Splunk Enterprise Security uses an asset and identity system to correlate asset and identity information with events to enrich and provide context to your data. This system takes information from external data sources to populate lookups, which Enterprise Security correlates with events at search time.

Use the Asset and Identity Management page to enrich and manage asset and identity data using lookups. Ensure you have the edit_modinput_identity_manager capability assigned to your user role to access this feature. See Configure users and roles in the Installation and Upgrade Manual.

When the identity manager runs, it processes all of the asset and identity input configuration.

The SPL search uses a custom search command that handles the merging and updating of new data to existing data. The custom search command merges data based on key fields and policies that you define here.

Assets and identities that need to be deleted are updated in the KV store with a _delete flag set to True so that the delete operation can persist and be completed at a later time.

The custom search command returns the merged data, which is updated or inserted to the KV store using outputlookup append=T. The identity manager checks and processes rows that are marked for deletion.

You have choices for registering asset and identity data in ES:

• Manually register asset and identity data in Asset and Identity Manager
• Use LDAP to register data in Asset and Identity Manager
• Use cloud service provider data to register data in Asset and Identity Manager