From 9e264f043e639b3f349fc81a948bc614909adb38 Mon Sep 17 00:00:00 2001 From: Mike McGrail Date: Thu, 21 Sep 2023 17:11:40 -0400 Subject: [PATCH 1/3] update readme --- README.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 5e278458..06241d08 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ # Singularity Data Lake Add-On for Splunk -The Singularity Data Lake Add-On for Splunk provides integration with [Singularity DataLake](https://www.sentinelone.com/platform/xdr-ingestion/) and [DataSet](https://www.dataset.com) by [SentinelOne](https://sentinelone.com). The key functions allow two-way integration: +The Singularity Data Lake Add-On for Splunk provides integration with [Singularity Data Lake](https://www.sentinelone.com/platform/xdr-ingestion/) and [DataSet](https://www.dataset.com) by [SentinelOne](https://sentinelone.com). The key functions allow two-way integration: - SPL custom command to query directly from the Splunk UI. - Inputs to index alerts as CIM-compliant, or any user-defined query results. - Alert action to send events from Splunk. 
@@ -27,16 +27,20 @@ The add-on uses Splunk encrypted secrets storage, so admins require `admin_all_o | Inputs Data Manager | Optional | For Splunk Cloud Classic Experience, if the modular inputs are used, this add-on is installed on an IDM. | ## Configuration -### Singularity DataLake +### Singularity Data Lake 1. From the SentinelOne console, ensure Enhanced Deep Visibility is enabled by clicking your name > My User > Change Deep Visibility Mode > Enhanced. ![Setting Enhanced Deep Visibility](README_images/setup_enhanced_dv.png) 2. Open Enhanced Deep Visibility. -3. Continue following the DataSet instructions below. +3. In the top left, ensure an account is selected (not `Global`) -### Dataset (and Singularity DataLake continued) -1. Make note of the URL (e.g. `https://app.scalyr.com` or `https://xdr.us1.sentinelone.net`). For SentinelOne users, note this differs from the core SentinelOne console URL. +![Selecting SentinelOne account](README_images/s1_account.png) + +4. Continue following the DataSet instructions below. + +### Dataset (and Singularity Data Lake continued) +1. Make note of the URL (e.g. `https://app.scalyr.com`, `https://xdr.us1.sentinelone.net` or `https://xdr.eu1.sentinelone.net`). For SentinelOne users, note this differs from the core SentinelOne console URL. 2. Navigate to API Keys. ![Creating DataSet API keys](README_images/dataset_key.png) 
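Review bot: the new step 3 (`In the top left, ensure an account is selected (not `Global`)`) gives the instruction without the reason, and the reason only surfaces in the troubleshooting entry added by patch 3 of this series; state it here, for example "API keys created while `Global` is selected return meta logs only, not endpoint data", so readers do not have to hit the failure first. The new item also lacks the trailing period that steps 1, 2 and 4 have, and the heading keeps `Dataset` while the body and the link text in this same hunk use `DataSet`.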
@@ -53,7 +57,7 @@ The add-on uses Splunk encrypted secrets storage, so admins require `admin_all_o 2. On the configuration > account tab: - Click Add - Enter a user-friendly account name. For multiple accounts, the account name can be used in queries (more details below). -- Enter the full URL noted above (e.g.: `https://app.scalyr.com` or `https://xdr.us1.sentinelone.net`). +- Enter the full URL noted above (e.g.: `https://app.scalyr.com`, `https://xdr.us1.sentinelone.net` or `https://xdr.eu1.sentinelone.net`). - Enter the DataSet read key from above (required for searching) - Enter the DataSet write key from above (only required for alert actions). - Click Save From 85a8b0d373ba73d52060a18f38eb12bd82a7f47b Mon Sep 17 00:00:00 2001 From: Mike McGrail Date: Thu, 21 Sep 2023 17:11:47 -0400 Subject: [PATCH 2/3] add image to select account --- README_images/s1_account.png | Bin 0 -> 9678 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 README_images/s1_account.png 
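Review bot: the region URL list (`https://app.scalyr.com`, `https://xdr.us1.sentinelone.net`, `https://xdr.eu1.sentinelone.net`) is now maintained in two places, configuration step 1 of the Dataset section and this account-tab bullet, so the next region added will drift between them; consider having this bullet say "the full URL noted in the Configuration section" instead of repeating the list. While touching this list, `- Enter the DataSet read key from above (required for searching)` is the only bullet without a terminal period.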
diff --git a/README_images/s1_account.png b/README_images/s1_account.png new file mode 100644 index 0000000000000000000000000000000000000000..13fcde238f35bf567f91283e943a0d253fb71874 GIT binary patch literal 9678
From af56d24d53e35c44a9880fe691c385e95186c940 Mon Sep 17 00:00:00 2001 From: Mike McGrail Date: Thu, 21 Sep 2023 17:16:36 -0400 Subject: [PATCH 3/3] clarify support through official channel --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 06241d08..454250e6 100644 --- a/README.md +++ b/README.md
@@ -174,13 +174,15 @@ For use cases requiring data indexed in Splunk, optional inputs are provided uti An alert action allows sending an event to the DataSet [addEvents API](https://app.scalyr.com/help/api#addEvents). ## Support and troubleshooting +SentinelOne Data Lake users are able to see meta logs, such as search actions, but no endpoint data in Splunk - Ensure the read API token was provisioned from an account, not Global. + Error saving configuration "CSRF validation failed" - This is a Splunk browser issue; try reloading the page, using a private window or clearing cache and cookies then retrying. Search errors `Account token error, review search log for details` or `Splunk configuration error, see search log for details.` - API token was unable to be retrieved. Common issues include user role missing list_storage_passwords permission, API token not set or incorrect account name given that has not been configured. Review job inspector search log for errors returned by Splunk. `Error retrieving account settings, error = UrlEncoded('broken')` indicates a likely misconfigured or incorrect account name; `splunklib.binding.HTTPError: HTTP 403 Forbidden -- You (user=username) do not have permission to perform this operation (requires capability: list_storage_passwords OR admin_all_objects)` indicates missing Splunk user permissions (list_storage_passwords). To troubleshoot the custom command, check the Job Inspector search log, also available in the internal index: `index=_internal app="TA_dataset" sourcetype=splunk_search_messages`. -For support, open a ticket with DataSet (or SentinelOne for XDR) support including any logged errors, or open a GitHub issue. +For support, open a ticket with SentinelOne or DataSet support, including any logged errors. ## Additional Notes Though not typically an issue for users, DataSet does have [API rate limiting](https://app.scalyr.com/help/api#rateLimiting). 
If issues are encountered, open a case with support to review and potentially increase limits.
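Review bot: the added troubleshooting entry (`SentinelOne Data Lake users are able to see meta logs, such as search actions, but no endpoint data in Splunk - Ensure the read API token was provisioned from an account, not Global`) lacks the terminal period the following entries have, and its remedy should point back to configuration step 3, where the account selection is made, so a user seeing the symptom knows which key to regenerate. The support-line change drops `or open a GitHub issue`; if the repository still has issues enabled, say explicitly that they are for bugs rather than support requests, otherwise disable issues so the README and the repository settings agree.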