i.  Select the attribute, operator, and Input to identify assets you want to purge. 

Note: You can select the value from the Input column based on the attribute and operator you selected.

The available attribute values are Profile Name, Domain/Subdomain, IP/Netblock, First EASM Scan Date, and Last EASM Scan Date.

The available operators are IN, OLDER THAN, and IN LAST.

ii.  Click the Add Add icon. icon to add multiple attributes. 

Important: You cannot add other purge criteria with the Add EASM Based criteria.

Example:

Asset Purge - EASM Based Criteria Example.


Add Other Sources CriteriaAdd Other Sources Criteria

Important to Know Before You Begin!

Consider the following purge scenarios for third-party assets discovered by Webhook, ServiceNow, and Active Directory connectors: 

- If the asset type is a managed asset discovered by any third-party connector sources mentioned earlier, then only the third-party connector data is deleted; the asset is not purged.

- If the asset is solely a third-party connector asset, which is an unmanaged asset, it gets purged if it satisfies the third-party connector purge rule. However, if multiple connector sources discover the same asset, only the respective connector data for which the purge rule is created gets purged. The asset gets deleted only when all connector data for all the different connector sources gets deleted. 
 

i.  Select the required source, such as a Third-Party Connector source, and then select the required connector source. Active Directory, Service Now, and WebHook are available connector sources.

Note: Besides the Third-Party Connector source, Cloud Agent as Passive Sensor and Passive Sensor sources are also available.

ii.  Select the attributes and operator.

The available attribute values are Connector Name, Connector ID, Last Seen, and First Seen.
The available operators for First Seen and Last Seen are OLDER THAN and IN LAST, and for Connector Name and Connector ID is IN.

iii. Select or enter the value in the third column based on the attribute and operator you selected.

    -  Select the value from the third column for the Connector Name and Connector ID attributes.

    -  Enter the value for First Seen and Last Seen attributes.


Note: You cannot add other purge criteria with the Add Other Sources criteria.

5. Click Next.

6.  On the Settings page, enter the following details and click Next.

i.  Set asset purge limit in the Asset Limit field. It’s important to know that if you select more assets than the set limit, your assets won't be purged.

ii.  Select whether you want to Re-provision the agent or Uninstall the agent.

Note: By default, Re-provision the agent is selected, and as a result, the agent creates a new asset. If you select Uninstall the agent, the agent is uninstalled from the host. 

Purge Limit.

7. Review and confirm your selections.

Summary.

8.  Click Finish to save the purge rule. A confirmation message is shown.

9. Select the Save my purge rule checkbox, and click Confirm.

Confirmation message.

Good to Know!

You can edit, delete, enable, or disable the purge rule from the Quick Actions menu. You can also download the purge rule execution report.

Options

Related Link

Third-Party Asset Import in CSAM

© July 2025 Qualys, Inc. All rights reserved. Privacy Policy.