Creating Asset Purge Rules

You can create an asset purge rule in CyberSecurity Asset Management (CSAM) to purge or delete the following types of assets:

  • Cloud agent-based assets
  • Cloud provider metadata-based assets
  • Scan-based assets
  • Assets identified by third-party connectors
  • Assets identified by EASM

After you create an asset purge rule, it runs at a six-hour interval (the current setting). Each time the rule runs, the assets that meet the purge rule criteria are deleted and no longer appear in your inventory.

To create a new rule, follow these steps:

  1. Go to Rules > Asset Purge Rules > Create Rule.

    The Reconciliation Rules (Beta) tab is part of a third-party asset identification feature that is in the Beta phase. The feature is at an early stage and is available only on request. Contact your Technical Account Manager (TAM) for more information.

  2. Provide the rule name and rule description, and click Next.

  3. Click the Plus (Add) icon to select the required asset purge criteria.

    Select one of the following purge criteria:

    • Add Cloud Agent-Based Criteria
    • Add Cloud Provider Metadata-Based Criteria
    • Add Scan-Based Criteria
    • Add EASM Based Criteria
    • Add Other Sources Criteria

    You can select the Time-Based criteria only with the other criteria.

  4. Select the required criteria from the following options based on the types of assets you want to purge, and complete the required steps.
    For more information on asset purge rule behavior, refer to Asset Purge Rules Behavior.

    Expand the following sections to learn the steps:

    Add Cloud Agent-Based Criteria

    i.  Select the attributes and operator to identify assets you want to purge.

    The available attribute values are lastActivity, lastCheckedIn, activatedForModule, agentActivationKey, agentVersion, and configurationProfile.

    The available operators are OLDER THAN and IN LAST.

    ii.  Select the value from the third column based on the attribute and operator you selected.

    iii.  Click the Add icon to add multiple attributes.

    iv.  Click Add Filter to add a filter. You can add filters only from the Add Cloud Provider Metadata-Based or Add Time-Based Criteria.

    If you select the Remove the cloud agent and associated license checkbox, the assets, the cloud agent, and its license are removed from your subscription.

    Example: [Screenshot: Asset scope selection option 1]

    See the example of the Time-Based criteria. You can choose to enter the time in Days or Hours. You can select the IS NULL operator for the lastVMScanDate attribute to purge assets that are not scanned by VM.

    Add Cloud Provider Metadata-Based Criteria

    1. Select the cloud provider, such as AWS, AZURE, or GCP.
    2. Select the Attribute and Operator.
    3. Select the value from the third column based on the attribute and operator you selected.
    4. Click the Add icon to add multiple attributes.

      If you select the Remove the cloud agent and associated license checkbox, the assets, the cloud agent, and its license are removed from your subscription.

    5. Click Add Filter to add a filter. You can only add filters from the Add Cloud Agent-Based Criteria or Add Time-Based Criteria.

    Example: [Screenshot: Asset scope selection option 2]

    See the example of the Time-Based criteria. You can choose to enter the time in Days or Hours. You can select the IS NULL operator for the lastVMScanDate attribute to purge assets that are not scanned by VM.

    Add Scan-Based Criteria

    1. Select this criteria to retain any or all tracking methods in IP, DNSNAME, or NETBIOS as required.
    2. Click Add Filter to add additional filters.

      You can add filters only from the Add Time-Based Criteria.

    3. Select the attributes and operator:
      • Available attribute values: lastVMScanDate, updated, and lastCompiledScanDate.
      • Available operators: OLDER THAN and IN LAST.
    4. Select the value from the third column based on the attribute and operator you selected.
    5. Click the Add icon to add multiple attributes.

    Example: [Screenshot: Asset scope selection option 3]

    See the example of the Time-Based criteria. You can choose to enter the time in Days or Hours. You can select the IS NULL operator for the lastVMScanDate attribute to purge assets that are not scanned by VM.

    [Screenshot: Time Based Purge Criteria]

    Add EASM Based Criteria

    1. Select the attribute, operator, and Input to identify assets you want to purge.
      • Available attribute values: Profile Name, Domain/Subdomain, IP/Netblock, First EASM Scan Date, and Last EASM Scan Date.
      • Available operators: IN, OLDER THAN, and IN LAST.
    2. Click the Add icon to add multiple attributes.

      You cannot add other purge criteria with the Add EASM Based criteria.

    Example: [Screenshot: Asset Purge - EASM Based Criteria Example]

    Add Other Sources Criteria

    Important to Know Before You Begin!

    Consider the following purge scenarios for third-party assets discovered by Webhook, ServiceNow, and Active Directory connectors:

    • If the asset type is a managed asset discovered by any third-party connector sources mentioned earlier, then only the third-party connector data is deleted; the asset is not purged.
    • If the asset is solely a third-party connector asset, which is an unmanaged asset, it gets purged if it satisfies the third-party connector purge rule. However, if multiple connector sources discover the same asset, only the respective connector data for which the purge rule is created gets purged. The asset gets deleted only when all connector data for all the different connector sources gets deleted.

    1. Select the required source, such as a Third-Party Connector source, and then select the required connector source. Active Directory, Service Now, and WebHook are available connector sources.

      Besides the Third-Party Connector source, Cloud Agent as Passive Sensor and Passive Sensor sources are also available.

    2. Select the attributes and operator.

      The available attribute values are Connector Name, Connector ID, Last Seen, and First Seen.
      The available operators for First Seen and Last Seen are OLDER THAN and IN LAST; the available operator for Connector Name and Connector ID is IN.

    3. Select or enter the value in the third column based on the attribute and operator you selected.
      • Select the value from the third column for the Connector Name and Connector ID attributes.
      • Enter the value for First Seen and Last Seen attributes.

      You cannot add other purge criteria with the Add Other Sources criteria.

  5. Click Next.
  6. On the Settings page, enter the following details and click Next.
    1. Set the asset purge limit in the Asset Limit field. If the rule selects more assets than the set limit, the assets are not purged.
    2. Select whether you want to Re-provision the agent or Uninstall the agent.

    By default, Re-provision the agent is selected, and as a result, the agent creates a new asset. If you select Uninstall the agent, the agent is uninstalled from the host. 

  7. Review and confirm your selections.

  8. Click Finish to save the purge rule.

    A confirmation message is shown.

  9. Select the Save my purge rule checkbox, and click Confirm.

Asset Purge Rules Behavior

You can configure purge rules to automatically delete assets based on a duration you specify, either in days or hours.

Purge Rules with Duration in Days

When you set the purge condition in days, the system evaluates the asset’s age using complete days only. This means that, if you configure the rule to purge assets older than n days, the system removes assets that are older than n+1 days.

Example:

  • Rule created on: 31 July 2025
  • Criteria:
    • Attribute: lastCheckedIn
    • Operator: Older Than
    • Days: 5

In this example, all assets older than 6 full days will be purged (older than 26 July 2025). For instance, an asset that is 5 days and 3 hours old will not be deleted until it exceeds 6 days from the day the rule was created.

Purge Rules with Duration in Hours

When you set the purge condition in hours, the system uses the exact time, down to the hour, minute, and second. This means that, if you configure the rule to purge assets Older than n hours, the system deletes assets as soon as they exceed that precise duration from the time the rule was created or last updated.

Example:

  • Rule created on: 31 July 2025 at 12:00 PM
  • Criteria:
    • Attribute: created or updated
    • Operator: Older Than
    • Duration: 24 hours

In this example, all assets older than 24 hours from 12:00 PM on 31 July will be deleted (older than 30 July 12:00 PM).
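
The day and hour cutoffs described above, together with the Asset Limit check from the Settings step, as an added example (not product code) for previewing what a rule would select from exported inventory data. The function names, the sample assets, the UTC timestamps, and the start-of-day reading of the day-based cutoff are assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def cutoff(reference, amount, unit):
    """Timestamp before which an asset matches OLDER THAN <amount> <unit>."""
    if unit == "hours":
        # Hours: exact comparison, down to the second.
        return reference - timedelta(hours=amount)
    if unit == "days":
        # Days: complete days only. Assumed reading of the page's example:
        # compare against the start of the day (reference date minus n days).
        day = (reference - timedelta(days=amount)).date()
        return datetime(day.year, day.month, day.day, tzinfo=reference.tzinfo)
    raise ValueError(f"unknown unit: {unit!r}")

def preview_purge(assets, attribute, amount, unit, reference, asset_limit):
    """Return (matched_names, purge_runs) for an OLDER THAN criterion.

    Assumption: an asset with no value for the attribute never matches.
    Per the Asset Limit setting, nothing is purged if matches exceed the limit.
    """
    limit = cutoff(reference, amount, unit)
    matched = [a["name"] for a in assets
               if a.get(attribute) is not None and a[attribute] < limit]
    return matched, len(matched) <= asset_limit

# Constructed sample inventory (hypothetical names); timestamps assumed UTC.
RULE_CREATED = datetime(2025, 7, 31, 12, 0, tzinfo=UTC)
ASSETS = [
    {"name": "web-01", "updated": datetime(2025, 7, 26, 9, 0, tzinfo=UTC)},
    {"name": "db-02", "updated": datetime(2025, 7, 25, 23, 0, tzinfo=UTC)},
    {"name": "old-03", "updated": datetime(2025, 7, 1, 0, 0, tzinfo=UTC)},
    {"name": "new-04", "updated": None},
]

if __name__ == "__main__":
    # The same nominal window, expressed as 5 days and as 120 hours.
    for amount, unit in ((5, "days"), (120, "hours")):
        matched, runs = preview_purge(ASSETS, "updated", amount, unit,
                                      RULE_CREATED, asset_limit=2)
        print(f"{amount} {unit}: {matched} ->",
              "purged" if runs else "limit exceeded, nothing purged")
```

With the constructed data, the 5-day rule selects two assets, while the 120-hour rule also selects web-01, exceeds the limit of 2, and therefore purges nothing.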

Available Purge Criteria and Interval Duration

The table below lists the attributes that use the interval: Days.

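| Criteria          | Attribute              | Interval Type |
|-------------------|------------------------|---------------|
| Cloud Agent-Based | lastCheckedIn          | Days          |
| Cloud Agent-Based | lastActivity           | Days          |
| EASM-Based        | First EASM Scan Date   | Days          |
| EASM-Based        | Last EASM Scan Date    | Days          |
| Time-Based        | lastVMScanDate         | Days          |
| Time-Based        | lastComplianceScanDate | Days          |
| Time-Based        | Updated                | Days          |
| Time-Based        | Created                | Days          |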

The table below lists the attributes that use the interval: Hours.

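| Criteria   | Attribute              | Interval Type |
|------------|------------------------|---------------|
| Time-Based | lastVMScanDate         | Hours         |
| Time-Based | lastComplianceScanDate | Hours         |
| Time-Based | created                | Hours         |
| Time-Based | updated                | Hours         |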

Good to Know!

You can edit, delete, enable, or disable the purge rule from the Quick Actions menu. You can also download the purge rule execution report.
