How do I remove Inactive/Decommissioned Assets from Kenna?

Automatically Inactivating Assets

Asset persist in Kenna even after we are no longer receiving new vulnerability information about those assets from your scanner. To remove decommissioned assets risk scoring and fix information, they must be set to "inactive" in Kenna. Inactive assets are removed from Risk Meter scoring, will not appear in any default reporting, and will not appear in any fix asset lists.

In order to automatically have assets set to inactive select Asset Settings from main menu. 

 

 

Kenna will use the scanner data to determine when an asset was last seen. After an asset has exceeded the inactivity limit that you choose in Asset Settings, Kenna will automatically set the asset to inactive. If you scan weekly, a 30 day inactivity limit may be appropriate. If you scan quarterly, the limit would need to be set higher. 

 

 

If an asset appears in scan data after it has been set to inactive, Kenna will set the Asset back to active and it will reappear in all other areas of Kenna reporting and processing. A nightly job runs which compares the last seen dates on Assets and flips them to active or inactive to meet the rule set in Asset Settings. Using this feature will help ensure that the risk picture portrayed by your Risk Meters is accurate and up-to-date. 

 

Manually Inactivating Assets

If you choose not to use the automatic Asset Setting feature, you can still find inactive assets in the environment and set them to inactive manually. 

NOTE: Updating an Asset status manually will completely remove that Asset from the automated processing described above. Recently seen Assets will stay inactive and old assets will stay active past the Asset Settings if manually set. 

Example:

  1. Perform a text search of asset_last_seen:<now-90d to find all assets that have not been seen in the last 90 days
  2. Select the checkbox in the far upper-left of the Assets table
  3. Click the "Apply to all assets matching this criteria?" link to allow for bulk operations on all results
  4. Click the "Inactive" button to the upper-right of the Assets table

This will bulk-deactivate all assets matching the above "last seen" query.

To check the validity of Assets status for manually set Assets, you can create several risk meters to monitor status:

  1. Assets that should be Active: Asset status "inactive". Search query = asset_last_seen:>now-7d
  2. Assets that should be Inactive: Asset status "active". Search query = asset_last_seen:<now-31d (days should be Asset Setting +1)

Risk meters will be 0 if all automated processing is working as expected.

Powered by Zendesk