
Sumo Logic Copilot - Feature Preview

Preview Release

This is a Preview release. To learn more, contact your Sumo Logic account executive.

Sumo Logic Copilot is an AI-powered assistant that accelerates log investigations and troubleshooting. You ask questions in plain English and get contextual suggestions, so first responders reach answers faster.

Copilot generates log searches from natural language prompts, so you can quickly investigate performance issues, anomalies, and security threats. It also guides you through an investigation step by step with AI-driven suggestions that refine your results, leading to faster and more accurate resolutions.

Key features

Copilot reduces manual effort by combining prebuilt insights with natural language query analysis.

  • Natural language queries. Ask questions in plain English—no need to enter query syntax.
  • Contextual suggestions. Automated suggestions to accelerate your workflow.
  • Conversation history. Save and resume any troubleshooting session without losing context.
  • Auto-visualize. Copilot renders charts based on search results automatically. These charts can be added to dashboards from within Copilot.

Copilot uses foundation models available through Amazon Bedrock. As a result, Copilot inherits its compliance and security posture from Amazon Bedrock. For details, refer to the Amazon Bedrock security and compliance documentation.

Additionally, all aspects of our service, including Copilot, adhere to the security and compliance requirements outlined in our service agreement or in individually negotiated contracts.

Who benefits from Copilot?

Copilot is ideal for:

  • On-call engineers. Accelerate time to resolution by surfacing key troubleshooting insights.
  • Security engineers. Obtain security insights rapidly for faster security incident resolution.

How to use Copilot

In this section, you'll learn the recommended workflow for using Copilot effectively, along with best practices to maximize its benefits.

Step 1: Open Copilot

To start using Copilot:

From the Classic UI, navigate to the Copilot tab on the Sumo Logic home page.

From the New UI, click Copilot in the left nav.

Step 2: Review the auto-selected source

Review the auto-selected Source Category and adjust it if needed. The source category is selected based on Copilot’s assessment of user intent. You can also type a source expression in the box. In either approach, you are defining the scope of your exploration. In this example, we'll select a source for AWS WAF.


Step 3: Execute a Suggestion

Click on any of the prebuilt Suggestions prompts to launch your investigation. These AI-curated natural language insights are tailored to the specific data source you've chosen.

In this example, we'll click Count the number of log entries by the collector ID. This translates the insight to a log query and renders results.


Manual entry (not recommended)

In the Ask Something... field, you can manually enter a natural language prompt similar to the prebuilt ones under Suggestions.


Broad questions may not yield accurate results. For best outcomes, frame each prompt around a small, well-defined problem, and break larger questions into smaller, specific prompts. If Copilot cannot translate your prompt into a query, it displays "Failed translation".

Time range

By default, Copilot searches run with a 15-minute time range. If your search returns no results, consider expanding the time range.

  1. Click the clock icon and select your desired time range from the dropdown.
  2. Click the search button.

Chart type

Copilot automatically attempts to visualize your data. For example, a prompt like Top ip by geo triggers a geo lookup and displays the results on a map.


The following rules, applied in order, are used to deduce the chart type:

  • If both latitude and longitude fields exist, it returns a MAP chart type.
  • If there is only one field and one record, it returns an SVP (single value) chart type. Example query: (_sourceCategory=ic/linux/gcp) | count by %"_sourcename" | count
  • If a sort operator is present and there are string fields, it returns a TABLE. Because the query sorts, the user is presumably interested in the ordered counts, which a table preserves. Query: (_sourceCategory=ic/linux/gcp) | count by %"_sourcename" | sort by _count
  • If there is a _timeslice field, it returns a LINE chart type if there are numeric fields, or a TABLE chart type if there are string fields.
  • If there is one string field, one numeric field, and fewer than 6 records, it returns a PIE chart type. Query: (_sourceCategory=ic/linux/gcp) | count by %"_sourcename"
  • If there is one string field, fewer than 3 numeric fields, and fewer than 20 records, it returns a LINE chart.
  • If none of the above conditions are met, it defaults to a TABLE chart type.
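The rules above are deterministic, so they can be checked offline. The following is an added example, not Sumo Logic's own code: it infers field types from a result set represented as a list of rows and applies the documented rules in the order listed. The row layout, the _count and _sourcename column names in the samples, and the reading of SVP as a single-value panel are assumptions.

```python
"""Chart-type deduction rules from the Copilot docs, as an added, stand-alone
example (not Sumo Logic's own code). Field types are inferred from a result
set represented as a list of dicts; the rules are applied in the documented
order. Column names in the samples are assumptions."""
from numbers import Number

TIME_FIELD = "_timeslice"


def field_types(records):
    """Infer a type per column: 'time' for _timeslice, 'numeric' when every
    non-null value is an int/float (bool excluded), otherwise 'string'."""
    names = []
    for rec in records:
        for name in rec:
            if name not in names:
                names.append(name)
    types = {}
    for name in names:
        if name == TIME_FIELD:
            types[name] = "time"
            continue
        values = [r[name] for r in records if r.get(name) is not None]
        numeric = bool(values) and all(
            isinstance(v, Number) and not isinstance(v, bool) for v in values)
        types[name] = "numeric" if numeric else "string"
    return types


def deduce_chart_type(types, record_count, has_sort=False):
    """Apply the documented rules in order and return the chart type."""
    string_fields = [n for n, t in types.items() if t == "string"]
    numeric_fields = [n for n, t in types.items() if t == "numeric"]

    # 1. latitude + longitude present -> geo map
    if "latitude" in types and "longitude" in types:
        return "MAP"
    # 2. a single field holding a single record -> single value panel
    if len(types) == 1 and record_count == 1:
        return "SVP"
    # 3. sorted results with string fields -> table keeps the ordering
    if has_sort and string_fields:
        return "TABLE"
    # 4. a _timeslice column -> time series if numeric, else table
    if TIME_FIELD in types:
        return "LINE" if numeric_fields else "TABLE"
    # 5. one category, one measure, a handful of rows -> pie
    if len(string_fields) == 1 and len(numeric_fields) == 1 and record_count < 6:
        return "PIE"
    # 6. one category, up to two measures, under 20 rows -> line
    if len(string_fields) == 1 and len(numeric_fields) < 3 and record_count < 20:
        return "LINE"
    # 7. fallback
    return "TABLE"


def chart_type_for(records, has_sort=False):
    """Convenience wrapper: infer types from the rows, then deduce the chart."""
    return deduce_chart_type(field_types(records), len(records), has_sort)


# Constructed result sets mirroring the documented example queries.
# ... | count by %"_sourcename" | count   -> one field, one record
SINGLE = [{"_count": 3}]
# ... | count by %"_sourcename"           -> one string + one numeric field
BY_SOURCE = [{"_sourcename": f"host-{i}", "_count": 10 - i} for i in range(4)]
# ... | timeslice 1m | count by _timeslice -> time series
BY_TIME = [{"_timeslice": 1714560000000 + 60000 * i, "_count": i} for i in range(30)]

if __name__ == "__main__":
    print(chart_type_for(SINGLE))                     # SVP
    print(chart_type_for(BY_SOURCE))                  # PIE
    print(chart_type_for(BY_SOURCE, has_sort=True))   # TABLE
    print(chart_type_for(BY_TIME))                    # LINE
```

Feeding the same one-string-plus-one-numeric result set with 4, 12, and 25 rows shows the PIE, LINE and TABLE thresholds in turn, which is the behaviour to expect when a count by query grows past a handful of groups.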

If required, select your preferred chart type, such as Table, Bar, Column, or Line view to visualize your results. You can also click Add to Dashboard to export an AI-generated dashboard for root cause analysis.


Edit query code

You can manually edit your log search query code if needed.

JSON Syntax Rules
  • Copilot supports querying JSON logs only. It cannot be used to query unstructured data, metrics, or traces. To retrieve a list of _sourceCategories with JSON data, use the following query:
    _sourceCategory=* "{" "}"
    | limit 10000 | logreduce keys noaggregate
    | count by _sourceCategory, _schema
    | where _schema != "unknown"
    | sum(_count) by _sourceCategory
  • If your log query contains a mix of JSON and non-JSON formatting (i.e., a log file is partially JSON), you can isolate the JSON portion by adding { to the source expression to trigger Suggestions.
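How a partly JSON line can be isolated, as an added example that is not Sumo Logic code and does not run the query above: it scans each line for the first brace that begins a complete JSON object, skipping stray braces in a text prefix and truncated bodies, and counts JSON-bearing messages per source category the way the query's count by _sourceCategory does, with the top-level key set standing in for _schema. The sample messages and their source categories are constructed.

```python
"""Added example (not Sumo Logic code): find which source categories carry
JSON payloads, and pull the JSON object out of lines that are only partly
JSON (a text prefix followed by a JSON body). Sample messages are constructed."""
import json
from collections import Counter, defaultdict

_decoder = json.JSONDecoder()


def extract_json(line):
    """Return (obj, start, end) for the first complete JSON object embedded in
    the line, or None. Each "{" is tried in turn so a stray brace in the text
    prefix does not hide a later, well-formed payload."""
    pos = line.find("{")
    while pos != -1:
        try:
            obj, end = _decoder.raw_decode(line, pos)
            if isinstance(obj, dict):
                return obj, pos, end
        except json.JSONDecodeError:
            pass
        pos = line.find("{", pos + 1)
    return None


def schema_of(obj):
    """Top-level key set, a rough analogue of the _schema field that
    `logreduce keys` produces in the docs' query."""
    return tuple(sorted(obj))


def json_sources(messages):
    """messages: iterable of (source_category, raw_line).
    Returns per-category counts of JSON-bearing messages and the schemas seen,
    skipping lines where no JSON object parses (the "unknown" schema case)."""
    counts = Counter()
    schemas = defaultdict(set)
    for category, line in messages:
        found = extract_json(line)
        if found is None:
            continue
        obj, _, _ = found
        counts[category] += 1
        schemas[category].add(schema_of(obj))
    return dict(counts), {k: sorted(v) for k, v in schemas.items()}


# Constructed sample messages; categories and contents are illustrative only.
SAMPLE = [
    ("aws/waf", '{"action":"BLOCK","httpRequest":{"clientIp":"203.0.113.5"}}'),
    ("aws/waf", '{"action":"ALLOW","httpRequest":{"clientIp":"198.51.100.7"}}'),
    ("linux/syslog", "May  1 10:00:00 host sshd[1]: Accepted publickey for alice"),
    # partly JSON: a text prefix, then the payload
    ("app/mixed", '2024-05-01T10:00:00Z INFO request {"path":"/login","status":401}'),
    ("app/mixed", "2024-05-01T10:00:01Z WARN no payload this time"),
    # a brace in the prefix and a truncated body: must not count as JSON
    ("app/mixed", 'worker{3} sent {"path":"/x","status":'),
]

if __name__ == "__main__":
    counts, schemas = json_sources(SAMPLE)
    print(counts)    # {'aws/waf': 2, 'app/mixed': 1}
    print(schemas)
```

A category that shows up in the counts but with several distinct schemas is the mixed case the bullet above describes; the JSON portion is what Copilot can query, so the prefix text is not available to it.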
  1. Click in the code editor field and edit your search. Not familiar with Sumo Logic query language? See Search Query Language to learn more.
  2. When you're done, press Enter or click the search button.
tip

To save space, you can use the Hide Log Query icon to collapse the log query code.

History

Often, users work on multiple incidents at the same time. To view Copilot interactions related to these incidents, click History.

You can resume a conversation in two ways:

First, the Resume conversation icon picks up from the last query in a conversation.

Second, you can resume from a specific query in a conversation by clicking that row in the conversation history and then clicking the gray area on its right side.

New Conversation

To start a new exploration, click New Conversation.

Click the Open in Log Search icon, which will copy your query from Copilot over to a new log search, allowing you to utilize all of Sumo Logic's search functionality. You can continue investigating, save the search, and remediate.


Example queries

Logs for security

The accompanying video shows Copilot used to investigate a security issue: the potential leak of AWS CloudTrail access keys outside the organization.

It demonstrates how to use Copilot to analyze AWS CloudTrail data, review AI-curated suggestions, refine searches with natural language prompts, and generate an AI-driven dashboard for root cause analysis and sharing.

Cloud SIEM

You are a SecOps engineer who uses Cloud SIEM. You are worried about a signal in Cloud SIEM regarding malicious network activity. You want to investigate network records and be proactive. You are under pressure to complete your investigation quickly. While familiar with Sumo Logic, you do not write log queries every day and could use a little help. Fortunately, all your Cloud SIEM records are in Sumo Logic.

  1. In Copilot, you type the source for Cloud SIEM network records:
    _index=sec_record_network
  2. You know what you are looking for. So, you ask:
    Count logs by action. Sort the results.
  3. As soon as you do that, you can look at the Suggestions section on the right. These suggestions are curated based on their relevance to this Cloud SIEM source. You pick a suggestion to compare results to the last hour:
    Count logs by action. Sort the results. versus the previous 1h
    Notice the system translated the suggestion to a log query and rendered results as a bar graph with no user input.
  4. Switching to table view, you notice “Malicious” in the search results. So, you add in Filter results by action contains Malicious to the query:
    Count logs by action. Sort the results. Filter results by action contains Malicious.
    note

    If Malicious returns no matches, try Malicious*. Sumo Logic matching is case sensitive, so a lowercase malicious will not match the Malicious value in the action field.

  5. Next, you look for URLs that pertain to the malicious action:
    Count logs by action, url, user. Sort the results. Filter results by action contains Malicious.
  6. Even though the activity was blocked, you can investigate the affected users in the endpoint records next.

To summarize, you conclude there is malicious activity originating from certain users who need to be investigated further.
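The walkthrough above replayed over constructed records, as an added example that is not Sumo Logic code: each prompt (count by action, the previous-hour comparison, the contains filter, the action/url/user breakdown) is reproduced over a small set of network records so you can see what each step returns, including the case-sensitivity pitfall from the note. The action, url, and user field names come from the walkthrough; the ts timestamp field, the record contents, and the one-hour window are assumptions.

```python
"""Added example (not Sumo Logic code): the Cloud SIEM walkthrough replayed
over constructed network records. Field names action, url and user come from
the walkthrough; the ts field, record contents and window size are assumptions."""
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def t(hh, mm):
    """Constructed timestamps on 2024-05-01 UTC."""
    return datetime(2024, 5, 1, hh, mm, tzinfo=UTC)


# Constructed _index=sec_record_network style records (RFC 5737 / example domains).
RECORDS = [
    {"ts": t(10, 15), "action": "Allowed", "user": "alice", "url": "https://www.example.com/"},
    {"ts": t(10, 45), "action": "Blocked: Malicious Site", "user": "dave", "url": "http://bad.example.net/payload"},
    {"ts": t(11, 5), "action": "Blocked: Malicious Site", "user": "alice", "url": "http://bad.example.net/payload"},
    {"ts": t(11, 10), "action": "Blocked: Malicious Site", "user": "bob", "url": "http://bad.example.net/payload"},
    {"ts": t(11, 20), "action": "Allowed", "user": "alice", "url": "https://www.example.com/"},
    {"ts": t(11, 30), "action": "Allowed", "user": "carol", "url": "https://www.example.com/docs"},
    {"ts": t(11, 40), "action": "Detected: Malicious Content", "user": "bob", "url": "http://evil.example.org/x"},
]


def in_window(records, start, end):
    """Records with start <= ts < end."""
    return [r for r in records if start <= r["ts"] < end]


def last_hour(records, now, span=timedelta(hours=1)):
    """Records in the current window [now - span, now)."""
    return in_window(records, now - span, now)


def count_by(records, *fields):
    """`count by f1, f2 | sort by _count`: list of (key tuple, count), largest first;
    ties are broken by key so the output is stable."""
    counts = Counter(tuple(r[f] for f in fields) for r in records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def where_contains(records, field, needle, case_sensitive=True):
    """`where field contains needle`. Sumo Logic matching is case sensitive, so
    that is the default; pass case_sensitive=False to see what a looser match returns."""
    if case_sensitive:
        return [r for r in records if needle in r[field]]
    needle = needle.lower()
    return [r for r in records if needle in r[field].lower()]


def versus_previous(records, now, field="action", span=timedelta(hours=1)):
    """`... versus the previous 1h`: per value, (count in [now-span, now),
    count in [now-2*span, now-span))."""
    current = dict(count_by(in_window(records, now - span, now), field))
    previous = dict(count_by(in_window(records, now - 2 * span, now - span), field))
    keys = sorted(set(current) | set(previous))
    return {k[0]: (current.get(k, 0), previous.get(k, 0)) for k in keys}


if __name__ == "__main__":
    now = t(12, 0)
    current = last_hour(RECORDS, now)
    print(count_by(current, "action"))                   # step 2
    print(versus_previous(RECORDS, now))                  # step 3
    hits = where_contains(current, "action", "Malicious")  # step 4
    print(count_by(hits, "action", "url", "user"))        # step 5
    print(len(where_contains(current, "action", "malicious")))  # 0: case matters
```

The per-user rows from the last step are the pivot into the endpoint records that step 6 calls for; the zero result for the lowercase needle is exactly the situation the note addresses.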

Feedback

We want your feedback! Let us know what you think by clicking the thumbs up or thumbs down icon and entering the context of your query.


You can also leave feedback on errors.

Copyright © 2024 by Sumo Logic, Inc.