Update readme

README.md

@@ -1,5 +1,5 @@
 #  Singularity Data Lake Add-On for Splunk
-The Singularity Data Lake Add-On for Splunk provides integration with [Singularity DataLake](https://www.sentinelone.com/platform/xdr-ingestion/) and [DataSet](https://www.dataset.com) by [SentinelOne](https://sentinelone.com). The key functions allow two-way integration:
+The Singularity Data Lake Add-On for Splunk provides integration with [Singularity Data Lake](https://www.sentinelone.com/platform/xdr-ingestion/) and [DataSet](https://www.dataset.com) by [SentinelOne](https://sentinelone.com). The key functions allow two-way integration:
 - SPL custom command to query directly from the Splunk UI.
 - Inputs to index alerts as CIM-compliant, or any user-defined query results.
 - Alert action to send events from Splunk.
@@ -27,16 +27,20 @@ The add-on uses Splunk encrypted secrets storage, so admins require `admin_all_o
 | Inputs Data Manager | Optional | For Splunk Cloud Classic Experience, if the modular inputs are used, this add-on is installed on an IDM. |
 
 ## Configuration
-### Singularity DataLake
+### Singularity Data Lake
 1. From the SentinelOne console, ensure Enhanced Deep Visibility is enabled by clicking your name > My User > Change Deep Visibility Mode > Enhanced.
 
 ![Setting Enhanced Deep Visibility](README_images/setup_enhanced_dv.png)
 
 2. Open Enhanced Deep Visibility.
-3. Continue following the DataSet instructions below.
+3. In the top left, ensure an account is selected (not `Global`)
 
-### Dataset (and Singularity DataLake continued)
-1. Make note of the URL (e.g. `https://app.scalyr.com` or `https://xdr.us1.sentinelone.net`). For SentinelOne users, note this differs from the core SentinelOne console URL.
+![Selecting SentinelOne account](README_images/s1_account.png)
+
+4. Continue following the DataSet instructions below.
+
+### Dataset (and Singularity Data Lake continued)
+1. Make note of the URL (e.g. `https://app.scalyr.com`, `https://xdr.us1.sentinelone.net` or `https://xdr.eu1.sentinelone.net`). For SentinelOne users, note this differs from the core SentinelOne console URL.
 2. Navigate to API Keys.
 
 ![Creating DataSet API keys](README_images/dataset_key.png)
@@ -53,7 +57,7 @@ The add-on uses Splunk encrypted secrets storage, so admins require `admin_all_o
 2. On the configuration > account tab:
 - Click Add
 - Enter a user-friendly account name. For multiple accounts, the account name can be used in queries (more details below).
-- Enter the full URL noted above (e.g.: `https://app.scalyr.com` or `https://xdr.us1.sentinelone.net`).
+- Enter the full URL noted above (e.g.: `https://app.scalyr.com`, `https://xdr.us1.sentinelone.net` or `https://xdr.eu1.sentinelone.net`).
 - Enter the DataSet read key from above (required for searching)
 - Enter the DataSet write key from above (only required for alert actions).
 - Click Save
@@ -170,13 +174,15 @@ For use cases requiring data indexed in Splunk, optional inputs are provided uti
 An alert action allows sending an event to the DataSet [addEvents API](https://app.scalyr.com/help/api#addEvents).
 
 ## Support and troubleshooting
+SentinelOne Data Lake users are able to see meta logs, such as search actions, but no endpoint data in Splunk - Ensure the read API token was provisioned from an account, not Global.
+
 Error saving configuration "CSRF validation failed" - This is a Splunk browser issue; try reloading the page, using a private window or clearing cache and cookies then retrying.
 
 Search errors `Account token error, review search log for details` or `Splunk configuration error, see search log for details.` - API token was unable to be retrieved. Common issues include user role missing list_storage_passwords permission, API token not set or incorrect account name given that has not been configured. Review job inspector search log for errors returned by Splunk. `Error retrieving account settings, error = UrlEncoded('broken')` indicates a likely misconfigured or incorrect account name; `splunklib.binding.HTTPError: HTTP 403 Forbidden -- You (user=username) do not have permission to perform this operation (requires capability: list_storage_passwords OR admin_all_objects)` indicates missing Splunk user permissions (list_storage_passwords).
 
 To troubleshoot the custom command, check the Job Inspector search log, also available in the internal index: `index=_internal app="TA_dataset" sourcetype=splunk_search_messages`.
 
-For support, open a ticket with DataSet (or SentinelOne for XDR) support including any logged errors, or open a GitHub issue.
+For support, open a ticket with SentinelOne or DataSet support, including any logged errors.
 
 ## Additional Notes
 Though not typically an issue for users, DataSet does have [API rate limiting](https://app.scalyr.com/help/api#rateLimiting). If issues are encountered, open a case with support to review and potentially increase limits.