would be matched against what in ES?

 “10.22.63.159”, “websvr4”, and “00:26:08:18: CF:1D” would be matched against an asset in ES. An asset is a device on a network that can be identified by an IP address, MAC address, DNS name, or other attributes. ES uses an asset and identity system to correlate asset and identity information with events to enrich and provide context to the data1. The asset fields that ES can match include ip, mac, nt_host, dns, and others2. An identity is a user account that can be identified by a username, email address, phone number, or other attributes. An identity is not the same as an asset, although an identity can be associated with an asset1. References =

Add asset and identity data to Splunk Enterprise Security

Asset and identity fields in Splunk Enterprise Security