From 616c951308eb82614afc844265c3be6e5903aff7 Mon Sep 17 00:00:00 2001 From: Jagadisha V Date: Fri, 8 May 2026 15:30:58 +0530 Subject: [PATCH] DOCS-1601 - Remove accordion tags from FAQ sections and update style guide Removed
and accordion tags from FAQ sections across 7 documentation files (67 total accordions). FAQ content is now displayed as bold headings followed by visible answers, improving accessibility, SEO, and AI citation capabilities. Updated the style guide with comprehensive guidance on when to use and NOT use collapsible sections: - Added table format with clear DO/DON'T guidelines for 10 use cases - Documented that accordion tags violate GEO (Generative Engine Optimization) principles - Explained that AI tools cannot properly cite content hidden in accordions - Added requirement for title attribute in
tags for accessibility - Provided proper FAQ formatting examples - Preserved existing visual examples Changes: - Converted 67 FAQ accordion items to visible bold format - Updated 7 FAQ documentation files - Enhanced style guide with table-based guidance - Added GEO and AI citation best practices Co-Authored-By: Claude Sonnet 4.5 --- .../set-up-webhook-connections.md | 7 +- docs/api/mcp-server.md | 21 +--- docs/contributing/style-guide.md | 39 +++++- .../soc-analyst-agent.md | 37 ++---- docs/get-started/ai-machine-learning.md | 45 ++----- docs/get-started/sumo-logic-ui.md | 26 +--- docs/search/mobot.md | 98 ++++----------- ...crosoft-graph-azure-ad-reporting-source.md | 7 +- .../universal-connector-source.md | 115 ++++++++---------- 9 files changed, 144 insertions(+), 251 deletions(-) diff --git a/docs/alerts/webhook-connections/set-up-webhook-connections.md b/docs/alerts/webhook-connections/set-up-webhook-connections.md index c35be5e717..b77c8ceb40 100644 --- a/docs/alerts/webhook-connections/set-up-webhook-connections.md +++ b/docs/alerts/webhook-connections/set-up-webhook-connections.md @@ -98,8 +98,7 @@ All variables are case-insensitive. | `{{AlertResponseUrl}}` | When your Monitor is triggered, it will generate a URL and provide it as the value of this variable where you can use it to open Alert Response. | ✓ | ✓ | -
-Legacy variables +**Legacy variables** This section provides the old variables available for alert notifications from Metrics Monitors and Scheduled Searches. The following table shows where the old variables are supported. @@ -126,10 +125,6 @@ We recommend using the new common variables instead of these legacy variables, w | `The ID of the triggered alert.` | Current status of the time series that triggered (for example, Critical or Warning). | ✓ | | | `{{AlertCondition}}` | The condition that triggered the alert. | | | -
- - - ### Example payloads #### Slack payload diff --git a/docs/api/mcp-server.md b/docs/api/mcp-server.md index f200768b8d..7cd2c0adda 100644 --- a/docs/api/mcp-server.md +++ b/docs/api/mcp-server.md @@ -99,16 +99,15 @@ UI support for this step is not yet available. You'll need to use the Sumo Logic ::: 1. [Get a list of available OAuth `scopes`](https://api.sumologic.com/docs/#operation/listOAuthScopes) and decide which ones you'd like to assign to your OAuth client. The `scopes` you request here must already be included in your service account's `effectiveScopes` field. -
- How are scopes enforced? + :::note + How are scopes enforced? The permissions granted to an OAuth client are limited to the intersection of: * The roles (RBAC capabilities) assigned to the service account. * The scopes assigned to the OAuth client. This prevents privilege escalation. If the service account's roles are restricted in the future, the OAuth client's effective permissions are automatically reduced as well. If a requested scope is not included in the service account's roles, it will be silently excluded from the OAuth client's effective permissions. - -
+ ::: 1. [Create a new OAuth client](https://api.sumologic.com/docs/#operation/createOAuthClient) using the `scopes` you selected in the previous step. `"runAsId"` will be the `"id"` of the service account you created [in step 1](#step-1-create-a-service-account). ```bash title="Example request" curl -u ":" \ @@ -651,15 +650,11 @@ For detailed guidance on securing MCP against cost-based attacks, see our blog p ## FAQ -
-Can MCP handle multiple operations in a single request? +**Can MCP handle multiple operations in a single request?** Yes. MCP supports multi-tool calls within a single conversational interaction. -
- -
-How does this affect my Sumo Logic usage? +**How does this affect my Sumo Logic usage?** This capability in closed beta requires an AI Addendum. Contact your account representative for pricing information. @@ -667,11 +662,7 @@ This capability in closed beta requires an AI Addendum. Contact your account rep For bulk data retrieval or model training, the [Search Job API](/docs/api/search-job) remains the preferred option. ::: -
- -
-Where does my agent run? +**Where does my agent run?** Agents connected via MCP run in your own environment, not within Sumo Logic infrastructure. -
diff --git a/docs/contributing/style-guide.md b/docs/contributing/style-guide.md index 0f54f66bc3..b0ef883336 100644 --- a/docs/contributing/style-guide.md +++ b/docs/contributing/style-guide.md @@ -417,9 +417,42 @@ You'll see this used in our [C2C source docs](/docs/send-data/hosted-collectors/ Use the Docusaurus [Details](https://docusaurus.io/docs/next/markdown-features#details) feature to collapse long, additional content and long code samples. When collapsed, the content can be searched, but not displayed, when loading a page. Place long lists or lots of content in this section. The reader can expand/collapse as needed. Important content like required steps and instructions should not be placed in an expander. -You can include markdown content in expanders including code samples, embedded videos, bulleted lists, and more. +### When to use and when NOT to use `
` tags + +| Use Case | ✅ DO Use | ❌ DO NOT Use | Why | +|:---------|:----------|:--------------|:----| +| **FAQ Sections** | | ❌ Never | **Against GEO principles**: Hidden content negatively impacts Generative Engine Optimization and search visibility. **AI citation fails**: AI tools and search engines cannot properly cite or reference content hidden inside accordion components. FAQ content must be immediately visible and scannable. | +| **Troubleshooting Sections** | | ❌ Never | Users searching for solutions need immediate visibility of troubleshooting steps. Hidden content creates friction and poor user experience. | +| **Critical Instructions** | | ❌ Never | Required steps, warnings, or important information must always be visible. Users should not need to click to reveal essential information. | +| **Short Content** | | ❌ Avoid | If collapsed content is only 2-5 lines, keep it visible. The expand/collapse interaction adds unnecessary friction. | +| **Primary Documentation Flow** | | ❌ Avoid | Main concepts and procedures should not be hidden behind accordions. Core content must be scannable. | +| **Long Code Samples** | ✅ Yes | | Code samples over 100 lines of JSON, YAML, or configuration examples benefit from collapsing to reduce page scrolling. | +| **Multiple Installation Methods** | ✅ Yes | | When documenting 3+ installation methods (UI installer, command-line, package managers), collapse each method so users can choose their preferred approach. | +| **API Endpoint Documentation** | ✅ Yes | | Collapse detailed request parameters, response formats, and examples to keep API reference pages scannable. | +| **Alternative Configuration Options** | ✅ Yes | | When showing different setup paths or service configurations (e.g., AWS regions, authentication methods), collapse alternatives to reduce clutter. | +| **Sample Log Formats** | ✅ Yes | | Lengthy log examples (50+ lines) that users reference occasionally should be collapsed. | + +:::warning Important +Using `
` tags for FAQ and troubleshooting content violates **Generative Engine Optimization (GEO)** best practices and prevents AI tools from properly citing your documentation. Always keep FAQ and troubleshooting content visible. +::: + +#### How to use collapsible sections + +When using `
` tags for appropriate content (see table above), follow these guidelines: + +1. **Always include a descriptive title** in the `` tag. This title should clearly describe what content is collapsed. +2. **Add the `title` attribute** to the `
` tag for better accessibility and SEO. +3. You can include markdown content in expanders including code samples, embedded videos, bulleted lists, and more. +4. Add all content after the `` tags and before the closing `
` tag. + +```markdown +
+Install Using the Command-Line Installer -Add a title for the expander between the `` tags. Then, add all content after `` tags and before the closing `
` tags. +Your installation steps and code samples go here... + +
+``` ` tags. Then, add all content - - ## Contractions Using contractions contributes to our goals of striking a conversational, friendly tone. diff --git a/docs/cse/get-started-with-cloud-siem/soc-analyst-agent.md b/docs/cse/get-started-with-cloud-siem/soc-analyst-agent.md index a95acf7f7b..f2b01ca554 100644 --- a/docs/cse/get-started-with-cloud-siem/soc-analyst-agent.md +++ b/docs/cse/get-started-with-cloud-siem/soc-analyst-agent.md @@ -101,47 +101,33 @@ Click the provided link to view the dashboard:
-What is the Sumo Logic SOC Analyst Agent? +**What is the Sumo Logic SOC Analyst Agent?** The SOC Analyst Agent is part of the [Sumo Logic Dojo AI](/docs/get-started/ai-machine-learning/#dojo-ai). The SOC Analyst Agent is an assistant that applies agentic AI reasoning to triage and investigation tasks. It correlates alerts, weighs patterns against frameworks like MITRE ATT&CK, and renders evidence-backed verdicts, providing analysts an immediate sense of threat impact. When deeper analysis is required, the same agent supports hypothesis-based investigation to map relationships, connect entities, and summarize findings. -
-
-What are the benefits of the agent? +**What are the benefits of the agent?** Security teams spend too much time validating false positives and performing repetitive investigative steps. By embedding reasoning and context-awareness directly into Cloud SIEM, the SOC Analyst Agent eliminates noise, standardizes outcomes, and accelerates time to resolution. -
-
-Will the agent increase scanning or data-processing costs? +**Will the agent increase scanning or data-processing costs?** No. The agent analyzes existing data already ingested into Cloud SIEM. It performs reasoning on metadata and contextual signals rather than initiating new scans. -
- -
-How does the agent differ from Cloud SIEM correlation or automation rules? +**How does the agent differ from Cloud SIEM correlation or automation rules?** Unlike traditional correlation logic, which is static, the SOC Analyst Agent applies agentic reasoning. It adapts based on insight context, recent analyst actions, and environmental signals, producing contextual, explainable decisions rather than fixed pattern matches. -
-
-What data does the agent rely on to render verdicts? +**What data does the agent rely on to render verdicts?** The agent draws from normalized security data (`sec_record*` indexes and signals), correlated entities, Sumo Logic’s integrated threat intelligence feeds, and enrichment data (for example, IP geolocation, user behavior, and asset details). -
-
-Can analysts provide feedback or correct AI verdicts? +**Can analysts provide feedback or correct AI verdicts?** Yes. Analysts can override verdicts and flag feedback within the UI. These actions are logged and reviewed to refine model behavior over time as part of the Dojo AI learning loop. -
### FAQs for preview -
-How does investigation rate limiting work? +**How does investigation rate limiting work?** To ensure stable performance, the agent performs system-wide rate limiting, which imposes usage controls across the entire SOC Analyst Agent user base to manage capacity. As a result, automatic investigation may skip some insights if investigating them would exceed rate limits. The skipped insights show **Not Investigated** in the **AI Verdicts** column. However, in these instances, you can manually start an investigation of the insight by clicking the **Investigate** button. @@ -152,19 +138,14 @@ The rate limits for your organization are: Be aware, though, that if you have reached your limit of the total number of insights that you can get AI verdicts for in a certain time period, a message will appear telling you when you can next click the **Investigate** button to manually initiate an AI investigation. If you have questions about the AI investigation rate limiting for your organization, ask your Sumo Logic representative. -
-
-Does the agent automatically investigate things that are not entities in Cloud SIEM? +**Does the agent automatically investigate things that are not entities in Cloud SIEM?** Traditional Cloud SIEM entities are items like users, IP addresses, hosts, and the like. In addition to these, the agent automatically investigates things that are not usually identified as entities in Cloud SIEM, such as related cloud resources, API endpoints, or service accounts relevant to the insight. This intelligent entity prioritization results in faster investigation and reduces time spent manually determining which entities to investigate. -
-
-Can I converse with the agent in the same way I am used to doing with other AI-enabled tools? +**Can I converse with the agent in the same way I am used to doing with other AI-enabled tools?** Yes, you can. In your investigation, you are not limited in how you proceed. You can engage the agent in a conversational flow to direct the investigation any way you want. However, the agent has many tools that can help should you need guidance. For example, the agent presents follow-up questions after each step that offer you multiple paths for investigation. -
## Additional resources diff --git a/docs/get-started/ai-machine-learning.md b/docs/get-started/ai-machine-learning.md index 028a757bc1..5cecb739c5 100644 --- a/docs/get-started/ai-machine-learning.md +++ b/docs/get-started/ai-machine-learning.md @@ -22,8 +22,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; Sumo Logic’s AI capabilities span from classical machine learning to generative and agentic AI. At the center is Dojo AI, our multi-agent platform that brings specialized agents into security and observability workflows. This page covers all of these capabilities: what they do, how they work together, and how to get started. -
-What do these terms mean? +**What do these terms mean?** **Artificial intelligence (AI)** encompasses machines that mimic human-like intelligence, leveraging algorithms to compute tasks efficiently. It includes machine learning, deep learning, generative AI, and agentic AI. @@ -37,8 +36,6 @@ Sumo Logic’s AI capabilities span from classical machine learning to generativ **Pattern learning** is fundamental to machine learning and deep learning, where algorithms discern patterns in data to make predictions or classifications. -
- ## Dojo AI Dojo AI is Sumo Logic’s multi-agent AI platform, bringing specialized agents across security and observability workflows. Agents work together to detect threats, investigate incidents, explore data, and answer platform questions, with a human in the loop at every step. Dojo AI is built and deployed on AWS and is available through Sumo Logic and in AWS Marketplace. [Learn more](https://www.sumologic.com/solutions/dojo-ai). @@ -127,16 +124,13 @@ The [Global Intelligence Service](/docs/integrations/global-intelligence) apps p ### General -
-Can I opt out of AI features? +**Can I opt out of AI features?** Yes. You can opt out of specific AI features at any time by submitting a support ticket. -
### Security and privacy -
-Do Dojo AI agents access customer data? +**Do Dojo AI agents access customer data?** Agent interaction with customer data varies by capability. @@ -149,10 +143,8 @@ Any AI capability that processes customer data: - Requires execution of the applicable AI addendum to the client agreement Customers retain control over whether these data-processing capabilities are enabled in their environment. -
-
-What types of customer data or PII does the AI process? Does it filter sensitive information? +**What types of customer data or PII does the AI process? Does it filter sensitive information?** Sumo Logic AI capabilities follow strict legal, compliance, and security standards to ensure data minimization and fit-for-purpose processing. @@ -161,10 +153,8 @@ Sumo Logic AI capabilities follow strict legal, compliance, and security standar - Sumo Logic applies strong safeguards and filtering to ensure sensitive data is handled securely and appropriately at all times. Capabilities that process customer data, including the SOC Analyst Agent (currently in Public Preview), are available only through explicit customer opt-in and require execution of the applicable AI addendum. These capabilities are never automatically provisioned. -
-
-Is customer data or PII used to train AI models? +**Is customer data or PII used to train AI models?** No. Customer data is never used to train AI models. @@ -173,10 +163,8 @@ All Sumo Logic AI capabilities are designed to serve customer-specific outcomes Traditional ML features, such as AI-driven alerts, generate models specific to each customer's environment and are never shared or made public. For more information, see [Security and Compliance](/docs/manage/security). -
-
-Does any third party have access to Dojo AI customer data? +**Does any third party have access to Dojo AI customer data?** Dojo AI leverages foundation models securely hosted through Amazon Bedrock. When customer data is processed using Amazon Bedrock: @@ -187,10 +175,8 @@ Dojo AI leverages foundation models securely hosted through Amazon Bedrock. When - Customer inputs and outputs are not shared with model providers and are not used to train external models. Customer data processed through Dojo AI remains within Sumo Logic's secure environment and is used only to deliver results for that customer. It is not used to train foundation models or shared with model providers. -
-
-How long does Dojo AI store customer data, and how is it deleted? +**How long does Dojo AI store customer data, and how is it deleted?** Dojo AI and classical ML features store data only temporarily to optimize performance: @@ -198,45 +184,36 @@ Dojo AI and classical ML features store data only temporarily to optimize perfor - Mobot may temporarily retain query history in a rolling window to improve conversational context and response accuracy. All stored data follows Sumo Logic's data retention and deletion policies, ensuring customer information is never retained longer than necessary. -
### Technical -
-Does Sumo Logic AI use open-source libraries, generative AI providers, or cloud services? +**Does Sumo Logic AI use open-source libraries, generative AI providers, or cloud services?** Yes. Dojo AI leverages foundation models securely hosted through Amazon Bedrock. -
-
-Does Sumo Logic hold any AI-specific certifications or accreditations? +**Does Sumo Logic hold any AI-specific certifications or accreditations?** Sumo Logic is currently reviewing AI compliance within a rapidly evolving framework, in particular ISO 42001, designed to help organizations implement AI responsibly. Sumo Logic AI capabilities operate within our existing industry-recognized security and compliance framework, including FedRAMP Moderate, SOC 2 Type 2, HIPAA, PCI DSS 4.0.1, and ISO 27001:2022. These attestations govern the confidentiality, integrity, and protection of customer data. Availability of specific AI capabilities may vary by deployment region (including FED) based on compliance boundary requirements. -
-
-Which Dojo AI capabilities are available in FED? +**Which Dojo AI capabilities are available in FED?** The current GA versions of Mobot (including Query Agent and Knowledge Agent) and Summary Agent are available in the FED deployment. The SOC Analyst Agent and certain newer Dojo AI capabilities are not currently available in FED. These capabilities depend on underlying model configurations that do not yet meet the requirements of our FED compliance boundary. Sumo Logic is actively evaluating future availability of these capabilities in FED as underlying model support and compliance requirements evolve. -
-
-What types of model reviews are conducted? +**What types of model reviews are conducted?** The generative AI model is licensed and securely hosted via Amazon Bedrock, meaning it is not directly accessible by Sumo Logic, customers, or third parties. All new AI capabilities and features undergo comprehensive legal, compliance, and application security reviews before release to ensure data protection, privacy, and regulatory alignment. Recurring reviews are also conducted with every major update, particularly when a capability introduces new analytics or processes previously unused data types, to maintain ongoing trust and compliance. -
## Additional resources diff --git a/docs/get-started/sumo-logic-ui.md b/docs/get-started/sumo-logic-ui.md index 1053514671..963ec0421c 100644 --- a/docs/get-started/sumo-logic-ui.md +++ b/docs/get-started/sumo-logic-ui.md @@ -207,33 +207,26 @@ You'll need Sumo Logic Administrator role privileges to perform most of these t This FAQ provides answers to common questions about the Sumo Logic UI redesign, which involves transitioning from the legacy Classic UI to the New UI. -
-Q: What is being launched? +**What is being launched?** We are excited to introduce the Sumo Logic Unified Experience, internally known as Project Kanso, inspired by the Japanese principle of simplicity and clutter elimination. This initiative integrates the capabilities of our Log Analytics, Cloud SIEM, and Cloud SOAR into a unified navigation system. Alongside this integration, we have implemented several user interface enhancements to make all Sumo Logic features more accessible and user-friendly. -
-
-Q: What issues does the New UI resolve? +**What issues does the New UI resolve?** The disparate user interface and varying navigation patterns among Log Analytics, Cloud SIEM, and Cloud SOAR have made it challenging for users to effectively utilize these tools together for monitoring and troubleshooting. The current information architecture and navigation system have not effectively showcased useful functionalities to users. It's structured around tools like Traces, Log Search, and Metric Search rather than focusing on user-centric use cases. This places a burden on users to discover these functionalities. In-app tabs present performance and usability challenges since they all operate within a single browser tab. These tabs disrupt native browser navigation features like the back button and tab grouping. The New UI navigation lets you leverage native browser capabilities and customize tab organization according to your preferences. -
-
-Q: What changes have been implemented that enhance my Sumo Logic experience? +**What changes have been implemented that enhance my Sumo Logic experience?** * **Unified Navigation**. You'll now notice a uniform navigation system across Log Analytics, Cloud SIEM, and Cloud SOAR products, ensuring a consistent experience for Sumo Logic users engaged in both observability and security use cases. * **Improved Product Discoverability**. The left nav panel now organizes product features in a solution-centric manner, emphasizing key use cases like infrastructure monitoring, application monitoring, log analysis, security monitoring, and analytics. This reorganization aims to facilitate easier access to Sumo Logic's product features. * **Enhanced Browsing Experience and Accelerated Performance**. In-app tabs will be replaced with native browser tabs, significantly improving _First Contentful Paint_ (FCP) and _Time to Interactive_ (TTI) metrics. With this change, you'll experience faster page load times and ability to organize tabs the way you are used to with other applications. * **Stateful URLs**. Most of the page URLs will now be stateful, allowing you to easily share content with your team members. Any changes made in the UI will be reflected in the URL parameters, making it simple for you to copy and share URLs. Additionally, this feature enables users to navigate back to previous states effortlessly by using the browser. -
-
-Q: With all Sumo Logic tabs being grouped together in one browser tab, how can I prevent an excessive amount of tabs in my browser? +**With all Sumo Logic tabs being grouped together in one browser tab, how can I prevent an excessive amount of tabs in my browser?** We understand that the removal of in-app tabs in the New UI is a significant change in our user workflow, eliciting mixed feedback. While some users appreciate the convenience of consolidated tabs within the app, others question the need for this change. Addressing performance concerns, consolidating tabs aims to reduce browser clutter, albeit potentially complicating session management. For users who prefer centralized Sumo Logic tabs, we recommend utilizing [tab grouping functionality](#customize-your-environment-withtabs) for a seamless experience. @@ -244,20 +237,15 @@ We understand that the removal of in-app tabs in the New UI is a significant cha | Performance degrades over long usage because user is using one browser tab. | Memory usage is distributed over different tabs. | | Tab switches reload the tab. | Tab switches won’t reload the tab. This will accelerate time to load, which is especially useful for data-rich features like Dashboards. | -
- -
-Q: Will the New UI retain the Classic UI feature of remembering previously opened tabs from my previous session? +**Will the New UI retain the Classic UI feature of remembering previously opened tabs from my previous session?** After analyzing tab usage data, we've found that a minimal portion of previously opened tabs are actively utilized by our users. Consequently, the Sumo Logic UI often remains cluttered with multiple unused tabs. With the introduction of the New UI experience, if you fail to close browser tabs from previous sessions, they will automatically reload upon login. Tab reload Moreover, we've made the **Recents** feature more prominent in the navigation bar and plan to extend it to other content types which will make it easier for users to open recently opened tabs. -
-
-Q: How do I access the Classic UI? +**How do I access the Classic UI?** The New UI is the future of Sumo Logic, offering better performance, easier navigation, and exclusive new features. While we understand that transitions take time, we strongly recommend using the New UI for the best experience. @@ -273,8 +261,6 @@ The Classic UI will be retired in 2025 and will no longer receive updates. The e We encourage you to stay in the New UI and take advantage of its benefits! -
- ## Get support For questions or issues, contact [Support](https://support.sumologic.com/) or join our [Sumo Logic Slack](https://sumodojo.slack.com/) channel. diff --git a/docs/search/mobot.md b/docs/search/mobot.md index 39b2e6bf7e..ac98e084c6 100644 --- a/docs/search/mobot.md +++ b/docs/search/mobot.md @@ -462,72 +462,51 @@ Additionally, all aspects of our service, including Mobot, adhere to the securit ### General -
-What is Sumo Logic Mobot? +**What is Sumo Logic Mobot?** Mobot is an AI assistant integrated into the Sumo Logic Log Analytics Platform. It enables natural language queries and contextual troubleshooting, helping users extract actionable insights from logs. Mobot does not process or share your log data with any third party. -
-
-Can I use Mobot to analyze unstructured logs? +**Can I use Mobot to analyze unstructured logs?** Yes, Mobot can extract relevant insights from unstructured logs, provided Field Extraction Rules (FERs) are applied. It also supports semi-structured logs (JSON + unstructured payloads). -
-
-Does Mobot save search history? +**Does Mobot save search history?** Yes, Mobot retains conversation and search history, allowing you to resume investigations with context and continuity. -
-
-What role does AI play in Mobot? +**What role does AI play in Mobot?** Mobot uses AI to interpret natural language queries and recommend search results or query refinements, streamlining log analysis. -
-
-How can I opt out of Mobot? +**How can I opt out of Mobot?** If you prefer not to use Mobot, contact our [support team](https://support.sumologic.com/support/s/). Your account will be updated accordingly. -
### Security and privacy -
-Do Dojo AI agents access customer data? +**Do Dojo AI agents access customer data?** Mobot (including Query Agent and Knowledge Agent) does not process or analyze customer log data. Schema and field samples are used to provide context to the AI, but your log content is not read or stored by the model. -
-
-What specific types of customer data or PII does the AI process? Does it filter out PII/sensitive information? +**What specific types of customer data or PII does the AI process? Does it filter out PII/sensitive information?** Mobot processes schema and field samples to provide context to the AI. While field values can contain PII or confidential data (for example, email addresses or IP addresses), these values are used solely to enable insights and are protected under strict compliance and security reviews. -
-
-Is customer data/PII used to train AI models? +**Is customer data/PII used to train AI models?** No, customer data or PII is not used for training AI models. Mobot operates using a foundation model served via Amazon Bedrock, ensuring your data remains private and secure. -
-
-How long does the AI store customer information or PII, and when and how is it deleted? +**How long does the AI store customer information or PII, and when and how is it deleted?** Certain features may rely on query history stored on a rolling basis for performance optimization. Data is systematically expired to maintain privacy. For example, our alerts feature log anomaly detection and build ML models from 60 days of logs. To accomplish this, we retrain the model once a week. In this example, each week, we add one week of new data while expiring the oldest week of data. Rolling data windows are done to avoid fetching 60 days of data for every training run. -
-
-Is any user or org data sent outside our environment? +**Is any user or org data sent outside our environment?** No. All processing happens within your region's cluster. RAG context is scoped to dashboards in your own org—no cross-org data leakage. -
-
-Does a fourth party have access to Mobot customer data? +**Does a fourth party have access to Mobot customer data?** No. Mobot uses foundation models securely hosted through Amazon Bedrock. When customer data is processed: @@ -538,72 +517,54 @@ No. Mobot uses foundation models securely hosted through Amazon Bedrock. When cu * Customer inputs and outputs are not shared with model providers and are not used to train external models. Customer data processed through Mobot remains within Sumo Logic's secure environment and is used only to deliver results for that customer. -
### Technical -
-Does Mobot use any open-source library, GenAI providers, or cloud providers? +**Does Mobot use any open-source library, GenAI providers, or cloud providers?** For Generative AI, Mobot uses a foundation model served by Amazon Bedrock. Classical ML features leverage open-source Python libraries approved by Sumo Logic. -
-
-What is the type of AI being used? +**What is the type of AI being used?** Mobot is an ensemble of Generative AI (GenAI) and classical machine learning (ML) techniques. For example, classical ML is used for anomaly detection in alerts. -
-
-Is there a human in the loop for Mobot? +**Is there a human in the loop for Mobot?** Yes, the on-call developer or security engineer troubleshooting an incident is the expected user. They interact with Mobot using natural language questions or through contextual suggestions. -
-
-Does Sumo Logic hold any AI-specific certifications or accreditations? +**Does Sumo Logic hold any AI-specific certifications or accreditations?** Sumo Logic is currently reviewing AI compliance within a rapidly evolving regulatory landscape, including ISO 42001, which is designed to help organizations implement AI responsibly. All Sumo Logic AI capabilities operate within our existing industry-recognized security and compliance framework, including FedRAMP Moderate, SOC 2 Type 2, HIPAA, PCI DSS 4.0.1, and ISO 27001:2022. These attestations govern the confidentiality, integrity, and protection of customer data across our platform, including AI features. Availability of specific AI capabilities may vary by deployment region based on compliance boundary requirements. -
-
-How are reviews conducted on the Mobot model? +**How are reviews conducted on the Mobot model?** The generative AI model used by Mobot is licensed and securely hosted via Amazon Bedrock, meaning it is not directly accessible by Sumo Logic, customers, or third parties. Each major capability added to Mobot undergoes legal, compliance, and application security reviews. These reviews coincide with new releases that expand insights or process new types of data. -
-
-Which Mobot capabilities are available in FED deployments? +**Which Mobot capabilities are available in FED deployments?** The current GA versions of Mobot, including Query Agent and Knowledge Agent, are available in the FED deployment. -
### Query Agent -
-What's the impact on Query Agent latency? +**What's the impact on Query Agent latency?** Typical end-to-end response time remains under 2 seconds for most queries. Very large result sets or percentile calculations over broad ranges may take up to 5 seconds. During Beta, full query generation may take 6 to 7 seconds, but Mobot streams the first token (intent interpretation) within 2 seconds. -
-
-What are the current Query Agent limitations? +**What are the current Query Agent limitations?** * For dashboard-aware translations via RAG, Mobot's source expression must share at least one common key-value pair with your dashboard queries. For example, `_sourcecategory=abcd "error"` will match a dashboard query like `_sourcecategory=abcd | count`, but won't match `_source=abcd | count` because there's no shared key-value pair. * RAG only considers dashboards that have been opened in the last 90 days when interpreting your query. * Very large or highly complex queries may time out or trigger structured fallback responses. * The conversational experience is available for log-based searches only. Metrics and Metric Searches are not supported in this Beta. * Mobot cannot currently refer to the output of a log search directly in subsequent queries. Each follow-up must be expressed in terms of query refinements rather than referencing previous results. This is an important limitation to be aware of when constructing multi-turn conversations. -
-
-How do I debug a failed Query Agent translation? +**How do I debug a failed Query Agent translation?** If a translation fails, Mobot generates a contextual error message tailored to the situation. The message includes the generated query, explains why it failed, and suggests how to fix it (for example, `Try narrowing your time window` or `Simplify your filter expression`). @@ -611,38 +572,29 @@ Here are some common cases: * **No or delayed results**. Give Mobot a few seconds to process complex refinements. * **Output too broad**. Add more context (for example, specify a client or namespace). -* **Unexpected numbers**. If results look off, be more explicit. For example, ask `show in milliseconds` or `convert to seconds` to adjust units, or say `show P90` / `switch back to P50 over 1 minute` to refine percentiles. -
+* **Unexpected numbers**. If results look off, be more explicit. For example, ask `show in milliseconds` or `convert to seconds` to adjust units, or say `show P90` / `switch back to P50 over 1 minute` to refine percentiles. ### Knowledge Agent -
-Does Knowledge Agent use my data to train external models? +**Does Knowledge Agent use my data to train external models?** Mobot and Knowledge Agent run on Amazon Bedrock, an approved and secure subprocessor that complies with Sumo Logic's privacy, security, and data-handling standards. No customer data is ever used for model training. All processing happens within the secure boundaries of Sumo Logic's architecture, maintaining the same high level of data protection customers already trust. -
-
-Is my data safe when I use Knowledge Agent? +**Is my data safe when I use Knowledge Agent?** Yes. Knowledge Agent only processes what you provide during your session, and this data remains inside Sumo Logic's secure environment. Nothing is sent to external LLM providers for training or storage. -
-
-How does Knowledge Agent ensure accuracy? +**How does Knowledge Agent ensure accuracy?** Knowledge Agent pulls directly from Sumo Logic's official product documentation. Responses are always grounded in our published help content, making them accurate, citable, and aligned with the latest platform behavior. No information is generated from unreliable external sources. -
-
-Can Knowledge Agent answer questions outside Sumo Logic's documentation? +**Can Knowledge Agent answer questions outside Sumo Logic's documentation?** No. Knowledge Agent is intentionally scoped to use Sumo Logic's internal documentation and resources only. This ensures answers remain trustworthy and consistent with product behavior. -
## Feedback diff --git a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-azure-ad-reporting-source.md b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-azure-ad-reporting-source.md index 919f9ebfd5..c4680e9c9a 100644 --- a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-azure-ad-reporting-source.md +++ b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-azure-ad-reporting-source.md @@ -131,12 +131,11 @@ https://github.com/SumoLogic/sumologic-documentation/blob/main/static/files/c2c/ ``` ## Troubleshooting -
- This request is throttled. Please try again after the value specified in the Retry-After header. -
+**This request is throttled. Please try again after the value specified in the Retry-After header.** + +
This error occurs when the API request limit (throttling threshold) is exceeded and the source makes more API calls than the limit specified in the [Microsoft documentation](https://learn.microsoft.com/en-us/graph/throttling-limits#identity-and-access-reports-service-limits). In many cases, this happens when the same credentials are used concurrently by multiple vendors or integrations. Please verify that the credentials configured for the Sumo Logic source are not shared with other platforms making API calls.
-
## FAQ diff --git a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source.md b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source.md index 2e8f70fe63..1106267314 100644 --- a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source.md +++ b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source.md @@ -51,9 +51,9 @@ When you create an Universal Connector Source, you add it to a Hosted Collector. - Green check circle A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema. - Orange exclamation point An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, you'll see an option to automatically add or enable the nonexistent fields to the Fields table schema. If a field is sent to Sumo Logic that does not exist in the Fields schema it is ignored, known as dropped. 1. **Configuration Sections**. Expand each section to learn more about the options available for configuration. -
- Authentication Configuration -
+**Authentication Configuration** + +
Choose the type of authentication based on the vendor API requirements and configure the details of that specific authentication type. #### Basic @@ -93,11 +93,10 @@ Optionally, if the vendor API requires it, you can provide one or more `Scopes` Select this authentication option if the vendor API does not require any form of authentication.
-
-
- Request Configuration -
+**Request Configuration** + +
Configure how the HTTP requests are created for your source. :::danger protect your credentials @@ -151,10 +150,10 @@ Examples URL encoded: This is optional and only used if the HTTP `POST` method is configured above. You can use this field to include any information in the HTTP request body. The data included in this field can access our [dynamic values](#dynamic-values-variables).
-
-
- Tracking Progression -
+ +**Tracking Progression** + +
The source needs a way to keep track of its progress to prevent data loss and duplication. Select the type of progression used and configure the details. #### Time Window @@ -172,10 +171,10 @@ The start time is inclusive and the end time is exclusive as that is the behavio | Max Lookback | This will determine how far back the window is allowed and should be set based on the vendors data retention policy. If the source encounters a repetitive error causing the window to not move forward for a period of time, the window will not be allowed to stagnate past this configured time. The default is `31d` and we recommend leaving the default unless the vendor specifically states their data retention policy. You can configure this setting between the `window size` and `365d`. |
-
-
- HTTP Response Log Ingest Configuration -
+ +**HTTP Response Log Ingest Configuration** + +
Select the format of the data returned by the vendor and configure how the source should break down the response into individual logs with the correct timestamp. #### JSON with JPath @@ -274,10 +273,10 @@ The source follows the [JSON Path standard defined here](https://www.ietf.org/ar | Time Value Regex | `Date(.*)` |
-
-
- Pagination -
+ +**Pagination** + +
Select how the source should handle pagination. #### RFC 8288 Link Headers @@ -323,10 +322,10 @@ Here is an example of the pagination using values as parameters: Use this type of pagination if the vendor API does not implement any kind of pagination.
-
-
- HTTP Client Options -
+ +**HTTP Client Options** + +
You can adjust some options specific to the HTTP client used to make calls to the vendor API. Follow the vendor's recommendations any of these settings. :::note @@ -342,7 +341,7 @@ The client will automatically handle HTTP 429 response status codes that include | Rate Limit Burst | The number of requests the source is allowed to burst. The default is `1000`. Set this value to `1` to disable bursting. |
-
+ 10. (Optional) **Polling Interval**. Set how frequently to poll for new data. It must be between 5 minutes and 48 hours 1. When you are finished configuring the Source, click **Save**. @@ -570,40 +569,23 @@ We recommend using [this code snippet](https://goplay.tools/snippet/WTFe5ZLU9PO) ## Troubleshooting -
- - Errors related to partial log ingestion, log preparation, timestamp extraction, or response parsing - -
- Possible resolution -
    -
  • Ensure that the HTTP Response Log Ingest Configuration matches the API response structure.
  • -
  • Verify that all configured fields exist in the API response.
  • -
  • Confirm that the API response is returned in valid JSON format.
  • -
-
-
+**Errors related to partial log ingestion, log preparation, timestamp extraction, or response parsing** -
- Error getting partial logs, error preparing log, error getting timestamp data, timestamp path not in data, or error parsing response data -
- These errors are typically caused by an improper endpoint response format or incorrect log ingestion configuration. Ensure that your endpoint returns data in a valid JSON format and response fields are as per the configuration. -
-
+- Ensure that the HTTP Response Log Ingest Configuration matches the API response structure. +- Verify that all configured fields exist in the API response. +- Confirm that the API response is returned in valid JSON format. -
- oauth2: cannot parse json: invalid character -
- This error occurs due to an OAuth 2.0 authentication misconfiguration. Reconfigure the source using valid OAuth 2.0 credentials and ensure that it aligns with the steps in the [Authentication Configuration](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source#source-configuration) section. -
-
+**Error getting partial logs, error preparing log, error getting timestamp data, timestamp path not in data, or error parsing response data** -
- Failed to validate the base request config or error preparing new request -
- These errors indicate that the endpoint configuration is not set up correctly. Verify that your endpoint configuration follows the instructions in the [Request Configuration](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source#source-configuration) section. -
-
+These errors are typically caused by an improper endpoint response format or incorrect log ingestion configuration. Ensure that your endpoint returns data in a valid JSON format and response fields are as per the configuration. + +**oauth2: cannot parse json: invalid character** + +This error occurs due to an OAuth 2.0 authentication misconfiguration. Reconfigure the source using valid OAuth 2.0 credentials and ensure that it aligns with the steps in the [Authentication Configuration](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source#source-configuration) section. + +**Failed to validate the base request config or error preparing new request** + +These errors indicate that the endpoint configuration is not set up correctly. Verify that your endpoint configuration follows the instructions in the [Request Configuration](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source#source-configuration) section. ## FAQ @@ -611,18 +593,17 @@ We recommend using [this code snippet](https://goplay.tools/snippet/WTFe5ZLU9PO) Click [here](/docs/c2c/info) for more information about Cloud-to-Cloud sources. ::: -
- What if I want to query multiple HTTP endpoints? -
You will need to create a new source per endpoint for the data you wish to collect, even if the endpoint is within the same API.
-
-
- Can I transform the data collected? -
No, this source only collects the data. You can use the Sumo Logic platform features to parse/transform the data further after collection.
-
-
- What timestamp is used for the data? -
If you leave the time parsing configuration blank, it will cause the source to use current time for the collected logs. Be sure to configure the HTTP response log ingestion configuration section to ensure time parsing is correctly handled. The source will enter an error health status if time parsing is configured and is unsuccessful.
-
+**What if I want to query multiple HTTP endpoints?** + +You will need to create a new source per endpoint for the data you wish to collect, even if the endpoint is within the same API. + +**Can I transform the data collected?** + +No, this source only collects the data. You can use the Sumo Logic platform features to parse/transform the data further after collection. + +**What timestamp is used for the data?** + +If you leave the time parsing configuration blank, it will cause the source to use current time for the collected logs. Be sure to configure the HTTP response log ingestion configuration section to ensure time parsing is correctly handled. The source will enter an error health status if time parsing is configured and is unsuccessful. :::note By default, this source supports up to *512 MB* of memory in a single API response. For higher limits or additional requirements, contact Sumo Logic Support.
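Review bot: In the docs/search/mobot.md hunk at @@ -538,72 +517,54 @@, the answers that are now always visible disagree about release status: the FED answer says "The current GA versions of Mobot, including Query Agent and Knowledge Agent", while the Query Agent answers still say "During Beta, full query generation may take 6 to 7 seconds" and "Metrics and Metric Searches are not supported in this Beta". The text is carried over unchanged, but with the accordions gone a reader sees all three together. Reconcile the Beta wording in this change or file a follow-up so the visible FAQ does not contradict itself.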
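Review bot: In the docs/search/mobot.md hunk at @@ -611,38 +572,29 @@, the "* **Unexpected numbers**. If results look off, be more explicit. ..." bullet is removed and re-added with the same visible text, which points to a whitespace-only difference (trailing space or line ending). If that is not intended, drop the line from the diff so the hunk only shows the accordion removal; if it is intended, confirm no trailing whitespace is being introduced.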
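Review bot: In docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source.md, the unchanged context line "1. **Configuration Sections**. Expand each section to learn more about the options available for configuration." is now stale, because the hunks from @@ -51,9 +51,9 @@ through @@ -342,7 +341,7 @@ replace every expandable section under it (Authentication Configuration, Request Configuration, Tracking Progression, HTTP Response Log Ingest Configuration, Pagination, HTTP Client Options) with bold labels. Reword that step in the same change. Two related points: the bold labels sit directly above existing `####` headings such as `#### Basic` and `#### Time Window`, so those sub-headings no longer have a parent in the outline, and real headings one level above `####` would fix that; and please confirm the new lines keep the list item's indentation, so that "10. (Optional) **Polling Interval**" still renders as part of the numbered list.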
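Review bot: In the Troubleshooting hunk of universal-connector-source.md at @@ -570,40 +569,23 @@, the first two bold entries now read as duplicates: "Errors related to partial log ingestion, log preparation, timestamp extraction, or response parsing" and "Error getting partial logs, error preparing log, error getting timestamp data, timestamp path not in data, or error parsing response data" cover the same failures and give overlapping advice (valid JSON, fields matching the configuration). Merge them into one entry that lists the error strings and keeps the three bullets. The removed "Possible resolution" label also leaves the bullet list with no lead-in, so add a short one. Literal error text such as "oauth2: cannot parse json: invalid character" would be easier to match against source health messages if set in code formatting rather than bold. Finally, the Authentication Configuration and Request Configuration links both still target `#source-configuration`; if the bold labels become headings, point each link at its own anchor.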