I'm looking to migrate some VM scan jobs which are currently based on Asset Groups, over to use dynamic asset tags instead. We have some sites that have pretty flat networks with a mixture of endpoints and servers, and I want to move away from manually populating Asset Groups to target scan jobs at these different types of assets.
One key point I'm struggling with that I'd like to run past the community...
My understanding is that defined Dynamic Asset Tags are automatically assigned based on scan data - makes sense.
So, lets say I want to target a recurring scan at Windows Servers only - I link this to an appropriate Asset Tag, based on detected O/S. A new Windows server is then added to the network, but of course at that point its never been scanned and so won't pickup any Tags, so won't be included in my Windows scan above.
My assumption is that I'd need to be scanning my *entire* IP range periodically, just to discover any new assets and ensure tags are applied, allowing my targetted and more detailed scan jobs to run. Is this correct? If so is there some best practise way to do this effeciently e.g. should / can I scan just non tagged IPs?
If I'm missing something obvious that would be great, as this seems key to how asset tags work.