Skip to main content

Sumo Logic Copilot

note

If you need to opt out, please open a support ticket.

Sumo Logic Copilot is our AI-powered assistant that accelerates investigations and troubleshooting in logs by allowing you to ask questions in plain English and get contextual suggestions, helping first responders get to answers faster.

With its intuitive interface, Copilot automatically generates log searches from natural language queries, helping you quickly investigate performance issues, anomalies, and security threats. It also guides you through investigations step-by-step with AI-driven suggestions to refine your results for faster, more accurate resolutions. Overall, Copilot enhances incident resolution with expert level insights.

Key features​

Copilot accelerates incident response by combining prebuilt contextual insights with natural language queries and enhancing time to insights for users across your organization. With sub-3-second response times with over 90% translation accuracy for most queries, Copilot ensures fast and dependable results for supported log sources.

  • Natural language queries. Ask questions in plain English.
  • Contextual suggestions. Get suggestions relevant to your troubleshooting and investigations context.
  • Conversation history. Save and resume troubleshooting or investigation sessions without losing context.
  • Auto-visualize. Copilot automatically generates charts from search results, which you can add directly to dashboards, reducing time and effort in data interpretation.
  • Log compatibility. Copilot supports structured logs, semi-structured logs (partial JSON), and unstructured logs (e.g., Palo Alto Firewall) when Field Extraction Rules (FERs) are applied. This ensures valuable insights across a variety of log formats.
  • Enhanced query experience. Auto-complete to streamline natural language queries.

Security and compliance​

Copilot leverages foundational models available through Amazon Bedrock. As a result, our Copilot compliance and security posture are inherited from Amazon Bedrock. For detailed information, refer to the following Amazon Bedrock security and compliance resources:

Additionally, all aspects of our service, including Copilot, adhere to the security and compliance requirements outlined in our service agreement or in individually negotiated contracts.

Who benefits from Copilot?​

Copilot is ideal for users of all skill levels:

  • On-call engineers. Accelerate time to resolution by surfacing key troubleshooting insights.
  • Security engineers. Obtain security insights rapidly for faster security incident resolution.
  • Early career professionals. Simplifies troubleshooting with natural language queries, making incident resolution accessible to those unfamiliar with query syntax.
  • Practitioners. Speeds up workflows with auto-complete and context-aware suggestions for frequent tasks.
  • Experts. Provides IDE-style assistance for crafting complex queries efficiently.

How to use Copilot​

In this section, you'll learn the recommended workflow for using Copilot effectively, along with best practices to maximize its benefits.

Step 1: Open Copilot​

To start using Copilot:

From the Classic UI, navigate to the Copilot tab.
Copilot tab

From the New UI, click Copilot in the left nav.
Copilot tab

Step 2: Review the auto-selected source​

Review the auto-selected Source Category and adjust it if needed. The source category is selected based on Copilot’s assessment of user intent. You can also type a source expression in the box. In either approach, you are defining the scope of your exploration.

In this example, we'll select a source for AWS WAF. For indexes, type _index=<index name>. Autocompletion is supported for sources; type a few words, view source suggestions and pick one.

Copilot source category

Step 3: Execute a Suggestion​

Click on any of the prebuilt Suggestions prompts to launch your investigation. These AI-curated natural language insights are tailored to the specific source you've chosen.

In this example, we'll click Count the number of log entries by the collector ID. This translates the insight to a log query and renders results.

Copilot time period

Step 4: Ask a question​

In the Ask Something... field, you can manually enter a natural language prompt similar to the prebuilt ones under Suggestions. In addition, use autocompletions if appropriate. Type a word in the search bar to trigger completions based on the keyword.

Copilot time period

Video: Autocomplete in action​

Broad questions may not yield accurate results. For best outcomes, frame your queries around a small, well-defined problem. If Copilot is unable to translate your prompt into a query, it will display "Failed translation".

Break your questions into smaller, specific requirements to help Copilot provide more accurate answers.
Copilot time period

Tips and tricks​

  • Start with a broad query. Begin with a query like Show me the most recent logs to understand the structure and available fields in your logs.
  • Disambiguate field names. If fields have similar names and cause confusion, explicitly specify the field (e.g., <field_name>) to improve accuracy.
  • Experiment with phrasing. Try multiple variations of a query to provide context and receive more relevant suggestions.
  • Include time or variations to add timeslice as a dimension. When timeslicing data, include the term time in your query. For example: Count requests, every 1m, different code challenges and user used during login attempts by time.
  • Explore context-aware suggestions. Use prompts like Calculate 95th percentile latency or Visualize request volumes over time to quickly surface key metrics.
  • Detect malicious activity. Try queries like Count register requests by 503 status code, IP, and threat confidence to uncover potential DDoS attacks.

Below are examples of how you can phrase queries if the autocompletions and contextual suggestions are not relevant to you:

  • Count logs by [field(s)] and Group logs by [field(s)] produce the same result
  • Sort by [field(s)] [in descending order]
  • Percentage by [field] values
  • Find [stat] for [field] (max, min, standard deviation, etc.)
  • Filter by [field] contains [keyword]
    note

    Keyword searches are case-sensitive.

  • Apply logreduce to logs

More examples:

  • Detecting malicious activity:
    Count logs by action. Sort the results.
    Filter results by action contains Malicious.
  • Advanced analysis with users and URLs:
    Count logs by action, url, user.
    Sort the results. Filter results by action contains Malicious.
  • Root cause analysis for latency:
    Calculate 95th percentile latency by service and API.

Additional prompts can trigger more advanced activities (e.g., mapping network activity against CrowdStrike):

  • Analyze risk and severity of network activity
  • Identify top application categories accessed

Time range​

By default, Copilot searches run with a 15-minute time range. If your search returns no results, consider expanding the time range.

  1. Click the clock icon and select your desired time range from the dropdown.
    Copilot time period
  2. Click the search button.
    Copilot search button

Chart type​

Copilot will automatically attempt to visualize your data. For example, a query like Top ip by geo will trigger a geo lookup and display the results on a map:

Copilot chart types

The following rules are used to deduce chart type:

  • If both latitude and longitude fields exist, it returns a MAP chart type.
  • If there is only one field and one record, it returns an SVP chart type. Example query: (_sourceCategory=ic/linux/gcp) | count by %"_sourcename" | count
  • If a sort operator is present and there are string fields, it returns a TABLE. Given that there is a sort operator, probably the user is interested in count. Query: (_sourceCategory=ic/linux/gcp) | count by %"_sourcename" | sort by _count
  • If there is a _timeslice field, it returns a LINE chart type if there are numeric fields or a TABLE chart type if there are string fields.
  • If there is one string field, one numeric field, and record count is less than 6, it returns a PIE chart type. Query: (_sourceCategory=ic/linux/gcp) | count by %"_sourcename".
  • If there is one string field, less than 3 numeric fields, and record count is less than 20, it returns a LINE chart.
  • If none of the above conditions are met, it defaults to returning a TABLE chart type.

If required, select your preferred chart type, such as Table, Bar, Column, or Line view to visualize your results. You can also click Add to Dashboard to export an AI-generated dashboard for root cause analysis.

Copilot chart types

Edit query code​

You can manually edit your log search query code if needed.

  1. Click in the code editor field and edit your search. New to Sumo Logic query language? Learn more in the Search Query Language guide.
    Copilot time period
  2. When you're done, press Enter or click the search button.
    Copilot time period
tip

To save space, you can use the Hide Log Query icon to collapse the log query code.
Copilot time period

Compatible Log Formats​

Copilot querying is compatible with JSON logs, partial JSON logs, and unstructured logs with Field Extraction Rules. It cannot be used to query metrics or trace telemetry.

To retrieve a list of _sourceCategories with JSON data, use the following query:

_sourceCategory=* "{" "}"
| limit 10000 | logreduce keys noaggregate
| count by _sourceCategory, _schema
| where _schema != "unknown"
| sum(_count) by _sourceCategory

If your log query contains a mix of JSON and non-JSON formatting (i.e., a log file is partially JSON), you can isolate the JSON portion by adding { to the source expression to trigger Suggestions.
Copilot JSON formatting

History​

Conversation History saves all previous queries and suggestions, allowing you to backtrack and refine your investigation. For example, if a status code analysis yields inconclusive results, revisit earlier queries to explore other hypotheses.

This functionality comes in handy when you're working on multiple incidents at the same time. To view Copilot interactions related to an incident, click History.


Copilot History

You can resume a conversation in two ways:

  • Click the Resume conversation icon to pick up from the last query in a conversation.
    Copilot History
  • Click on the row in the conversation history, and then click the gray area on the right side to resume from a specific query in a conversation.
    Copilot History

New Conversation​

To start a fresh exploration, click New Conversation. This clears your current session and allows you to begin with a clean slate.
Copilot new conversation

Click the Open in Log Search icon, which will copy your query from Copilot over to a new log search, allowing you to utilize all of Sumo Logic's search functionality. You can continue investigating, save the search, and remediate.

Copilot open in log search

Example queries​

Logs for security​

In the video, Copilot is used to investigate a security issue involving the potential leak of AWS CloudTrail access keys outside the organization.

The video demonstrates how to use Copilot to analyze AWS CloudTrail data, review AI-curated suggestions, refine searches using natural language prompts, and generate an AI-driven dashboard for root cause analysis and sharing.

Cloud SIEM​

You are a SecOps engineer who uses Cloud SIEM. You are worried about a signal in Cloud SIEM regarding malicious network activity. You want to investigate network records and be proactive. You are under pressure to complete your investigation quickly. While familiar with Sumo Logic, you do not write log queries every day and could use a little help. Fortunately, all your Cloud SIEM records are in Sumo Logic.

  1. In Copilot, you type the source for Cloud SIEM network records:
    _index=sec_record_network
  2. You know what you are looking for. So, you ask:
    Count logs by action. Sort the results.
    Copilot tab
  3. As soon as you do that, you can look at the Suggestions section on the right. These suggestions are curated based on their relevance to this Cloud SIEM source. You pick a suggestion to compare results to the last hour:
    Count logs by action. Sort the results. versus the previous 1h
    Notice the system translated the suggestion to a log query and rendered results as a bar graph with no user input.
    Copilot tab
  4. Switching to table view, you notice "Malicious” in the search results. So, you add in Filter results by action contains Malicious to the query:
    Count logs by action. Sort the results. Filter results by action contains Malicious.
    Copilot tab
    note

    If Malicious doesn't work, try Malicious*. Sumo Logic is case sensitive.

  5. Next, you look for URLs that pertain to the malicious action:
    Count logs by action, url, user. Sort the results. Filter results by action contains Malicious.
    Copilot tab
  6. Even though the activity was blocked, you can investigate the affected users in the endpoint records next.

To summarize, you conclude there is malicious activity originating from certain users who need to be investigated further.

Role Based Access Control​

Role Based Access Control is not supported for contextual suggestions and autocompletions. It is possible for a user who is blocked by log search RBAC to view suggestions or completions for unpermitted source expressions. However, they will not be executed by the search.

Feedback​

We want your feedback! Let us know what you think by clicking the thumbs up or thumbs down icon and entering the context of your query.

Copilot feedback icons

You can also leave feedback on specific errors.

Copilot feedback icons

Opt out​

To opt out of Copilot, contact our support team.

Status
Legal
Privacy Statement
Terms of Use

Copyright Β© 2024 by Sumo Logic, Inc.