# Enable asset correlation
Confirm asset correlation has been set up in Splunk Enterprise Security.
- Navigate to Splunk Enterprise Security > Configure > Data Enrichment > Asset and Identity Management.
- Switch to the "Correlation Setup" tab.
- Either enable for all sourcetypes (Recommended) or selectively by sourcetype.
- If you choose to enable select sourcetypes, ensure the `stash` sourcetype is also selected so Notable events will be enriched with asset information.
- Save.
# Disable existing asset sources
Optional
You may already have Asset Lookups defined. If CrowdStrike is widely deployed in your environment, the existing lookups may no longer be needed.