diff --git a/docs/search/copilot.md b/docs/search/copilot.md
index 9cf24ed3c4..35be9d9629 100644
--- a/docs/search/copilot.md
+++ b/docs/search/copilot.md
@@ -59,7 +59,6 @@ Sumo Logic Copilot leverages foundational models provided by Amazon Bedrock, inh
Additionally, all aspects of our service, including Copilot, adhere to the security and compliance requirements outlined in our [service agreement](https://www.sumologic.com/service-agreement) or in individually negotiated contracts.
-
* **Customer data privacy**. Copilot ensures customer data remains private and secure. No customer data or PII is used to train the AI models. Context for AI processing is limited to schema and field samples, reviewed for legal and compliance purposes.
* **Rolling data expiration**. Some features may store query history temporarily for performance, but data is expired on a rolling basis.
* **AI provider**. Copilot uses a foundation model served by Amazon Bedrock. The provider has no access to your data.
@@ -82,29 +81,31 @@ In this section, you'll learn the recommended workflow for using Copilot effecti
To start using Copilot:
-From the [**Classic UI**](/docs/get-started/sumo-logic-ui-classic), navigate to the **Copilot** tab.
})
+From the [**Classic UI**](/docs/get-started/sumo-logic-ui-classic), click the **Copilot** tab.
})
+
+From the [**New UI**](/docs/get-started/sumo-logic-ui), click **Copilot** in the left nav.
})
-From the [**New UI**](/docs/get-started/sumo-logic-ui), click **Copilot** in the left nav.
})
+### Step 2: Review and adjust the auto-selected source
-### Step 2: Review the auto-selected source
+Copilot automatically selects a source category based on its assessment of user intent. Review the selection and adjust it if needed. You can also manually enter a source expression to define the scope of your exploration.
-Review the auto-selected **Source Category** and adjust it if needed. The source category is selected based on Copilot’s assessment of user intent. You can also type a source expression in the box. In either approach, you are defining the scope of your exploration.
+For example, to explore AWS WAF logs, select the appropriate source. For indexes, use `_index=`. Autocompletion is supported—start typing a few words to see source suggestions and choose one.
-In this example, we'll select a source for AWS WAF. For indexes, type `_index=`. Autocompletion is supported for sources; type a few words, view source suggestions and pick one.
+})
-
+### Step 3: Execute a query
-### Step 3: Execute a Suggestion
+#### Click a suggestion
Click on any of the prebuilt **Suggestions** prompts to launch your investigation. These AI-curated natural language insights are tailored to the specific source you've chosen.
In this example, we'll click `Count the number of log entries by the collector ID`. This translates the insight to a log query and renders results.
-})
+
-### Step 4: Ask a question
+#### Ask a question
-In the **Ask Something...** field, you can manually enter a natural language prompt similar to the prebuilt ones under **Suggestions**. In addition, use autocompletions if appropriate. Type a word in the search bar to trigger completions based on the keyword.
+In the **Ask Something...** field, you can manually enter a natural language prompt, similar to the prebuilt options under **Suggestions**. You can also use autocompletion—start typing a keyword to see relevant suggestions.
})
@@ -123,7 +124,7 @@ In the **Ask Something...** field, you can manually enter a natural language pro
Broad questions may not yield accurate results. For best outcomes, frame your queries around a small, well-defined problem. If Copilot is unable to translate your prompt into a query, it will display "Failed translation".
-Break your questions into smaller, specific requirements to help Copilot provide more accurate answers.
})
+Break your questions into smaller, specific requirements to help Copilot provide more accurate answers.
})
#### Tips and tricks
@@ -179,7 +180,7 @@ By default, Copilot searches run with a 15-minute time range. If your search ret
Copilot will automatically attempt to visualize your data. For example, a query like `Top ip by geo` will trigger a geo lookup and display the results on a map:
-})
+})
The following rules are used to deduce chart type:
* If both latitude and longitude fields exist, it returns a MAP chart type.
@@ -219,30 +220,32 @@ _sourceCategory=* "{" "}"
| sum(_count) by _sourceCategory
```
-If your log query contains a mix of JSON and non-JSON formatting (i.e., a log file is partially JSON), you can isolate the JSON portion by adding `{` to the source expression to trigger **Suggestions**.
})
+If your log query contains a mix of JSON and non-JSON formatting (i.e., a log file is partially JSON), you can isolate the JSON portion by adding a left curly brace (`{`) to the source expression to trigger **Suggestions**.
#### History
-Conversation History saves all previous queries and suggestions, allowing you to backtrack and refine your investigation. For example, if a status code analysis yields inconclusive results, revisit earlier queries to explore other hypotheses.
+The conversation history feature saves all previous queries and suggestions, allowing you to backtrack and refine your investigation. For example, if a status code analysis yields inconclusive results, you can revisit earlier queries to explore other possibilities.
-This functionality comes in handy when you're working on multiple incidents at the same time. To view Copilot interactions related to an incident, click **History**.
-
})
+This functionality can be useful when you're working on multiple incidents at the same time. To view Copilot interactions related to an incident, click **History**.
-You can resume a conversation in two ways:
+There are two ways to resume a conversation:
-* Click the **Resume conversation** icon to pick up from the last query in a conversation.
})
-* Click on the row in the conversation history, and then click the gray area on the right side to resume from a specific query in a conversation.
})
+* Click the "Resume Conversation" icon to pick up from the last query in a conversation.
+* Click on any row in a conversation history, then click the "Open in Copilot" icon to resume from a specific query in a conversation.
#### New Conversation
To start a fresh exploration, click **New Conversation**. This clears your current session and allows you to begin with a clean slate.
})
-### Step 5: Open in Log Search
+### Step 4: Open in Log Search
+
+You can open your query in [Log Search](/docs/search) to access Sumo Logic’s full search functionality. This allows you to continue investigating, refine your query, save the search, or take action as needed.
-Click the **Open in Log Search** icon, which will copy your query from Copilot over to a new log search, allowing you to utilize all of Sumo Logic's search functionality. You can continue investigating, save the search, and remediate.
+There are two ways to do this:
-})
+* From your conversation, click the "Open in Log Search" icon.
})
+* From your conversation history, hover over any row, then click the "Open in Log Search" icon.
})
## Example queries
@@ -278,17 +281,17 @@ You are a SecOps engineer who uses [Cloud SIEM](/docs/cse/). You are worried abo
```
Count logs by action. Sort the results.
```
- })
+ })
1. As soon as you do that, you can look at the **Suggestions** section on the right. These suggestions are curated based on their relevance to this Cloud SIEM source. You pick a suggestion to compare results to the last hour:
```
Count logs by action. Sort the results. versus the previous 1h
```
- Notice the system translated the suggestion to a log query and rendered results as a bar graph with no user input.
})
+ Notice the system translated the suggestion to a log query and rendered results as a bar graph with no user input.
})
1. Switching to table view, you notice "Malicious” in the search results. So, you add in `Filter results by action contains Malicious` to the query:
```
Count logs by action. Sort the results. Filter results by action contains Malicious.
```
- })
+ })
:::note
If `Malicious` doesn't work, try `Malicious*`. Sumo Logic is case sensitive.
:::
@@ -296,7 +299,7 @@ You are a SecOps engineer who uses [Cloud SIEM](/docs/cse/). You are worried abo
```
Count logs by action, url, user. Sort the results. Filter results by action contains Malicious.
```
- })
+ })
1. Even though the activity was blocked, you can investigate the affected users in the endpoint records next.
To summarize, you conclude there is malicious activity originating from certain users who need to be investigated further.
diff --git a/static/img/search/copilot/chart-types.png b/static/img/search/copilot/chart-types.png
index 253065f884..313fa892fc 100644
Binary files a/static/img/search/copilot/chart-types.png and b/static/img/search/copilot/chart-types.png differ
diff --git a/static/img/search/copilot/classic-ui-tab.png b/static/img/search/copilot/classic-ui-tab.png
new file mode 100644
index 0000000000..fff49b0b68
Binary files /dev/null and b/static/img/search/copilot/classic-ui-tab.png differ
diff --git a/static/img/search/copilot/cloud-siem-1.png b/static/img/search/copilot/cloud-siem-1.png
new file mode 100644
index 0000000000..f815e2a82e
Binary files /dev/null and b/static/img/search/copilot/cloud-siem-1.png differ
diff --git a/static/img/search/copilot/copilot-cloud-siem-2.png b/static/img/search/copilot/cloud-siem-2.png
similarity index 100%
rename from static/img/search/copilot/copilot-cloud-siem-2.png
rename to static/img/search/copilot/cloud-siem-2.png
diff --git a/static/img/search/copilot/copilot-cloud-siem-3.png b/static/img/search/copilot/cloud-siem-3.png
similarity index 100%
rename from static/img/search/copilot/copilot-cloud-siem-3.png
rename to static/img/search/copilot/cloud-siem-3.png
diff --git a/static/img/search/copilot/copilot-cloud-siem-4.png b/static/img/search/copilot/cloud-siem-4.png
similarity index 100%
rename from static/img/search/copilot/copilot-cloud-siem-4.png
rename to static/img/search/copilot/cloud-siem-4.png
diff --git a/static/img/search/copilot/copilot-cloud-siem-1.png b/static/img/search/copilot/copilot-cloud-siem-1.png
deleted file mode 100644
index 1bad6d9043..0000000000
Binary files a/static/img/search/copilot/copilot-cloud-siem-1.png and /dev/null differ
diff --git a/static/img/search/copilot/copilot-geo-chart.png b/static/img/search/copilot/copilot-geo-chart.png
deleted file mode 100644
index 20bb9e0b0d..0000000000
Binary files a/static/img/search/copilot/copilot-geo-chart.png and /dev/null differ
diff --git a/static/img/search/copilot/copilot-tab.png b/static/img/search/copilot/copilot-tab.png
deleted file mode 100644
index 9572e849ea..0000000000
Binary files a/static/img/search/copilot/copilot-tab.png and /dev/null differ
diff --git a/static/img/search/copilot/geo-chart.png b/static/img/search/copilot/geo-chart.png
new file mode 100644
index 0000000000..294912c249
Binary files /dev/null and b/static/img/search/copilot/geo-chart.png differ
diff --git a/static/img/search/copilot/copilot-tab-new.png b/static/img/search/copilot/left-nav.png
similarity index 100%
rename from static/img/search/copilot/copilot-tab-new.png
rename to static/img/search/copilot/left-nav.png
diff --git a/static/img/search/copilot/open-in-log-search.png b/static/img/search/copilot/open-in-log-search1.png
similarity index 100%
rename from static/img/search/copilot/open-in-log-search.png
rename to static/img/search/copilot/open-in-log-search1.png
diff --git a/static/img/search/copilot/open-in-log-search2.png b/static/img/search/copilot/open-in-log-search2.png
new file mode 100644
index 0000000000..84402df948
Binary files /dev/null and b/static/img/search/copilot/open-in-log-search2.png differ
diff --git a/static/img/search/copilot/copilot-periods.gif b/static/img/search/copilot/periods-query-syntax.gif
similarity index 100%
rename from static/img/search/copilot/copilot-periods.gif
rename to static/img/search/copilot/periods-query-syntax.gif
diff --git a/static/img/search/copilot/resume-convo-history2.png b/static/img/search/copilot/resume-convo-history2.png
index 456e85d6eb..deae07c31b 100644
Binary files a/static/img/search/copilot/resume-convo-history2.png and b/static/img/search/copilot/resume-convo-history2.png differ
diff --git a/static/img/search/copilot/source-category.png b/static/img/search/copilot/source-category.png
index c3191a6441..e973919fb1 100644
Binary files a/static/img/search/copilot/source-category.png and b/static/img/search/copilot/source-category.png differ