Adapter Configuration: Ignoring & Deleting Devices
If you have configured an adapter in Axonius, you have likely stumbled upon the configuration settings depicted in the screenshot below. These fields, located in the "Advanced Settings" for every adapter in Axonius, are:
- Ignore devices that have not been seen by the source in the last X hours
- Delete devices that have not been returned from the source in the last X hours
The goal of this article is to:
- explain what these settings do
- respond to frequently asked questions related to these settings
What Do These Settings Do?
"Ignore devices that have not been seen by the source in the last X hours"
If a value is supplied in this field, all connections for the adapter will only fetch device information if that device has been "seen" by the data source within the last specified number of hours. For example, if a value of 2160 is entered, only devices seen in the last 2160 hours (90 days) will be pulled into Axonius. If no value is supplied in this field, all connections for the adapter will fetch all device information that the API user has access to.
"Delete devices that have not been returned from the source in the last X hours"
If a value is supplied in this field, all connections for the adapter will delete device data fetched from the source if the device has not been fetched from the data source in the last specified number of hours. Only the information fetched from that data source will be deleted.
For example, if a value of 48 is entered, a device entity will be deleted from Axonius if it has not been fetched from the source in the last 48 hours. If no value is supplied, all connections for the adapter will never delete device information from Axonius.
Frequently Asked Questions
What is recommended for these adapter settings?
As a general rule of thumb, it is recommended to leave the Ignore and Delete settings at their default values of 2160 hours (90 days) and 48 hours (2 days), respectively. However, the frequency of the adapter's fetch must be taken into consideration when determining the value for the "Delete" field. It is recommended that the value for this setting be twice the amount of time between discovery cycles, at a minimum. For example, if an adapter is configured to fetch every 48 hours (2 days), then the value for the "Delete" setting should be no less than 96 hours. This allows at least 2 discovery cycles to complete before Axonius will purge devices from the database.
Note: It is not recommended to ever set the "Delete" value to less than 24 hours, regardless of the adapter fetch intervals.
What are the benefits of keeping the default values for the "Ignore" setting?
At most organizations, 90 days of historical data is required to maintain a comprehensive and reliable device inventory. This is particularly true in the context of security coverage. For example, most security teams would want to know if workstations have been seen on the network in the last 90 days and did not have required AV agents installed.
What are the benefits of keeping the default values for the "Delete" setting?
Keeping the "Delete" value at a minimum of 48 hours helps protect against unintentional device "cleans" from Axonius which are caused by adapter connection issues and fetch failures. Credential changes or API timeouts are examples of common unforeseen issues that may inadvertently "start the clock" for a device clean. If an adapter fails to fetch for less than 48 hours, there is not much time for human intervention to resolve the issue before device information from the affected data source is deleted from Axonius.
Additionally, one of the fundamental benefits that Axonius provides is device aggregation and correlation. If devices are removed from a data source, then there is no longer device information to aggregate and correlate, so why hold onto this data for more than 48 hours? Additional resources are needed to maintain the database, reporting may become inaccurate, and device data will become "noisy".
What are the risks of setting the "Delete" value too low?
The main risk is unintentionally purging device information from Axonius due to adapter connection issues. See the above section 'What are the benefits of keeping the default values for the "Delete" setting?' for more details.
How long does it take for a device to be removed from Axonius with the default settings?
It will take 92 days for Axonius to purge a device entity from the database if the device has not been seen by the data source in 90 days. After 90 days, Axonius will ignore the device during the API call and the clock is started to determine when to delete the device from Axonius. After 2 additional days (48 hours) of ignoring this device, i.e. the device is not returned by the data source, the device will be purged from the Axonius database.
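The 92-day timeline above, and the fetch-failure risk described under the benefits of the default "Delete" value, can be reproduced with a small model. This is an added example, not Axonius code: the function name, its parameters, and the assumption that the delete window is evaluated at each discovery cycle are illustrative.

```python
# Added example: simplified model of the "Ignore" and "Delete" clocks.
# Not Axonius code; the evaluation order per cycle is an assumption.

def purge_hour(fetch_interval, delete_hours, ignore_hours=None,
               device_last_seen=None, outage=None, horizon=24 * 120):
    """Return the hour at which the delete window expires, or None.

    fetch_interval   hours between discovery cycles (first fetch at hour 0)
    delete_hours     "Delete" setting; None means never delete
    ignore_hours     "Ignore" setting; None means never ignore
    device_last_seen hour the source last saw the device; None = still active
    outage           (start, end) hours during which every fetch fails
    """
    last_returned = None
    for t in range(0, horizon + 1, fetch_interval):
        # Delete clock: time since the device was last pulled into inventory.
        if (delete_hours is not None and last_returned is not None
                and t - last_returned > delete_hours):
            return last_returned + delete_hours
        failed = outage is not None and outage[0] <= t < outage[1]
        # Ignore clock: age of the source's own "Last Seen" value.
        seen_at = t if device_last_seen is None else min(t, device_last_seen)
        ignored = ignore_hours is not None and t - seen_at > ignore_hours
        if not failed and not ignored:
            last_returned = t
    return None


if __name__ == "__main__":
    # Defaults (12 h fetch, Ignore 2160, Delete 48); device goes quiet at hour 0.
    hour = purge_hour(12, 48, ignore_hours=2160, device_last_seen=0)
    print("stale device purged after", hour / 24, "days")
    # Constructed outage: fetches fail from hour 100 to hour 140.
    for delete in (24, 48):
        result = purge_hour(12, delete, outage=(100, 140))
        print(f"Delete={delete}h, 40h outage -> purged at hour {result}")
```

In this model an active device survives the 40-hour outage with the default 48-hour "Delete" value but is purged at hour 120 when the value is lowered to 24.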
How does Axonius define the "Last Seen" value?
Generally speaking, the "Last Seen" value for any device is the most recent time that a device communicated with its management platform. For example, the Last Seen value for an AV agent may be the most recent time that the agent checked in with the management console. The fields that are used to determine the Last Seen value depend on the adapter. There may be one or more fields included in a logical expression that determines the Last Seen value. If you have questions about how a Last Seen value is determined for a specific adapter, please contact your Technical Account Manager or support@axonius.com for more information.
What if a device does not have a "Last Seen" value?
If a device does not have a Last Seen value, Axonius will not be able to "Ignore" the device per the adapter configuration. However, if a device without a Last Seen value is deleted from its data source, the device will still be removed from Axonius per the "Delete" setting in the adapter configuration.
If you see devices that are missing values for the Last Seen field, please contact your Technical Account Manager or support@axonius.com for more information.
Will lowering the threshold to ignore devices help me keep my inventory close to "real time"?
No. When you think of "real time" data, do not think about the "Ignore" and "Delete" settings. Instead, think of the frequency of your adapter fetches. By default, Axonius fetches asset information from the adapters every 12 hours via the Global Discovery. If you are interested in pulling device information into Axonius more frequently, then set the desired adapter to a custom schedule to fetch more frequently. Before setting an adapter on a custom discovery cycle, first look at the time it takes for a complete fetch (all connections) to finish for this adapter. If the average fetch duration is 6 hours, do not configure the adapter to fetch at 6 hour intervals or less.
Additional suggestions
- Modify scoping/base queries in Axonius to include a row for "Last Seen" to scope result sets to include more recent data
- Enable Notification Settings to be alerted by email when there are adapter issues
If you have any questions related to this topic, or suggestions based on specific environmental conditions, please share! Any questions can be incorporated into an updated version of this article.