Remove assets - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation
Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-03-17
Category
Administrator Guide
Abstract

Remove ASM assets from your inventory through the Cortex XSIAM UI.

You can remove assets from your inventory by submitting an asset removal request, in the form of a CSV file, through the Cortex XSIAM UI. After you've submitted an asset removal request, the requested assets appear in the Asset Uploads/Removal table with the status Removed. Within 24 hours of submitting the request, Cortex XSIAM will remove the assets from the inventory and remove associated alerts, incidents, and services,

Guidelines and restrictions for asset removals

Before you submit an asset removal request, familiarize yourself with the following guidelines and restrictions:

  • You can remove domains (paid-level domains and subdomains), certificates, and IPv4 ranges. Removal of IPv6 ranges is not supported.

  • The asset removal request CSV file must be less than 2 MB.

  • You cannot remove an asset that was uploaded in a previous upload request. This will cause an error that must be fixed before you can submit the upload request.

  • When you remove a paid-level domain, related subdomains are also removed.

  • When you remove an IPv4 range, the individual IPv4 addresses in that range are also removed.

  • You can undo a removal request, which will result in the asset being added back to your inventory. See Undo an asset removal for more information.

  • Removing assets will not result in a reduction to your contract price. Contract pricing will be reevaluated at the time of contract renewal.

Note

If an asset removal request has an incorrectly formatted CSV or includes one or more invalid assets, the entire request will fail, and none of the assets will be removed. If this happens, Cortex XSIAM will display an error message indicating what caused the error, so you can fix the problem and resubmit if you choose.

How to submit an asset removal request

An asset removal request is a CSV file that lists all the assets you want to remove from your inventory. It is important that the data and formatting of the CSV file are correct, or the entire request might be rejected.

  1. Create and save a CSV file that lists the assets you want to remove from your inventory. Be sure to provide the correct asset information and follow the formatting requirements described in CSV format for removal requests.

  2. Navigate to SettingsConfigurationsAsset ManagementAsset Uploads/Removals.

  3. Click on the Asset Upload/Removal button and select Remove Asset(s).

  4. Drag and drop or browse to your CSV file to upload it to Cortex XSIAM.

    As soon as the file has been successfully uploaded, the assets will appear in the Asset Uploads/Removals table with the status Removed. Within 24 hours, the assets will be removed from the inventory and related incidents, alerts, and services will also be removed.

CSV format for asset removal requests

An asset removal request is a CSV file that lists the assets you want to remove from the inventory. It is important to format the CSV file to match the following requirements. Incorrect formatting or typos may cause the upload to fail.

Remove request example

This example shows the correct CSV format for an asset removal request, including the supported asset types and IP range notation. The headers in your CSV must match the headers shown here.

AssetType

Asset

Domain

example.com

Domain

example1.com

IP_Range

192.0.2.0/32

IP_Range

192.0.2.0-192.0.2.0

IP_Range

192.0.2.0-192.0.24

IP_Range

192.0.2.0/27

Remove request CSV details

The following table provides details about each field that is required in an asset removal request CSV file.

Field

Details

Asset Type

The header for this field must be written as AssetType.

Supported values are Domain, IP_Range, and Certificate. Use the IP Range asset type to remove individual IP addresses.

Asset

This is the specific domain, certificate, or IPv4 range you want to add to your inventory.

IP ranges can be specified using the following types of notation:

  • CIDR notation

  • <First IP address>-<Last IP address>

Individual IP addresses can be specified using the following notation:

  • 192.0.2.0/32

  • 192.0.2.0-192.0.2.0

Undo an asset removal

There may be situations where you want to add an asset back to your inventory that was previously removed. Cortex XSIAM will not allow you to upload an asset that was previously removed, but you can undo the removal to add that asset back to the inventory.

A common use case for undoing a removal is when an IPv4 range has been removed, but you want to add back an IP address that falls within that range. In that case you can undo the removal of the range, and then submit a new removal request for the ranges before and after the IP address that you want to add back. For example, if you removed IP range 192.0.2.0 -192.0.2.24, but then realized you need to include 192.0.2.10 in your inventory, you would:

  1. Undo the removal for IP range 192.0.2.0 -192.0.2.24.

  2. Submit a new asset removal request that includes IP ranges 192.0.2.0 - 192.0.2.9 and 192.0.2.11 - 192.0.2.24

How to undo an asset removal

  1. Navigate to SettingsConfigurationsAsset ManagementAsset Uploads/Removals.

  2. In the Asset Uploads/Removals table, find the asset you want to add back to the inventory. An asset must be in the Removed state to undo the removal (and add it back to the inventory).

  3. Right-click the row and select Undo Asset Removal. Click Yes to confirm the removal.

    After confirming the Undo Asset Removal action, the asset will no longer appear in the table.