#
Enable asset correlation
Confirm asset correlation has been setup in Splunk Enterprise Security.
- Navigate to Splunk Enterprise Security > Configure > Data Enrichment > Asset and Identity Management.
- Switch to the "Correlation Setup" tab.
- Either enable for all sourcetypes (Recommended) or selectively by sourcetype.
- If you choose to enable select sourcetypes, ensure the
stashsourcetype is also selected so Notable events will be enriched with asset information.
- If you choose to enable select sourcetypes, ensure the
- Save.
#
Disable existing asset sources
Optional
It may be possible that you have existing Asset Lookups defined. If SentinelOne is widely deployed, existing lookups may no longer be needed.