Hi,

    From Context Visibility choose the Export menu option, there is a column for "Update Time" which tells you the last time ISE saw anything for that endpoint. You can afterward configure "Endpoints Purge Settings": https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_33_maintain_monitor.html

Thanks,

Cristian.

To get the Inactivity Days attribute for your endpoints, you cannot rely on the standard Context Visibility CSV export or the basic Identity APIs, as that specific field is often calculated on the fly rather than stored as a static attribute in the standard endpoint object. Instead, you should use the External RESTful Services (ERS) API to query the endpoints and look for the InactiveDays or LastReceptionTime values.

Since your goal is to identify retired devices without risking an accidental purge, your best bet is to use a script (like Python) to call the GET /ers/config/endpoint API. You can then calculate the inactivity yourself by comparing the lastUpdate or StaticGroupAssignment timestamps against the current date. Alternatively, if you have Cisco ISE 3.x, you can leverage the Data Connect feature (using an SQL query via a reporting tool) to pull the last_activity_at column directly from the database, which is much more efficient for large datasets.

 @ryanmbess ,

I highly recommend the use of ISE DataConnect for this.
It is an extremely fast SQL query directly against the ISE database's endpoints table to find this info.
I've even written the query for you: 
https://github.com/1homas/ISE_Python_Scripts/blob/main/data/SQL/endpoints_last_auth.sql

iseql.py --insecure data/SQL/endpoints_last_auth.sql --format table

mac                random    timestamp            location                            username                                       endpoint_profile           sgt          device_name              ipv4        passed
-----------------  --------  -------------------  ----------------------------------  ---------------------------------------------  -------------------------  -----------  -----------------------  ----------  --------
F8:4D:89:67:FD:03            2024-09-06 16:50:55  All Locations                       thomas                                                                    Employees    thomas-mr46                          Pass
58:EF:68:E6:46:F0            2024-09-11 16:24:42  All Locations                       thomas                                         Belkin-Device              Employees    thomas-mx68                          Pass
2C:7B:A0:00:00:00            2024-09-17 12:59:01  All Locations                       2C:7B:A0:00:00:00                                                         Blocked      thomas                               Pass
E8:C8:29:00:00:00            2024-09-23 07:57:03  All Locations                       E8:C8:29:00:00:00                              Intel-Device               Blocked      thomas-mbp                           Pass
36:0E:9E:4E:17:F4  ✔         2024-09-23 07:57:21  All Locations                       36:0E:9E:4E:17:F4                                                         Blocked      thomas-mbp                           Pass
9C:8E:CD:2D:2C:17            2024-09-25 17:04:53  All Locations                       9C:8E:CD:2D:2C:17                              Unknown                    Blocked      thomas                               Pass  

Watch the webinar ▷ ISE Data Connect Deep Dive 2025-04-22 where I talk about using my iseql.py script for these kinds of queries.

Resources:

• https://cs.co/ise-api#!data-connect-openapi
• https://cs.co/ise-dataconnect
• https://github.com/1homas/ISE_Python_Scripts
• https://github.com/1homas/ISE_Python_Scripts/blob/main/iseql.py