Expand Up @@ -98,8 +98,7 @@ All variables are case-insensitive.
| `{{AlertResponseUrl}}` | When your Monitor is triggered, it will generate a URL and provide it as the value of this variable where you can use it to open Alert Response. | ✓ | ✓ |


<details>
<summary>Legacy variables</summary>
**Legacy variables**

This section provides the old variables available for alert notifications from Metrics Monitors and Scheduled Searches. The following table shows where the old variables are supported.

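Review bot: with the `<details>`/`<summary>` wrapper removed, `**Legacy variables**` becomes a bold paragraph sitting between `###`-level sections (`### Example payloads` follows it), so it gets no anchor or table-of-contents entry, which works against the stated goal of making this content visible and citable. Consider `### Legacy variables` at the surrounding heading level instead of bold text.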
Expand All @@ -126,10 +125,6 @@ We recommend using the new common variables instead of these legacy variables, w
| `The ID of the triggered alert.` | Current status of the time series that triggered (for example, Critical or Warning). | &#10003; | |
| `{{AlertCondition}}` | The condition that triggered the alert. | | |

</details>



### Example payloads

#### Slack payload
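Review bot: the unchanged row just above the removed `</details>` reads `` `The ID of the triggered alert.` `` in the variable-name column while its description is about the time-series status (Critical or Warning), which looks like a shifted copy error; since this PR already touches the table's wrapper, it is a good moment to restore the actual variable name. The `{{AlertCondition}}` row below it has both support columns empty, so a reader cannot tell whether that means "not supported anywhere" or "not yet filled in".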
21 changes: 6 additions & 15 deletions docs/api/mcp-server.md
Expand Up @@ -99,16 +99,15 @@ UI support for this step is not yet available. You'll need to use the Sumo Logic
:::

1. [Get a list of available OAuth `scopes`](https://api.sumologic.com/docs/#operation/listOAuthScopes) and decide which ones you'd like to assign to your OAuth client. The `scopes` you request here must already be included in your service account's `effectiveScopes` field.
<details>
<summary>How are scopes enforced?</summary>
:::note
How are scopes enforced?

The permissions granted to an OAuth client are limited to the intersection of:
* The roles (RBAC capabilities) assigned to the service account.
* The scopes assigned to the OAuth client.

This prevents privilege escalation. If the service account's roles are restricted in the future, the OAuth client's effective permissions are automatically reduced as well. If a requested scope is not included in the service account's roles, it will be silently excluded from the OAuth client's effective permissions.

</details>
:::
1. [Create a new OAuth client](https://api.sumologic.com/docs/#operation/createOAuthClient) using the `scopes` you selected in the previous step. `"runAsId"` will be the `"id"` of the service account you created [in step 1](#step-1-create-a-service-account).
```bash title="Example request"
curl -u "<access-id>:<access-key>" \
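Review bot: in Docusaurus the admonition title goes on the opening line, so `:::note How are scopes enforced?` is what puts the question in the box header; as written, the box is titled "note" and the question renders as an ordinary first paragraph. Separately, the two unchanged statements in this hunk should be reconciled: the step text says requested scopes "must already be included" in the service account's `effectiveScopes`, while the note says a scope outside the service account's roles "will be silently excluded". Silent trimming deserves an explicit warning, because a client that was granted fewer scopes than requested only discovers it when a call fails later; tell the reader to verify the effective scopes of the created client rather than assume the requested set was granted.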
Expand Down Expand Up @@ -651,27 +650,19 @@ For detailed guidance on securing MCP against cost-based attacks, see our blog p

## FAQ

<details>
<summary>Can MCP handle multiple operations in a single request?</summary>
**Can MCP handle multiple operations in a single request?**

Yes. MCP supports multi-tool calls within a single conversational interaction.

</details>

<details>
<summary>How does this affect my Sumo Logic usage?</summary>
**How does this affect my Sumo Logic usage?**

This capability in closed beta requires an AI Addendum. Contact your account representative for pricing information.

:::note
For bulk data retrieval or model training, the [Search Job API](/docs/api/search-job) remains the preferred option.
:::

</details>

<details>
<summary>Where does my agent run?</summary>
**Where does my agent run?**

Agents connected via MCP run in your own environment, not within Sumo Logic infrastructure.

</details>
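Review bot: the FAQ questions become bold paragraphs, which have no anchors, so they cannot be linked to or cited individually; the reason given elsewhere in this PR for unwrapping FAQs is citability, which is better served by `###` headings under `## FAQ`. The unchanged sentence "This capability in closed beta requires an AI Addendum" also reads awkwardly; "This capability, currently in closed beta, requires an AI Addendum" is clearer.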
39 changes: 35 additions & 4 deletions docs/contributing/style-guide.md
Expand Up @@ -417,9 +417,42 @@ You'll see this used in our [C2C source docs](/docs/send-data/hosted-collectors/

Use the Docusaurus [Details](https://docusaurus.io/docs/next/markdown-features#details) feature to collapse long, additional content and long code samples. When collapsed, the content can be searched, but not displayed, when loading a page. Place long lists or lots of content in this section. The reader can expand/collapse as needed. Important content like required steps and instructions should not be placed in an expander.

You can include markdown content in expanders including code samples, embedded videos, bulleted lists, and more.
### When to use and when NOT to use `<details>` tags

| Use Case | ✅ DO Use | ❌ DO NOT Use | Why |
|:---------|:----------|:--------------|:----|
| **FAQ Sections** | | ❌ Never | **Against GEO principles**: Hidden content negatively impacts Generative Engine Optimization and search visibility. **AI citation fails**: AI tools and search engines cannot properly cite or reference content hidden inside accordion components. FAQ content must be immediately visible and scannable. |
| **Troubleshooting Sections** | | ❌ Never | Users searching for solutions need immediate visibility of troubleshooting steps. Hidden content creates friction and poor user experience. |
| **Critical Instructions** | | ❌ Never | Required steps, warnings, or important information must always be visible. Users should not need to click to reveal essential information. |
| **Short Content** | | ❌ Avoid | If collapsed content is only 2-5 lines, keep it visible. The expand/collapse interaction adds unnecessary friction. |
| **Primary Documentation Flow** | | ❌ Avoid | Main concepts and procedures should not be hidden behind accordions. Core content must be scannable. |
| **Long Code Samples** | ✅ Yes | | Code samples over 100 lines of JSON, YAML, or configuration examples benefit from collapsing to reduce page scrolling. |
| **Multiple Installation Methods** | ✅ Yes | | When documenting 3+ installation methods (UI installer, command-line, package managers), collapse each method so users can choose their preferred approach. |
| **API Endpoint Documentation** | ✅ Yes | | Collapse detailed request parameters, response formats, and examples to keep API reference pages scannable. |
| **Alternative Configuration Options** | ✅ Yes | | When showing different setup paths or service configurations (e.g., AWS regions, authentication methods), collapse alternatives to reduce clutter. |
| **Sample Log Formats** | ✅ Yes | | Lengthy log examples (50+ lines) that users reference occasionally should be collapsed. |

:::warning Important
Using `<details>` tags for FAQ and troubleshooting content violates **Generative Engine Optimization (GEO)** best practices and prevents AI tools from properly citing your documentation. Always keep FAQ and troubleshooting content visible.
:::

#### How to use collapsible sections

When using `<details>` tags for appropriate content (see table above), follow these guidelines:

1. **Always include a descriptive title** in the `<summary>` tag. This title should clearly describe what content is collapsed.
2. **Add the `title` attribute** to the `<details>` tag for better accessibility and SEO.
3. You can include markdown content in expanders including code samples, embedded videos, bulleted lists, and more.
4. Add all content after the `<summary>` tags and before the closing `</details>` tag.

```markdown
<details title="Installation using command-line">
<summary>Install Using the Command-Line Installer</summary>

Add a title for the expander between the `<summary>` tags. Then, add all content after `<summary>` tags and before the closing `<details>` tags.
Your installation steps and code samples go here...

</details>
```

<Tabs
className="unique-tabs"
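Review bot: the new guideline "Add the `title` attribute to the `<details>` tag for better accessibility and SEO" and the `<details title="...">` in the example are not an accessibility mechanism: the accessible name of a disclosure widget comes from its `<summary>`, and `title` only yields a hover tooltip that assistive technology does not reliably expose, so either drop the recommendation or state the concrete benefit. The table also contradicts the unchanged paragraph above it and its own "Critical Instructions: Never" row: "Important content like required steps and instructions should not be placed in an expander", yet "Multiple Installation Methods" is marked "Yes" and the example collapses "Your installation steps". Finally, the thresholds (avoid for 2-5 lines, collapse for 50+ or 100+ lines) leave everything in between unspecified, and "the content can be searched" in the intro sits uneasily beside the table's claim that search engines cannot properly cite collapsed content; pick one position.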
Expand Down Expand Up @@ -467,8 +500,6 @@ Add a title for the expander between the `<summary>` tags. Then, add all content
</Tabs>




## Contractions

Using contractions contributes to our goals of striking a conversational, friendly tone.
37 changes: 9 additions & 28 deletions docs/cse/get-started-with-cloud-siem/soc-analyst-agent.md
Expand Up @@ -101,47 +101,33 @@ Click the provided link to view the dashboard:<br/><img src={useBaseUrl('img/cse

## FAQs

<details>
<summary>What is the Sumo Logic SOC Analyst Agent?</summary>
**What is the Sumo Logic SOC Analyst Agent?**

The SOC Analyst Agent is part of the [Sumo Logic Dojo AI](/docs/get-started/ai-machine-learning/#dojo-ai). The SOC Analyst Agent is an assistant that applies agentic AI reasoning to triage and investigation tasks. It correlates alerts, weighs patterns against frameworks like MITRE ATT&CK, and renders evidence-backed verdicts, providing analysts an immediate sense of threat impact. When deeper analysis is required, the same agent supports hypothesis-based investigation to map relationships, connect entities, and summarize findings.
</details>

<details>
<summary>What are the benefits of the agent?</summary>
**What are the benefits of the agent?**

Security teams spend too much time validating false positives and performing repetitive investigative steps. By embedding reasoning and context-awareness directly into Cloud SIEM, the SOC Analyst Agent eliminates noise, standardizes outcomes, and accelerates time to resolution.
</details>

<details>
<summary>Will the agent increase scanning or data-processing costs?</summary>
**Will the agent increase scanning or data-processing costs?**

No. The agent analyzes existing data already ingested into Cloud SIEM. It performs reasoning on metadata and contextual signals rather than initiating new scans.

</details>

<details>
<summary>How does the agent differ from Cloud SIEM correlation or automation rules?</summary>
**How does the agent differ from Cloud SIEM correlation or automation rules?**

Unlike traditional correlation logic, which is static, the SOC Analyst Agent applies agentic reasoning. It adapts based on insight context, recent analyst actions, and environmental signals, producing contextual, explainable decisions rather than fixed pattern matches.
</details>

<details>
<summary>What data does the agent rely on to render verdicts?</summary>
**What data does the agent rely on to render verdicts?**

The agent draws from normalized security data (`sec_record*` indexes and signals), correlated entities, Sumo Logic’s integrated threat intelligence feeds, and enrichment data (for example, IP geolocation, user behavior, and asset details).
</details>

<details>
<summary>Can analysts provide feedback or correct AI verdicts?</summary>
**Can analysts provide feedback or correct AI verdicts?**

Yes. Analysts can override verdicts and flag feedback within the UI. These actions are logged and reviewed to refine model behavior over time as part of the Dojo AI learning loop.
</details>

### FAQs for preview

<details>
<summary>How does investigation rate limiting work?</summary>
**How does investigation rate limiting work?**

To ensure stable performance, the agent performs system-wide rate limiting, which imposes usage controls across the entire SOC Analyst Agent user base to manage capacity. As a result, automatic investigation may skip some insights if investigating them would exceed rate limits. The skipped insights show **Not Investigated** in the **AI Verdicts** column. However, in these instances, you can manually start an investigation of the insight by clicking the **Investigate** button.

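Review bot: the unchanged answer "These actions are logged and reviewed to refine model behavior over time as part of the Dojo AI learning loop" should say whether analyst overrides and feedback tune behaviour for that customer only or feed a shared model, because the ai-machine-learning.md FAQ edited in this same PR states that customer data is never used to train AI models, and a reader comparing the two pages will see a contradiction. Also, with `### FAQs for preview` as a heading and the questions as bold paragraphs, the questions have no anchors; `###` or `####` headings would keep the hierarchy consistent and make each answer linkable.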
Expand All @@ -152,19 +138,14 @@ The rate limits for your organization are:
Be aware, though, that if you have reached your limit of the total number of insights that you can get AI verdicts for in a certain time period, a message will appear telling you when you can next click the **Investigate** button to manually initiate an AI investigation.

If you have questions about the AI investigation rate limiting for your organization, ask your Sumo Logic representative.
</details>

<details>
<summary>Does the agent automatically investigate things that are not entities in Cloud SIEM?</summary>
**Does the agent automatically investigate things that are not entities in Cloud SIEM?**

Traditional Cloud SIEM entities are items like users, IP addresses, hosts, and the like. In addition to these, the agent automatically investigates things that are not usually identified as entities in Cloud SIEM, such as related cloud resources, API endpoints, or service accounts relevant to the insight. This intelligent entity prioritization results in faster investigation and reduces time spent manually determining which entities to investigate.
</details>

<details>
<summary>Can I converse with the agent in the same way I am used to doing with other AI-enabled tools?</summary>
**Can I converse with the agent in the same way I am used to doing with other AI-enabled tools?**

Yes, you can. In your investigation, you are not limited in how you proceed. You can engage the agent in a conversational flow to direct the investigation any way you want. However, the agent has many tools that can help should you need guidance. For example, the agent presents follow-up questions after each step that offer you multiple paths for investigation.
</details>

## Additional resources

45 changes: 11 additions & 34 deletions docs/get-started/ai-machine-learning.md
Expand Up @@ -22,8 +22,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';

Sumo Logic’s AI capabilities span from classical machine learning to generative and agentic AI. At the center is Dojo AI, our multi-agent platform that brings specialized agents into security and observability workflows. This page covers all of these capabilities: what they do, how they work together, and how to get started.

<details>
<summary>What do these terms mean?</summary>
**What do these terms mean?**

**Artificial intelligence (AI)** encompasses machines that mimic human-like intelligence, leveraging algorithms to compute tasks efficiently. It includes machine learning, deep learning, generative AI, and agentic AI.

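Review bot: once the expander is gone, `**What do these terms mean?**` is a bold paragraph immediately followed by bold-term definitions (`**Artificial intelligence (AI)**`, ...), so the question is visually indistinguishable from the glossary entries it introduces. A heading such as `### Terminology`, or simply dropping the question and keeping the definitions, would read better.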
Expand All @@ -37,8 +36,6 @@ Sumo Logic’s AI capabilities span from classical machine learning to generativ

**Pattern learning** is fundamental to machine learning and deep learning, where algorithms discern patterns in data to make predictions or classifications.

</details>

## Dojo AI

Dojo AI is Sumo Logic’s multi-agent AI platform, bringing specialized agents across security and observability workflows. Agents work together to detect threats, investigate incidents, explore data, and answer platform questions, with a human in the loop at every step. Dojo AI is built and deployed on AWS and is available through Sumo Logic and in AWS Marketplace. [Learn more](https://www.sumologic.com/solutions/dojo-ai).
Expand Down Expand Up @@ -127,16 +124,13 @@ The [Global Intelligence Service](/docs/integrations/global-intelligence) apps p

### General

<details>
<summary>Can I opt out of AI features?</summary>
**Can I opt out of AI features?**

Yes. You can opt out of specific AI features at any time by submitting a support ticket.
</details>

### Security and privacy

<details>
<summary>Do Dojo AI agents access customer data?</summary>
**Do Dojo AI agents access customer data?**

Agent interaction with customer data varies by capability.

Expand All @@ -149,10 +143,8 @@ Any AI capability that processes customer data:
- Requires execution of the applicable AI addendum to the client agreement

Customers retain control over whether these data-processing capabilities are enabled in their environment.
</details>

<details>
<summary>What types of customer data or PII does the AI process? Does it filter sensitive information?</summary>
**What types of customer data or PII does the AI process? Does it filter sensitive information?**

Sumo Logic AI capabilities follow strict legal, compliance, and security standards to ensure data minimization and fit-for-purpose processing.

Expand All @@ -161,10 +153,8 @@ Sumo Logic AI capabilities follow strict legal, compliance, and security standar
- Sumo Logic applies strong safeguards and filtering to ensure sensitive data is handled securely and appropriately at all times.

Capabilities that process customer data, including the SOC Analyst Agent (currently in Public Preview), are available only through explicit customer opt-in and require execution of the applicable AI addendum. These capabilities are never automatically provisioned.
</details>

<details>
<summary>Is customer data or PII used to train AI models?</summary>
**Is customer data or PII used to train AI models?**

No. Customer data is never used to train AI models.

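Review bot: the unchanged bullet "Sumo Logic applies strong safeguards and filtering to ensure sensitive data is handled securely and appropriately at all times" is the only answer to "Does it filter sensitive information?" and does not say what is filtered; a reader assessing PII exposure needs the categories excluded from prompts and outputs, or a pointer to the document that lists them.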
Expand All @@ -173,10 +163,8 @@ All Sumo Logic AI capabilities are designed to serve customer-specific outcomes
Traditional ML features, such as AI-driven alerts, generate models specific to each customer's environment and are never shared or made public.

For more information, see [Security and Compliance](/docs/manage/security).
</details>

<details>
<summary>Does any third party have access to Dojo AI customer data?</summary>
**Does any third party have access to Dojo AI customer data?**

Dojo AI leverages foundation models securely hosted through Amazon Bedrock. When customer data is processed using Amazon Bedrock:

Expand All @@ -187,56 +175,45 @@ Dojo AI leverages foundation models securely hosted through Amazon Bedrock. When
- Customer inputs and outputs are not shared with model providers and are not used to train external models.

Customer data processed through Dojo AI remains within Sumo Logic's secure environment and is used only to deliver results for that customer. It is not used to train foundation models or shared with model providers.
</details>

<details>
<summary>How long does Dojo AI store customer data, and how is it deleted?</summary>
**How long does Dojo AI store customer data, and how is it deleted?**

Dojo AI and classical ML features store data only temporarily to optimize performance:

- AI-driven alerts use a rolling 60-day data window, retraining weekly and expiring the oldest data automatically.
- Mobot may temporarily retain query history in a rolling window to improve conversational context and response accuracy.

All stored data follows Sumo Logic's data retention and deletion policies, ensuring customer information is never retained longer than necessary.
</details>

### Technical

<details>
<summary>Does Sumo Logic AI use open-source libraries, generative AI providers, or cloud services?</summary>
**Does Sumo Logic AI use open-source libraries, generative AI providers, or cloud services?**

Yes. Dojo AI leverages foundation models securely hosted through Amazon Bedrock.
</details>

<details>
<summary>Does Sumo Logic hold any AI-specific certifications or accreditations?</summary>
**Does Sumo Logic hold any AI-specific certifications or accreditations?**

Sumo Logic is currently reviewing AI compliance within a rapidly evolving framework, in particular ISO 42001, designed to help organizations implement AI responsibly.

Sumo Logic AI capabilities operate within our existing industry-recognized security and compliance framework, including FedRAMP Moderate, SOC 2 Type 2, HIPAA, PCI DSS 4.0.1, and ISO 27001:2022. These attestations govern the confidentiality, integrity, and protection of customer data.

Availability of specific AI capabilities may vary by deployment region (including FED) based on compliance boundary requirements.
</details>

<details>
<summary>Which Dojo AI capabilities are available in FED?</summary>
**Which Dojo AI capabilities are available in FED?**

The current GA versions of Mobot (including Query Agent and Knowledge Agent) and Summary Agent are available in the FED deployment.

The SOC Analyst Agent and certain newer Dojo AI capabilities are not currently available in FED. These capabilities depend on underlying model configurations that do not yet meet the requirements of our FED compliance boundary.

Sumo Logic is actively evaluating future availability of these capabilities in FED as underlying model support and compliance requirements evolve.
</details>

<details>
<summary>What types of model reviews are conducted?</summary>
**What types of model reviews are conducted?**

The generative AI model is licensed and securely hosted via Amazon Bedrock, meaning it is not directly accessible by Sumo Logic, customers, or third parties.

All new AI capabilities and features undergo comprehensive legal, compliance, and application security reviews before release to ensure data protection, privacy, and regulatory alignment.

Recurring reviews are also conducted with every major update, particularly when a capability introduces new analytics or processes previously unused data types, to maintain ongoing trust and compliance.
</details>

## Additional resources

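Review bot: three unchanged answers in this hunk need tightening. "The generative AI model ... is not directly accessible by Sumo Logic, customers, or third parties" is confusing because Sumo Logic does invoke the model; the intended claim is presumably that model weights are not accessible, so say that. "Yes. Dojo AI leverages foundation models securely hosted through Amazon Bedrock" answers only the cloud-services part of a three-part question about open-source libraries, generative AI providers, and cloud services. And "Mobot may temporarily retain query history in a rolling window" gives no window length, unlike the 60-day figure for AI-driven alerts; state the retention period.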