Assets may persist in Cisco Vulnerability Management even after we are no longer receiving new vulnerability information about them from your connector. To remove decommissioned assets' risk scoring and fix information, they must be set to "inactive" in Cisco Vulnerability Management. Inactive assets are removed from Risk Meter scoring, will not appear in any default reporting, and will not appear in any fix asset lists. Inactive assets will eventually be purged based on your Asset Purge Period Setting.
You can choose to set asset inactivity limits globally or at the connector-level.
Important to Note
Connector-level asset inactivity limits take precedence over globally set limits
When an asset is associated with multiple connectors, the greatest limit is used.
When no connector-level limits are set, the default is set to the global limits.
Connector runs change the last seen time, which change the expiration date
The following are methods of change Asset Inactivity Limits:
Direct API updates
User Interface update of limits from Asset Setting menu (global) or a specific connector
Removal of a connector with a set limit
Manual updates to asset statuses
Global Asset Inactivity Limit Setting
To automatically have assets set to inactive, select Asset Settings from main menu.
Cisco Vulnerability Management uses the connector data to determine when an asset was last seen. After an asset has exceeded the inactivity limit that you choose in Asset Settings, Cisco Vulnerability Management will automatically set the asset status to inactive. You can choose 30, 90, 180, or a custom number of days. 30 days is the most common setting across Cisco Vulnerability Management clients.
Tip: In choosing a value for this system-wide rule, one is trying to achieve a balance between: 1. removing truly decommissioned assets so that they do not inaccurately inflate risk scores without 2. removing assets that legitimately exist but may have been missed by a scan in affect hiding risk.
A good general rule of thumb: Scanning Frequency X 2 + 1.
If you scan weekly: (7 x 2) + 1 = 15 days.
If an asset appears in scan data after it has been set to inactive, Cisco Vulnerability Management sets the Asset back to active and it will reappear in all other areas of Cisco Vulnerability Management reporting and processing. A nightly job runs, which compares the last seen dates on Assets and sets them to active or inactive to meet the rule set in Asset Settings. Using this feature helps ensure that the risk picture portrayed by your Risk Meters is accurate and up-to-date.
Connector-Level Asset Inactivity Limit Setting
Similar to globally set asset inactivity limits, the connector-level asset inactivity limits use last seen time plus your set inactivity time in days to evaluate the expiration date.
To automatically have assets set to inactive, navigate to the specific connector you wish to update.
Enter the number of days in the Asset Inactivity Limit (days) field, then click Save And Verify.
Once the new limit is applied, you should see the new expiration date under individual assets.
Manually Inactivating Assets
If you choose not to use the automatic Asset Setting feature, you can still find active assets in the environment and set them to inactive manually.
Note: Updating an Asset status manually will completely remove that Asset from the automated processing described above. Recently seen Assets will stay inactive and old assets will stay active past the Asset Settings if manually set.
- Perform a text search of asset_last_seen:<now-90d to find all assets that have not been seen in the last 90 days.
- Select the checkbox in the far upper-left of the Assets table.
- Click Apply to all assets matching this criteria? link to allow for bulk operations on all results.
- Click Inactive in the upper-right of the Assets table.
This will bulk-deactivate all assets matching the above "last seen" query.
To check the validity of Assets status for manually set Assets, you can create several risk meters to monitor status:
- Assets that should be Active: Asset status "inactive". Search query = asset_last_seen:>now-7d
- Assets that should be Inactive: Asset status "active". Search query = asset_last_seen:<now-31d (days should be Asset Setting +1)
Risk meters will be 0 if all automated processing is working as expected.