Does anyone know how to automatically clear stale assets from InsightVM?

Hi,
I’m finding that I need to manually remove stale assets. Anyone know of a way to automate the removal process?
Please help :smiley:
Tom

There’s a few ways of doing that depending on what you want to achieve. If you’re getting rid of duplicates, like you have one from agent scans and another from discovery scans, the network names could have something like the domain appended to the end that you could use to get rid of them. There’s also a workflow template for InsightConnect, if you have it, which automates removal of assets when disabled in AD. If you mean stale devices as in not seen in X number of days, you can parse the time the asset was last seen from MECM logs or make a LEQL query grouped by timestamp and remove devices not seen for your definition of stale. If you’re talking about devices with stale agent connections, they should drop off automatically based on your settings.
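One way to script the "not seen in X days" approach from this reply, as an added example that is not from the thread or from Rapid7. It assumes the InsightVM API v3 endpoints GET /api/3/assets (whose asset records carry a `history` list of dated scan and agent-import entries) and DELETE /api/3/assets/{id}, works on constructed sample records, and defaults to a dry run.

```python
import base64
import urllib.request
from datetime import datetime, timedelta, timezone

def parse_ts(s):
    """Parse the API's ISO 8601 UTC timestamps (e.g. 2024-05-01T10:00:00Z)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def last_seen(asset):
    """Most recent history entry (scan or agent import) for one asset record."""
    dates = [parse_ts(h["date"]) for h in asset.get("history", [])]
    return max(dates) if dates else None

def stale_assets(assets, days, now_iso=None):
    """Ids of assets not seen for more than `days` days (assets with no
    history at all are included, since they can never become current)."""
    now = parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days)
    return [a["id"] for a in assets
            if (seen := last_seen(a)) is None or seen < cutoff]

def delete_assets(console_url, user, password, asset_ids, dry_run=True):
    """DELETE /api/3/assets/{id} for each id (assumed endpoint). Keep
    dry_run=True until the candidate list looks right: a deleted asset that
    reports in again gets a new asset_id, so its earlier history is gone."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    deleted = []
    for aid in asset_ids:
        if dry_run:
            print(f"would delete asset {aid}")
            continue
        req = urllib.request.Request(f"{console_url}/api/3/assets/{aid}",
                                     method="DELETE",
                                     headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req):  # raises HTTPError on non-2xx
            deleted.append(aid)
    return deleted

# Constructed sample records in the shape of GET /api/3/assets "resources"
SAMPLE_ASSETS = [
    {"id": 100, "hostName": "ws01",
     "history": [{"date": "2024-05-01T10:00:00Z", "type": "SCAN"}]},
    {"id": 101, "hostName": "ws02",
     "history": [{"date": "2024-04-01T00:00:00Z", "type": "SCAN"},
                 {"date": "2024-05-20T09:30:00Z", "type": "AGENT-IMPORT"}]},
    {"id": 102, "hostName": "ws03", "history": []},
]

if __name__ == "__main__":
    # 30-day threshold as used later in the thread; ws02 checked in on May 20 and stays
    print(stale_assets(SAMPLE_ASSETS, 30, "2024-06-01T00:00:00Z"))  # [100, 102]
```

Page through GET /api/3/assets to build the `assets` list in a real run, and review the dry-run output before flipping `dry_run` off.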

There are a few different settings to help with this.
First, this is a great video on setting up some Asset Groups to Tag these

Second, you can set your database maintenance retention
https://docs.rapid7.com/insightvm/database-backuprestore-and-data-retention/#task-4-update-data-retention-settings

So that article is actually from 2017 and I would not suggest tagging stale assets or anything like that. Instead just set your data retention settings in the administration page.

https://docs.rapid7.com/insightvm/database-backuprestore-and-data-retention/#configure-data-retention-settings

Typically speaking, I set the last two values to 1 month so that if an asset is stale for more than 30 days it’s automatically deleted from the console. You can of course change those numbers to whatever you like to suit your needs.


Default should be 30 days. It can be lowered but when testing I found that anything deleted from platform/console would need to be linked again. I probably wouldn’t go below 15 days since some people might go on a two week vacation or have health issues that long and you wouldn’t want their machines dropping out of the system and unmanaged.

So when those users’ computers come back online, won’t they report/recommission back to the console?
By linking again, do you mean that we will need to repair/reinstall the Insight Agent?

I could be getting confused with Tenable but I’m pretty sure that’s the case. I would still stay in the 15-30 range regardless. And always good to monitor the automated discovery scans to make sure things don’t fall through the cracks.

If the agent or asset has not been scanned in that time (15 days in your example) then the asset gets deleted from the console. In the case of the agent, it does not remove the agent from the machine.

When that computer comes back online, the agent will report in to the platform again and send that info down to the console, same as if it was just an asset getting scanned. What changes is the asset_id for that asset. So essentially it may have previously been asset_id 100 or something; if no other systems are added in the time between it getting deleted and re-added, it would come back in automatically but with a new asset_id of 101, for example. So when trying to run a historical report on that asset you would only be able to go as far back as when that asset came back online.