3.5. Asset Management

In the Assets view you can see all the connected ASGARD agents. New assets will be placed under Asset Requests and need a manual approval before being able to connect to your ASGARD (for auto accept see Advanced Settings).

If the Duplicate Assets view is visible, you should try to remediate the issues in a timely manner, since this might cause unwanted side effects on the duplicate hosts.


Assets in the Duplicate Assets view indicate that one or more agents are running on multiple endpoints. This might be caused by cloning a system with an already installed ASGARD Agent. Undesirable side effects of duplicate assets are alternating hostnames and tasks that fail immediately.

For remediation please see Duplicate Assets Remediation

3.5.1. Asset Overview

Management of all endpoints registered with ASGARD can be performed in Asset Management. The assets will be presented as a table with an individual ASGARD ID, their IP addresses and host names.

Asset View

Asset View

By clicking the control buttons in the Actions column, you can start a new scan, run a response playbook, open a command line or switch the endpoints ping rate to a few seconds instead of a maximum of 10 minutes.

Asset Actions

Available Actions (left to right): Run Scan, Run Task, Connect To Remote Console, Show Timeline, Enable/Disable Fast Poll Mode


  • The internal ping between the ASGARD agent and ASGARD is based on HTTPS not ICMP

  • Depending on the user's role some of the control buttons may be disabled

  • The Run Scan button might be greyed out in new installations - this is because ASGARD did not download the THOR packages yet. You can either wait for a few minutes, or see the chapter Updates of THOR and THOR Signatures, to trigger a download manually.

3.5.2. Column Visibility

Users can select various columns and adjust their view according to their needs by clicking the gear wheel in the top right corner of any table. You can toggle visibility of columns by clicking the icon next to the name. You can also drag and drop the columns to change the order in the table view.

Asset Columns

Available columns in Asset Management

3.5.3. Asset Labels

Labels are used to group assets. These groups can then be used in scans or tasks.

You can add multiple labels to an asset or a group of assets. This is done by selecting the particular assets in the left column, typing the label name (e.g. New_Label) and clicking the blue Add Labels button.


Don't use labels with white space characters as it could cause issues in syncs with your Analysis Cockpit, exports/imports or other underlying legacy functions.

Asset Labeling

Add labels

In order to remove labels, select your assets, click the yellow Remove Labels button and type the name of the label you want to remove for these assets.

Asset Labeling

Remove labels

The asset management section has extensive filtering capabilities, e.g. it is easy to select only Linux endpoints that have been online today and have a particular label assigned. Export Asset List

The Import/Export Section allows you to export your assets to a CSV formatted file. Import Labels

The import function allows you to add or remove labels on assets based on columns in the previously generated CSV formatted file.

The import function processes the values in the columns Add Labels ... and Remove Labels ... only. In order to change labels, use the already exported list, add values in these columns and re-import it by using the Apply Labels from CSV button. Separate multiple labels with comma. Leading or ending white space characters will be stripped from the labels.

Asset Labeling via CSV

Asset Labeling via CSV

3.5.4. ASGARD Search Query

You can search for Assets in your Management Center with the ASGARD Search Query. This allows you to write more complex queries to search for assets. Additionally, this helps you to be more flexible with your scan/response tasks, since you can just specify a query and not set labels for all assets first. A good example of this might be if you want to scan a specific subnet every week, and a new agent is being deployed in this subnet. You don't have to think of all the labels or troubleshoot why scans are not being deployed. One example you could achieve this with is the following query:

system = "linux" and interfaces = ""

This would run the task on all linux systems in the subnet

The following operators are available:




hostname = "win10-dev"


cpu_count = 1


hostname contains "win"

Begins With

hostname begins with "win"

Ends With

hostname ends with "dev"

Numerical Comparison

total_memory >= 4 GB

Numerical Comparison

last_seen < 3 days ago (assets that have not been seen since 3 days)

Numerical Comparison

last_seen > 1 hour ago (assets that have been seen in the last hour)

Numerical Comparison

last_scan_completed < 2022-08-17 (assets that have not been scanned since 2022-08-17)

Numerical Comparison

last_scan_completed < 2022-08-17 15:00:00 (assets that have not been scanned since 2022-08-17 15:00:00)

Numerical Comparison

last_scan_completed is never


is_domain_controller is true


nextping is true (shows all assets with Fast Poll enabled)


not hostname contains "win"


not hostname ends with "dev"


hostname contains "win" and not hostname ends with "dev"


hostname begins with "dev" or hostname ends with "dev"


hostname ends with "dev" and (hostname contains "win" or hostname contains "lin")

Set / Not Set

labels is set (assets that have at least one label)

Set / Not Set

labels is not set (assets that have no labels)

Regular Expression

hostname matches "^[a-z0-9]{(0,6)}$"


Use _ to match any single character and % to match an arbitrary number of characters, including zero characters.


arch like "a__64" (matches amd64 and arm64, but not aarch64)


arch like "%64" (all 64 bit systems, e.g. amd64, arm64, aarch64 or ppc64)

IP Range

interfaces = ""

You can create simple or complex queries this way. You can group/separate queries with brackets:

(system = "linux" and interfaces = "") or (system = "windows" and interfaces = "")

(system = "linux" and interfaces = "" and labels = "my-label") or labels = "robot-test"

The following keys for the asset query are available:


Column Name




Agent Version


Service Controller Version


First Seen








Network Interfaces






Last Scan Completed


Last Seen Agent


Last Seen


Last Seen Service Controller


Fast Poll


Poll Interval




Total Memory




OS Version


You can see which query-name a field has by enabling the column in your asset view and clicking into the query text field:


The ASGARD Search Query is the preferred tool to manage scans and assets. If you are using the Analysis Cockpit and need to labels, you can still use them.

3.5.5. Asset Migration

You can move an asset from one Management Center to another via the Maintenance Module of the Response Control. To do this, navigate to Assets and select the assets you want to migrate. Alternatively you can navigate to Response Control and add a new task. You can now click the Add Task button to open the Task Menu. Choose the Maintenance module and then the Move asset to another ASGARD Type. You have to upload an agent installer from the ASGARD you want to migrate the asset to.

Management Center Move Asset


The target OS or Arch of the installer doesn't matter, we will only use the installers configuration data for the migration.

The task will fail if the migrated asset is unable to communicate with the new Management Center. In this case, the asset will remain on the Management Center which issued the migration task. Only the asset will be migrated (it shows up as a brand new asset on your new Management Center), no scan or response tasks and also no logs will be migrated.

3.5.6. Delete Assets

Deleting assets will remove the assets from the Active Only asset view and will invalidate the authentication for those assets.

To delete an asset, go to the Assets View and mark the assets you want to delete. Click the Delete Assets Button on the top right corner. Confirm that you want to delete the assets.

To see all the deleted assets, change your view from Active Only to Deleted Only.


Deleted assets can no longer communicate with the ASGARD. Please use with caution. This cannot be undone, you have to manually fix the asset.

Deleted Assets

Deleted Assets View