Merge pull request #4 from ZachChristensen28/docs/devel

version 1.0.1 updates

docs/index.md

@@ -30,9 +30,9 @@ This documentation assumes the following:
 
 Info | Description
 ------|----------
-SA-CrowdstrikeDevices | 1.0.0 - [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices)
+SA-CrowdstrikeDevices | 1.0.1 - [Splunkbase](https://splunkbase.splunk.com/app/6573) [GitHub](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices)
 Splunk Enterprise Security Version <small>(Required)</small> | [7.x, 6.x](https://splunkbase.splunk.com/app/263)
 Crowdstrike Devices Add-on <small>(Required)</small> | [3.x](https://splunkbase.splunk.com/app/5570)
 Add-on has a web UI | No, this add-on does not contain views.
 
-[Quick Start](quickstart){ .md-button .md-button--primary }
+[Quick Start](quickstart/install){ .md-button .md-button--primary }

docs/quickstart/install.md

@@ -0,0 +1,32 @@
+# Install
+
+!!! important
+    This supporting add-on must be installed alongside Splunk Enterprise Security.
+
+For detailed information on where to install Splunk Apps/add-ons, including best practices, can be found at [Splunk Docs: About Installing Splunk add-ons](https://docs.splunk.com/Documentation/AddOns/released/Overview/Wheretoinstall)
+
+## Standalone Deployments (with Splunk ES)
+
+Install this add-on to the single instance. For more information see [Splunk Docs: Install add-on in a single-instance Splunk deployment](https://docs.splunk.com/Documentation/AddOns/released/Overview/Singleserverinstall)
+
+## Distributed Deployments
+
+Splunk Instance type | Supported | Required | Comments
+-------------------- | --------- | -------- | --------
+Enterprise Security Search Head | Yes | Yes | Install this add-on to the Enterprise Security Search Head.
+Splunk Core Search Head (without ES) | No | No | Do not install on regular search heads.
+Indexers | No | No | Do not install on Indexers.
+Heavy Forwarders | No | No | Do not install on Heavy Forwarders.
+Universal Forwarders | No | No | Do not install on Universal Forwarders.
+
+The installation steps for deploying Apps/add-ons in a distributed environment can be found at [Splunk Docs: Install an add-on in a distributed Splunk deployment](https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall)
+
+## Distributed Deployment Compatibility
+
+Distributed deployment feature | Supported | Comments
+------------------------------ | --------- | --------
+Search Head Clusters | Yes | You can install this add-on to an Enterprise Security search head cluster.
+Indexer Clusters | No | Do not deploy this add-on to an Indexer cluster.
+Deployment Server | No | There is no need to use a deployment server to deploy this add-on.
+
+\* For more information, see Splunk's [documentation](https://docs.splunk.com/Documentation/AddOns/released/Overview/Installingadd-ons) on installing Add-ons.

docs/releases/index.md

@@ -1,6 +1,6 @@
 # Release notes
 
-## v1.0.0 <small>August 25, 2022</small>
+## v1.0.1 <small>August 25, 2022</small>
 
 ### Compatibility
 
@@ -11,6 +11,7 @@ Splunk Enterprise Security version | [7.x, 6.x](https://splunkbase.splunk.com/ap
 Crowdstrike Device Add-on Version | [3.x](https://splunkbase.splunk.com/app/5570)
 
 - Initial Release
+- Hotfix for missing `_key` field in saved search.
 
 ## Known issues
 

docs/releases/release-history.md

@@ -0,0 +1,5 @@
+# Release history
+
+## v1.0.0 <small>August 25, 2022</small>
+
+- Initial Release

docs/troubleshooting/index.md

@@ -0,0 +1,7 @@
+# Troubleshooting
+
+There can be many issues when setting up a new app/add-on in Splunk. Below highlights the most common issues with this Add-on. Don't see your issue? Submit a new issue on [Github](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues).
+
+Issue | Description | Solution
+----- | ----------- | --------
+Multiple asset merge | It is possible that some of your devices share a common mac address or another key field which will cause merging by default. | If Crowdstrike is your only asset source you can disable asset merge under global settings. See [Asset Merge Solution](./solution-guides/asset-merge) for more information.

docs/troubleshooting/solution-guides/asset-merge.md

@@ -0,0 +1,6 @@
+# Asset Merge
+
+It may be possible that your devices share a common mac address or another key field that is causing an erroneous merge of your assets. If Crowdstrike is your only data source for assets, you can disable asset merge in the global settings.
+
+1. In Enterprise Security navigate to Configure > Data Enrichment > Asset and Identity Management > Global Settings.
+1. Toggle off "Assets" under `Enable Merge for Assets or Identities`.

mkdocs.yml

@@ -69,7 +69,9 @@ extra:
 
 nav:
   - Home: index.md
-  - Quick Start: quickstart/index.md
+  - Quick Start:
+      - Install: quickstart/install.md
+      - Quickstart: quickstart/quickstart.md
   - Configure:
       - configure/index.md
       - Update Priority: configure/priority.md
@@ -80,6 +82,10 @@ nav:
       - Asset Database mapping: reference/asset-mapping.md
       - Crowdstrike Fields:
           - Categories: reference/category.md
+  - Troubleshooting:
+      - troubleshooting/index.md
+      - Solutions Guide:
+          - Asset Merge: troubleshooting/solution-guides/asset-merge.md
   - Release Notes:
       - Release Notes: releases/index.md
-      # - Release History: reference/releases/release-history.md
+      - Release History: releases/release-history.md