
Sumo Logic Copilot - Feature Preview

Preview Release

This is a Preview release. To learn more, contact your Sumo Logic account executive.

Sumo Logic Copilot is an AI-based assistant designed to simplify log analysis by allowing you to ask questions in plain English and providing search suggestions without the need to write log queries.

Key features

  • AI-curated insights. Get customized insights tailored to your data.
  • Natural language queries. Ask questions in plain English.
  • Pre-built insights. Utilize pre-built insights to accelerate your workflow.
  • Root cause analysis. Quickly identify the root cause of issues with AI assistance.

Who benefits from Copilot?

Copilot is ideal for:

  • On-call engineers. Accelerate time to resolution for application insights.
  • Security engineers. Quickly obtain security insights.

How Copilot helps

Copilot combines pre-built insights with the ability to ask questions of your logs in natural English, helping you to:

  • Find root causes faster. Use AI to quickly pinpoint issues.
  • Enhance efficiency. Streamline the log analysis process.

How to use Copilot

In this section, you'll learn the recommended workflow for using Copilot effectively, along with best practices to maximize its benefits.

Step 1: Open Copilot

To start using Copilot, navigate to the Copilot tab on the Sumo Logic home page.

Copilot tab

Step 2: Select a source category

Click Select Source Category (the source expression box) and type or select the source category of the log messages you want to investigate.

Copilot source category

Step 3: Execute a prompt

Under Suggestions > Explore, click on any of the prebuilt suggested prompts to start your investigation. For example:

Copilot time period

Manual entry

tip

Because manually typing an AI prompt requires careful precision for optimal performance, we recommend clicking the prebuilt Suggestions prompts, which have been proven effective through extensive testing.

In the Ask Something... field, enter a natural language query prompt similar to the ones under Suggestions > Explore.

You'll need to be very specific. Broad questions do not return good results. When your question is framed as a query about a small, well-defined problem, Copilot answers more accurately.

note

If the statement in the Ask Something... field can't be translated into a query, this field will say "Failed translation".

Step 4: Refine your investigation

After executing a prompt, you'll see your current investigation summarized in plain text in the Ask Something... field. You can use these natural language query prompt ideas to launch and/or refine investigations.

Optionally, follow any of the below steps to refine your search.

Refine

Click any of the Suggestions > Refine prompts to apply suggested refinements to your existing investigation.

Copilot time period

Progressive refinement

As a best practice, start with a simple prompt, verify the query translation, and refine it gradually. For example:

  1. Initial prompt. Count of logs grouped by type.
  2. Refinement. Count of logs grouped by type, reason, kind, name.
  3. Next refinement. Count of logs grouped by type, reason, kind, name. Filter Logs where reason is FailedScheduling.
  4. Further refinement. Count of logs grouped by type, reason, kind, name. Filter logs where reason is FailedScheduling. Filter logs that contain redis-cluster in name. Sort the results by count.

tip

Express your chain of thought to the AI by breaking up your prompt into smaller problems that the AI can answer more accurately, as shown in the following example.

Copilot time period
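The four refinement prompts above, written out by hand in Sumo Logic query language as an added illustration of what to verify at each step (these are assumed equivalents, not Copilot's actual translation output; the source category kubernetes/events is a placeholder, and the JSON keys type, reason, kind and name are the ones named in the prompts):

```text
// Assumed source category for a Kubernetes event stream.
// "json auto" extracts the JSON fields so they can be grouped and filtered.

// 1. Initial prompt: "Count of logs grouped by type."
_sourceCategory=kubernetes/events
| json auto
| count by type

// 2. Refinement: "Count of logs grouped by type, reason, kind, name."
_sourceCategory=kubernetes/events
| json auto
| count by type, reason, kind, name

// 3. Next refinement: "... Filter Logs where reason is FailedScheduling."
//    Filtering before the aggregation keeps the count cheap.
_sourceCategory=kubernetes/events
| json auto
| where reason = "FailedScheduling"
| count by type, reason, kind, name

// 4. Further refinement: "... Filter logs that contain redis-cluster in name.
//    Sort the results by count." The wildcard match is case sensitive.
_sourceCategory=kubernetes/events
| json auto
| where reason = "FailedScheduling" and name matches "*redis-cluster*"
| count by type, reason, kind, name
| sort by _count
```

Comparing each step's Show Log Query output against the intended query like this catches a mistranslated filter before it is carried into the next refinement.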

Edit query code

If needed, you can edit your log search query code.

  1. Click Show Log Query to show the current investigation as a log query.
    Copilot time period

  2. Click in the code editor field and edit your search. Not familiar with Sumo Logic query language? See Search Query Language to learn more.
    Copilot time period

    JSON formatting

    If your log query contains a mix of JSON and non-JSON formatting, add { to the source expression to trigger Suggestions.
    Copilot JSON formatting

  3. When you're done, click the Play icon.
    Copilot time period

    Limitations

    Copilot supports querying JSON logs only. You cannot use Copilot to query unstructured data, metrics, or traces. To get a list of _sourceCategories with JSON data, use the below query:

    _sourceCategory=* "{" "}"
    | limit 10000 | logreduce keys noaggregate
    | count by _sourceCategory, _schema
    | where _schema != "unknown"
    | sum(_count) by _sourceCategory

Chart type

Select your preferred chart type, such as Table, Bar, Column, or Line view, to visualize your results.

Copilot chart types

Time range

  1. Click the clock icon and select your desired time range from the dropdown.
    Copilot time period
  2. Click the search button.
    Copilot search button

Click the Open in Log Search icon, which copies your query from Copilot over to a new Log Search, allowing you to utilize all of Sumo Logic's search functionality. You can continue investigating, save the search, and remediate.

Copilot open in log search

If you'd like to start over and begin a new investigation, click the New Conversation icon.
Copilot new conversation

Copilot example for Cloud SIEM

You are a SecOps engineer who uses Cloud SIEM. You are worried about a signal in Cloud SIEM regarding malicious network activity. Rather than wait for 14 days for an Insight to trigger, you want to investigate network records and be proactive. You are under pressure to complete your investigation quickly. While familiar with Sumo Logic, you do not write log queries every day and could use a little help. Fortunately, all your Cloud SIEM records are in Sumo Logic.

  1. In Copilot, you type the source for Cloud SIEM network records:
    * _index=sec_record_network
  2. You know what you are looking for. So, you ask:
    Count logs by action. Sort the results.
    Copilot tab
  3. As soon as you do that, you can look at the Suggestions section on the right. These suggestions are curated based on their relevance to this Cloud SIEM source. You pick a suggestion to compare results to the last hour:
    Count logs by action. Sort the results. versus the previous 1h
    Notice the system translated the suggestion to a log query and rendered results as a bar graph with no user input.
    Copilot tab
  4. Switching to table view, you notice "Malicious" in the search results. So, you add in Filter results by action contains Malicious to the query:
    Count logs by action. Sort the results. Filter results by action contains Malicious.
    Copilot tab
    note

    If Malicious doesn't work, try Malicious*. Sumo Logic is case sensitive.

  5. Next, you look for URLs that pertain to the malicious action:
    Count logs by action, url, user. Sort the results. Filter results by action contains Malicious.
    Copilot tab
  6. Even though the activity was blocked, you can investigate the affected users in the endpoint records next.

To summarize, you conclude there is malicious activity originating from certain users who need to be investigated further.
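The Cloud SIEM walkthrough above, written out by hand in Sumo Logic query language as an added illustration (assumed equivalents, not Copilot's actual translation output; the compare operator is assumed to be how "versus the previous 1h" is expressed, and the field names action, url and user are those used in the prompts):

```text
// Step 2: "Count logs by action. Sort the results."
_index=sec_record_network
| count by action
| sort by _count

// Step 3: "... versus the previous 1h" sets each action's count beside the
// same count one hour earlier (assumed translation using the compare operator).
_index=sec_record_network
| count by action
| compare with timeshift 1h
| sort by _count

// Step 4: "Filter results by action contains Malicious." Field matching is
// case sensitive, which is why the note above suggests a wildcard pattern.
_index=sec_record_network
| where action matches "*Malicious*"
| count by action
| sort by _count

// Step 5: "Count logs by action, url, user." Same filter, finer grouping,
// so the blocked destinations and the users who reached them are listed.
_index=sec_record_network
| where action matches "*Malicious*"
| count by action, url, user
| sort by _count
```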

Feedback

We want your feedback! Let us know what you think by clicking the thumbs up or thumbs down icon. Optionally, you can also enter more context and information.

Copilot feedback icons

Copyright © 2024 by Sumo Logic, Inc.