Effective risk remediation is about focusing on what matters most to your organization. To keep your lists of assets and vulnerabilities as fresh and as relevant as possible and to minimize false positives, Vulcan automatically removes assets that are presumed to be retired or inactive and represent no risk to your organization.
Configuring inactive asset removal
Vulcan allows you to control how and when an asset is presumed inactive and can thus be removed from the system. There are 2 controls to configure:
How long after the last touchpoint the asset can be considered inactive?
This represents the configuration of the number of days Vulcan will wait before removing an asset after its last touchpoint. If your scan cycles are less frequent and you want to keep assets around for longer periods of time, pick a higher number of days, for example, 90.
If you scan multiple times a day with total coverage and you want assets to be removed as soon as they are missing from a scan, put a very low value in the text box, like 1.
The asset's last touchpoint is defined as the Last Seen time ingested from the native tool if available, or the latest sync time into Vulcan if Last Seen isn't available to ingest from the connector.
Inactivity on assets that are merged between 2 or more sources
When an asset is comprised of 2 or more sources merged together, the inactivity configuration applies to each source separately. For example, if an asset is comprised of the sources Qualys, AWS and ServiceNow, and the following is true:
1 day ago
2 days ago
15 days ago
If our inactivity configuration is, for instance, 14 days, that would cause the ServiceNow asset information to be detached from our asset above and get removed from the platform. The Qualys and AWS information would remain as is, of course.
Should terminated assets be removed immediately?
Connectors that communicate with the asset through an agent may report back to Vulcan that the asset is Terminated. This means that it is shut down or otherwise decommissioned. If you want assets that are terminated to be removed immediately, flip the switch to the ON position. If you prefer to wait until the normal inactivity time explained in the previous section is elapsed, flip the switch to the OFF position.