Assets might persist in Cisco Vulnerability Management even after Cisco Vulnerability Management is no longer receiving new vulnerability information about them from your connector. To remove decommissioned assets' risk scoring and fix information, the assets must be set to "inactive" in Cisco Vulnerability Management. Inactive assets are removed from Risk Meter scoring, will not appear in any default reporting, and will not appear in any fix asset lists. Inactive assets will eventually be purged based on your Asset Purge Period Setting.
You can choose to set asset inactivity limits globally or at the connector-level.
Important Notes
- Connector-level asset inactivity limits take precedence over globally set limits.
- When an asset is associated with multiple connectors, the greatest limit is used.
- When no connector-level limits are set, the default is set to the global limits.
- Connector runs change the last seen time, which changes the expiration date.
- The following are methods used to change Asset Inactivity Limits:
  - Direct API updates
  - User Interface update of limits from the Asset Setting menu (global) or a specific connector
  - Removal of a connector with a set limit
  - Manual updates to asset statuses
Set the Global Asset Inactivity
1. To automatically have assets set to inactive, in the Settings menu, select Asset Settings.
2. Click Update Settings.
3. Select your Asset Inactivity Limit and Asset Purge Period.
4. Click Save.
Cisco Vulnerability Management uses the connector data to determine when an asset was last seen. After an asset has exceeded the inactivity limit that you choose in Asset Settings, Cisco Vulnerability Management will automatically set the asset status to inactive. You can choose 30, 90, 180, or a custom number of days. 30 days is the most common setting across Cisco Vulnerability Management clients.
Tip: When you choose a value for this system-wide rule, you are balancing two goals: removing truly decommissioned assets so that they do not inaccurately inflate the risk scores, and not removing assets that legitimately exist but might have been missed by a scan, which in effect hides risk.
A good general rule of thumb: (Scanning Frequency x 2) + 1.
If you scan weekly: (7 x 2) + 1 = 15 days.
If an asset appears in scan data after it has been set to inactive, Cisco Vulnerability Management sets the Asset back to active and it will reappear in all other areas of Cisco Vulnerability Management reporting and processing. A nightly job runs, which compares the last seen dates on assets and sets them to active or inactive to meet the rule set in Asset Settings. Using this feature helps ensure that the risk picture that your Risk Meter portrays is accurate and up-to-date.
Set the Connector-Level Asset Inactivity Limit
Similar to globally set asset inactivity limits, the connector-level asset inactivity limits use last seen time plus your set inactivity time in days to evaluate the expiration date.
1. To automatically have assets set to inactive, navigate to the specific connector you want to update.
2. Enter the number of days in the Asset Inactivity Limit (days) field, then click Save And Verify.
Once the new limit is applied, you should see the new expiration date under individual assets.
Manually Change Asset to Inactive
If you choose not to use the automatic Asset Setting feature, you can still find active assets in the environment and set them to inactive manually.
Note: Updating an Asset status manually will completely remove that asset from the automated processing described above. Recently seen assets will stay inactive and old assets will stay active past the Asset Settings if they are manually set.
For example:
- Perform a text search of asset_last_seen:<now-90d to find all assets that have not been seen in the last 90 days.
- Select the checkbox in the far upper-left of the Assets table.
- Click the Apply to all assets matching this criteria? link to allow for bulk operations on all results.
- Click Inactive in the upper-right of the Assets table.
This will bulk-deactivate all assets matching the above "last seen" query.
To check the validity of Assets status for manually set Assets, you can create several risk meters to monitor status:
1. Assets that should be Active: Asset status "inactive". Search query = asset_last_seen:>now-7d
2. Assets that should be Inactive: Asset status "active". Search query = asset_last_seen:<now-31d (days should be Asset Setting +1)
Risk meters will be 0 if all automated processing is working as expected.
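The precedence rules, the expiration calculation, and the status check described on this page can be modeled offline. The following is an added example, not Cisco's code and not a call to the product API; the asset records, field names, and the choice to ignore connectors that have no limit when another connector has one are assumptions made for illustration.

```python
from datetime import datetime, timedelta

GLOBAL_LIMIT_DAYS = 30  # constructed global Asset Inactivity Limit

def recommended_limit(scan_interval_days):
    """Rule of thumb from the page: (scanning frequency x 2) + 1."""
    return scan_interval_days * 2 + 1

def effective_limit(connector_limits, global_limit=GLOBAL_LIMIT_DAYS):
    """Connector-level limits win over the global one; the greatest connector limit is used.
    Assumption: connectors with no limit (None) are ignored when another connector has one."""
    set_limits = [d for d in connector_limits if d is not None]
    return max(set_limits) if set_limits else global_limit

def expiration(asset):
    """Expiration date = last seen time + effective inactivity limit in days."""
    return asset["last_seen"] + timedelta(days=effective_limit(asset["connector_limits"]))

def expected_status(asset, now):
    """Status the automated processing should yield; manually set assets are left alone."""
    if asset.get("manual_status"):
        return asset["manual_status"]
    return "inactive" if now > expiration(asset) else "active"

def drifted(assets, now):
    """Names of assets whose recorded status disagrees with the rules (should be empty)."""
    return [a["name"] for a in assets if a["status"] != expected_status(a, now)]

# Constructed sample inventory (hypothetical names and dates, not real data).
NOW = datetime(2024, 6, 30)
ASSETS = [
    {"name": "web-01", "last_seen": datetime(2024, 6, 25),
     "connector_limits": [None], "status": "active"},
    {"name": "db-02", "last_seen": datetime(2024, 5, 1),
     "connector_limits": [15, 90], "status": "active"},      # greatest limit (90) applies
    {"name": "old-03", "last_seen": datetime(2024, 5, 1),
     "connector_limits": [None], "status": "active"},        # past the global limit
    {"name": "lab-04", "last_seen": datetime(2024, 6, 29),
     "connector_limits": [15], "status": "inactive", "manual_status": "inactive"},
]

if __name__ == "__main__":
    print("weekly scans -> suggested limit:", recommended_limit(7), "days")
    for a in ASSETS:
        print(a["name"], expiration(a).date(), expected_status(a, NOW))
    print("status drift:", drifted(ASSETS, NOW))
```

A non-empty drift list corresponds to a non-zero risk meter in the two validity checks above.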