Just to get these at the top, these are some of my questions:
1- When does tagging occur? Does it happen with manual/ad hoc vuln scans? I suspect my recurring light scans are replacing operatingSystem tags on my assets with ambiguous ones...
2- How do others handle the ambiguous OS results, such as "Windows 2012 R2/8.1", with dynamic tagging using regex?
What I do is the following:
- set up a small number of Domains that include the subnets I want to discover assets in.
- a map scan that runs every day against each Domain to discover assets.
- manually review the map scan results, and any new asset that is not Approved, I approve and assign to one of a small number of Asset Groups. My Asset Groups are based on network location (Geo1-DMZ, Geo1-Internal, Geo2-DMZ, etc).
- a weekly light Vuln Scan (with no authentication) for each Asset Group. The goal of this is just a quick scan to do OS detection and begin assigning Asset Tags.
- a monthly full Vuln Scan (with authentication) on my major Asset Tags (Geo1-DMZ-Windows, Geo1-DMZ-Linux, Geo1-DMZ-Others, etc). This is designed to catch everything identified from scans above.
- I plan to use only Asset Tags for all reports.
Thank you for any insight!