Effective risk remediation is about focusing on what matters most to your organization. To keep your lists of assets and vulnerabilities as fresh and as relevant as possible and to minimize false positives, Vulcan automatically removes assets that are presumed to be retired or inactive and that represent no risk to your organization.
Configuring inactive asset removal
Important: inactivity is currently only supported on Host type assets.
Vulcan allows you to control how and when a host is presumed inactive and can thus be removed from the system. There are 2 controls to configure:
How long after the last touchpoint with the host can it be considered inactive?
This setting is the number of days Vulcan will wait before removing a host after its last touchpoint. If your scan cycles are less frequent and you want to keep assets around for longer periods of time, pick a higher number of days, for example, 90.
If you scan multiple times a day with total coverage and you want hosts to be removed as soon as they are missing from a scan, put a very low value in the text box, like 1.
The host's last touchpoint is defined as the Last Seen time ingested from the native tool if available, or the latest sync time into Vulcan if Last Seen isn't available to ingest from the connector.
Inactivity on hosts that are merged between 2 or more sources
When a host is composed of 2 or more sources merged together, the inactivity configuration applies to each source separately. For example, if a host is composed of the sources Qualys, AWS and ServiceNow, and the following is true:
Qualys: last touchpoint 1 day ago
AWS: last touchpoint 2 days ago
ServiceNow: last touchpoint 15 days ago
If our inactivity configuration is, for instance, 14 days, that would cause the ServiceNow host information to be detached from our host above and get removed from the platform. The Qualys and AWS information would remain as is, of course.
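To preview what a given inactivity window would detach before changing the setting, the code below models the per-source rule and the Last Seen fallback described above. It is an added illustration, not Vulcan's own code. The SourceRecord class, the function names, the sample timestamps, the strict "older than the window" comparison and the rule that a host disappears once no source remains are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class SourceRecord:
    connector: str
    last_sync: datetime                    # latest sync time into the platform
    last_seen: Optional[datetime] = None   # Last Seen from the native tool, if ingested

    def last_touchpoint(self) -> datetime:
        # Last Seen wins when the connector provides it; otherwise use the sync time.
        return self.last_seen if self.last_seen is not None else self.last_sync


def evaluate_host(sources, inactivity_days, now):
    """Split a merged host's sources into (kept, detached) connector names."""
    window = timedelta(days=inactivity_days)
    kept, detached = [], []
    for src in sources:
        # Assumption: a source counts as inactive once its age exceeds the window.
        stale = now - src.last_touchpoint() > window
        (detached if stale else kept).append(src.connector)
    return kept, detached


def host_removed(sources, inactivity_days, now):
    # Assumption: the host itself is removed only when no source remains attached.
    kept, _ = evaluate_host(sources, inactivity_days, now)
    return not kept


# Constructed sample data following the Qualys / AWS / ServiceNow example.
NOW = datetime(2024, 1, 31, 12, 0)
HOST = [
    SourceRecord("Qualys", last_sync=NOW, last_seen=NOW - timedelta(days=1)),
    SourceRecord("AWS", last_sync=NOW - timedelta(days=2)),  # no Last Seen: sync time is used
    # Synced today, but the native tool last saw the host 15 days ago.
    SourceRecord("ServiceNow", last_sync=NOW, last_seen=NOW - timedelta(days=15)),
]

if __name__ == "__main__":
    for days in (1, 14, 90):
        kept, detached = evaluate_host(HOST, days, NOW)
        gone = host_removed(HOST, days, NOW)
        print(f"{days:>2} days: keep {kept}, detach {detached}, host removed: {gone}")
```

The ServiceNow record shows why a recent sync does not keep a source alive: when Last Seen is ingested, it is the value compared against the window.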
Should Terminated hosts be removed immediately?
Connectors that communicate with the host through an agent may report back to Vulcan that the host is Terminated. This means that it is shut down or otherwise decommissioned. If you want hosts that are Terminated to be removed immediately, flip the switch to the ON position. If you prefer to wait until the normal inactivity time explained in the previous section has elapsed, flip the switch to the OFF position.
Removing hosts immediately when they are Terminated is only supported for the following connectors: