You can create an asset purge rule in CyberSecurity Asset Management (CSAM) to purge or delete the following types of assets:
- Cloud agent-based assets
- Cloud provider metadata-based assets
- Scan-based assets
- Assets identified by third-party connectors
After you create the asset purge rule, it is currently set to run at a six-hour interval. Once the rule runs, the assets that meet the purge rule criteria are deleted and not shown in your inventory.
Complete the following steps to create a new rule:
1. Go to Rules > Asset Purge Rules > Create Rule.
Note: The Reconciliation Rules(Beta) tab is part of a third-party asset identification feature in the Beta phase. It's in the early stage and only available on a request basis. Contact your Technical Account Manager (TAM) for more information.
2. Provide the rule name and rule description, and click Next.
3. Click the Plus icon to select the required asset purge criteria. Select one of the following purge criteria.
- Add Cloud Agent-Based Criteria
- Add Cloud Provider Metadata-Based Criteria
- Add Scan-Based Criteria
- Add Other Sources Criteria
Note: You can select the Time-Based criteria only with the other criteria.
4. Select the required option from the following options based on the types of assets you want to purge and complete the necessary steps:
Add Cloud Agent-Based CriteriaAdd Cloud Agent-Based Criteria
i. Select the attributes and operator to identify assets you want to purge.
The available attribute values are lastActivity, lastCheckedIn, activatedForModule, agentActivationKey, agentVersion, and configurationProfile.
The available operators are OLDER THAN and IN LAST.
ii. Select the value from the third column based on the attribute and operator you selected.
iii. Click the Add icon to add multiple attributes.
iv. Click Add Filter to add a filter. You can add filters only from the Add Cloud Provider Metadata-Based or Add Time-Based Criteria.
Note: If you select the Remove the cloud agent and associated license checkbox, assets, a cloud agent, and its license will be removed from your subscription.
Example:
See the example of the Time-Based criteria. You can choose to enter the time in Days and Hours too.
Add Cloud Provider Metadata-Based CriteriaAdd Cloud Provider Metadata-Based Criteria
i. Select the cloud provider, such as AWS, AZURE, or GCP.
ii. Select the attribute and operator.
iii. Select the value from the third column based on the attribute and operator you selected.
iv. Click the Add icon to add multiple attributes.
Note: If you select the Remove the cloud agent and associated license checkbox, Assets, a cloud agent, and its license will be removed from your subscription.
v. Click Add Filter to add a filter. You can only add filters from the Add Cloud Agent-Based Criteria or Add Time-Based Criteria.
Example:
See the example of the Time-Based criteria. You can choose to enter the time in Days and Hours too.
Add Scan-Based CriteriaAdd Scan-Based Criteria
i. Choose to retain any or all tracking methods in IP, DNSNAME, or NETBIOS as required.
ii. Click Add Filter to add additional filters. You can add filters only from the Add Time-Based Criteria.
iii. Select the attributes and operator.
The available attribute values are lasVmScanDate, updated, and lastCompiledScanDate.
The available operators are OLDER THAN and IN LAST.
iv. Select the value from the third column based on the attribute and operator you selected.
v. Click the Add icon to add multiple attributes.
Example:
See the example of the Time-Based criteria. You can choose to enter the time in Days and Hours too.
Add Other Sources CriteriaAdd Other Sources Criteria
Important to Know Before You Begin!
Consider the following purge scenarios for third-party assets discovered by Webhook, ServiceNow, and Active Directory connectors:
- If the asset type is a managed asset discovered by any third-party connector sources mentioned earlier, then only the third-party connector data is deleted; the asset is not purged.
- If the asset is solely a third-party connector asset, which is an unmanaged asset, it gets purged if it satisfies the third-party connector purge rule. However, if multiple connector sources discover the same asset, only the respective connector data for which the purge rule is created gets purged. The asset gets deleted only when all connector data for all the different connector sources gets deleted.
i. Select the required source, such as a Third-Party Connector source, and then select the required connector source. Active Directory, Service Now, and WebHook are available connector sources.
Note: Besides the Third-Party Connector source, Cloud Agent as Passive Sensor and Passive Sensor sources are also available.
ii. Select the attributes and operator.
The available attribute values are Connector Name, Connector ID, Last Seen, and First Seen.
The available operators for First Seen and Last Seen are OLDER THAN and IN LAST, and for Connector Name and Connector ID is IN.
iii. Select or enter the value in the third column based on the attribute and operator you selected.
- Select the value from the third column for the Connector Name and Connector ID attributes.
- Enter the value for First Seen and Last Seen attributes.
Note: You cannot add other purge criteria with the Add Other Sources criteria.
5. Click Next.
6. On the Settings page, enter the following details and click Next.
i. Set asset purge limit in the Asset Limit field. It’s important to know that if you select more assets than the set limit, your assets won't be purged.
ii. Select whether you want to Re-provision the agent or Uninstall the agent.
Note: By default, Re-provision the agent is selected, and as a result, the agent creates a new asset. If you select Uninstall the agent, the agent is uninstalled from the host.
7. Review and confirm your selections.
8. Click Finish to save the purge rule. A confirmation message is shown.
9. Select the Save my purge rule checkbox, and click Confirm.
You can edit, delete, enable, or disable the purge rule from the Quick Actions menu. You can also download the purge rule execution report.