Deduplicated Assets

Overview

Deduplicated assets occur when Sevco's Asset Correlation Engine (ACE) determines that multiple Source asset records from the same Source contain enough identical attributes to indicate that they are actually the same asset. For example, if three Source records from a scanning tool contain the same MAC Address but different UIDs and IPs, it is likely that multiple records have been created for the same Device asset.

Identifying deduplicated assets can assist in system hygiene by allowing you to identify duplicate records in your Source's environment. Additionally, it may help you identify why certain Source asset records are not appearing in the Live Inventory page.

Searching for a Deduplicated Asset

Deduplicated asset records can be found on the Source Inventory page for a Source integration. Begin by selecting a Source from the Source Inventory menu.

Redirecting to the Source Inventory page for "Crowdstrike"

Next, open the query builder and select Record State from the Attribute menu. Select equals as your Condition and Deduplicated asset as your Value. Once you have finished, click the Apply button to run your query.

Query to search for deduplicated assets

A list of assets will appear with Deduplicated asset labels to indicate that they are deduplicated assets.

List of deduplicated assets

Viewing Related Assets

You can view a list of related assets with shared attributes by selecting the Deduplicated asset label that corresponds with an asset.

Selecting "Deduplicated asset" label

You may notice that one of the assets in your list does not contain a Deduplicated asset label. This is because Sevco has determined that it is the primary asset in the group. Primary assets typically contain the most information about an asset and are used to form an aggregate unified asset that can be viewed on the Live Inventory page.

Image of Deduplicated and Primary assets

Deduplication Graph

The deduplication graph allows you to view information about the asset attributes Sevco has used to determine that an asset is a duplicate. You can view this graph by selecting the caret that corresponds to an asset, followed by the Deduplication graph button in the dropdown.

Opening asset dropdown and selecting "Deduplication graph" button

Each node corresponds with one of your assets and contains information about its Last Activity timestamp.

Node Example

Select a node to see how an asset record correlates with other asset records.

Selecting a node

Each line represents a correlation between two assets and contains information about what attributes they share in common. Hover over a line to view a full list of shared attributes.

Hovering over line

Primary assets are indicated with a "Primary" label as well as a link to view their aggregated asset in the Live Inventory page.

Viewing Primary Asset in Live Inventory
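
As an added illustration (not Sevco's code, and not a description of how ACE is implemented), the Python below rebuilds the same picture from an exported list of Source records: nodes are records, lines carry the attributes two records share, and one record per group is treated as primary. The field names, the choice of MAC address and hostname as identifying attributes, and the "most populated fields" rule for picking the primary are assumptions.

```python
from itertools import combinations

# Constructed sample records from one scanning-tool Source (not real data).
RECORDS = [
    {"uid": "scan-001", "mac": "00:1A:2B:3C:4D:5E", "ip": "10.0.4.17", "hostname": "ws-0412", "os": "Windows 11"},
    {"uid": "scan-002", "mac": "00:1a:2b:3c:4d:5e", "ip": "10.0.9.88", "hostname": None, "os": None},
    {"uid": "scan-003", "mac": "00-1A-2B-3C-4D-5E", "ip": "10.0.4.203", "hostname": "ws-0412", "os": None},
    {"uid": "scan-004", "mac": "00:1A:2B:AA:BB:CC", "ip": "10.0.4.18", "hostname": "ws-0977", "os": "Ubuntu 22.04"},
]
# Assumption: attributes that identify a device. IPs are left out because they change.
IDENTIFYING = ("mac", "hostname")

def normalise(attr, value):
    """Lower-case values and unify MAC separators so formatting differences don't hide a match."""
    if value is None:
        return None
    value = value.strip().lower()
    return value.replace("-", ":") if attr == "mac" else value

def shared_attributes(a, b):
    """Identifying attributes that hold the same non-empty value in both records."""
    va = {k: normalise(k, a.get(k)) for k in IDENTIFYING}
    vb = {k: normalise(k, b.get(k)) for k in IDENTIFYING}
    return [k for k in IDENTIFYING if va[k] is not None and va[k] == vb[k]]

def correlate(records):
    """Return (edges, groups): labelled lines between records and groups of 2+ linked records."""
    edges, parent = {}, {r["uid"]: r["uid"] for r in records}
    def find(u):  # union-find root lookup with path halving
        while parent[u] != u:
            parent[u] = parent[parent[u]]
            u = parent[u]
        return u
    for a, b in combinations(records, 2):
        shared = shared_attributes(a, b)
        if shared:
            edges[(a["uid"], b["uid"])] = shared
            parent[find(a["uid"])] = find(b["uid"])
    groups = {}
    for r in records:
        groups.setdefault(find(r["uid"]), []).append(r)
    return edges, [g for g in groups.values() if len(g) > 1]

def primary(group):
    """Assumed rule: the record with the most populated attributes (ties: first listed)."""
    return max(group, key=lambda r: sum(v is not None for v in r.values()))

if __name__ == "__main__":
    edges, groups = correlate(RECORDS)
    print(edges)
    print([(primary(g)["uid"], [r["uid"] for r in g]) for g in groups])
```

On the constructed data, the three records with the same MAC address form one group with scan-001 as primary, while scan-004 stays on its own.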

Deduplicated Assets in Unified Inventory

Sometimes deduplicated asset records aren't detected until after they have been aggregated and processed into a unified asset. This can occur when two asset records from the same Source don't share certain attributes with each other but do share attributes with an asset record from a different Source. It can also happen when there are two source configurations from the same platform.

Assets with duplicate records are indicated in the Live Inventory page with an "i" indicator on the heat map that corresponds to the Source that has more than one record.

Image of duplicate record indicator on Live Inventory page

On the Device Details page, you can view the details of each record by selecting the Source from the top of the page and using the asset record arrows to navigate between records.

Asset records on Device Details

You can also use the correlation viewer tab on the Device Details page to see what attributes resulted in the two records being correlated.