diff --git a/docs/alerts/webhook-connections/set-up-webhook-connections.md b/docs/alerts/webhook-connections/set-up-webhook-connections.md index 82c536eb55..134746b4d9 100644 --- a/docs/alerts/webhook-connections/set-up-webhook-connections.md +++ b/docs/alerts/webhook-connections/set-up-webhook-connections.md @@ -128,8 +128,6 @@ We recommend using the new common variables instead of these legacy variables, w - - ### Example payloads #### Slack payload diff --git a/docs/contributing/style-guide.md b/docs/contributing/style-guide.md index b49020ae4c..78fc7dbf6b 100644 --- a/docs/contributing/style-guide.md +++ b/docs/contributing/style-guide.md @@ -417,9 +417,46 @@ You'll see this used in our [C2C source docs](/docs/send-data/hosted-collectors/ Use the Docusaurus [Details](https://docusaurus.io/docs/next/markdown-features#details) feature to collapse long, additional content and long code samples. When collapsed, the content can be searched, but not displayed, when loading a page. Place long lists or lots of content in this section. The reader can expand/collapse as needed. Important content like required steps and instructions should not be placed in an expander. -You can include markdown content in expanders including code samples, embedded videos, bulleted lists, and more. +### When to use and when NOT to use `
` tags + +| Use Case | ✅ DO Use | ❌ DO NOT Use | Why | +|:---------|:----------|:--------------|:----| +| **FAQ Sections** | | ❌ Never | **Against GEO principles**: Hidden content negatively impacts Generative Engine Optimization and search visibility. **AI citation fails**: AI tools and search engines cannot properly cite or reference content hidden inside accordion components. FAQ content must be immediately visible and scannable. | +| **Troubleshooting Sections** | | ❌ Never | Users searching for solutions need immediate visibility of troubleshooting steps. Hidden content creates friction and poor user experience. | +| **Critical Instructions** | | ❌ Never | Required steps, warnings, or important information must always be visible. Users should not need to click to reveal essential information. | +| **Short Content** | | ❌ Avoid | If collapsed content is only 2-5 lines, keep it visible. The expand/collapse interaction adds unnecessary friction. | +| **Primary Documentation Flow** | | ❌ Avoid | Main concepts and procedures should not be hidden behind accordions. Core content must be scannable. | +| **Long Code Samples** | ✅ Yes | | Code samples over 100 lines of JSON, YAML, or configuration examples benefit from collapsing to reduce page scrolling. | +| **Multiple Installation Methods** | ✅ Yes | | When documenting 3+ installation methods (UI installer, command-line, package managers), collapse each method so users can choose their preferred approach. | +| **API Endpoint Documentation** | ✅ Yes | | Collapse detailed request parameters, response formats, and examples to keep API reference pages scannable. | +| **Alternative Configuration Options** | ✅ Yes | | When showing different setup paths or service configurations (e.g., AWS regions, authentication methods), collapse alternatives to reduce clutter. | +| **Sample Log Formats** | ✅ Yes | | Lengthy log examples (50+ lines) that users reference occasionally should be collapsed. | + +:::warning Important +Using `
` tags for FAQ and troubleshooting content violates **Generative Engine Optimization (GEO)** best practices and prevents AI tools from properly citing your documentation. Always keep FAQ and troubleshooting content visible. +::: + +### Format FAQ questions as headings + +Write each FAQ question as a heading, not as bold text. Headings create discrete, retrievable units that answer engines and AI tools can chunk and cite individually, while bold is purely visual and carries no semantic weight. Use an `H3` for questions directly under an `H2` FAQ section (for example, `## FAQs` → `### How do I reset my password?`), and an `H4` for questions grouped under an `H3` sub-category (for example, `### Security and privacy` → `#### Is my data encrypted?`). + +#### How to use collapsible sections -Add a title for the expander between the `` tags. Then, add all content after `` tags and before the closing `
` tags. +When using `
` tags for appropriate content (see table above), follow these guidelines: + +1. **Always include a descriptive title** in the `` tag. This title should clearly describe what content is collapsed. +2. **Add the `title` attribute** to the `
` tag for better accessibility and SEO. +3. You can include markdown content in expanders including code samples, embedded videos, bulleted lists, and more. +4. Add all content after the `` tags and before the closing `
` tag. + +```markdown +
+Install Using the Command-Line Installer + +Your installation steps and code samples go here... + +
+``` ` tags. Then, add all content - - ## Contractions Using contractions contributes to our goals of striking a conversational, friendly tone. diff --git a/docs/cse/get-started-with-cloud-siem/soc-analyst-agent.md b/docs/cse/get-started-with-cloud-siem/soc-analyst-agent.md index 0f55da69d5..2b63192f7f 100644 --- a/docs/cse/get-started-with-cloud-siem/soc-analyst-agent.md +++ b/docs/cse/get-started-with-cloud-siem/soc-analyst-agent.md @@ -125,48 +125,27 @@ You can also ask Mobot to close the current insight. In the **Ask Something...** ## FAQs -
-What is the Sumo Logic SOC Analyst Agent? - +### What is the Sumo Logic SOC Analyst Agent? The SOC Analyst Agent is part of the [Sumo Logic Dojo AI](/docs/get-started/ai-machine-learning/#dojo-ai). The SOC Analyst Agent is an assistant that applies agentic AI reasoning to triage and investigation tasks. It correlates alerts, weighs patterns against frameworks like MITRE ATT&CK, and renders evidence-backed verdicts, providing analysts an immediate sense of threat impact. When deeper analysis is required, the same agent supports hypothesis-based investigation to map relationships, connect entities, and summarize findings. -
- -
-What are the benefits of the agent? +### What are the benefits of the agent? Security teams spend too much time validating false positives and performing repetitive investigative steps. By embedding reasoning and context-awareness directly into Cloud SIEM, the SOC Analyst Agent eliminates noise, standardizes outcomes, and accelerates time to resolution. -
- -
-Will the agent increase scanning or data-processing costs? +### Will the agent increase scanning or data-processing costs? No. The agent analyzes existing data already ingested into Cloud SIEM. It performs reasoning on metadata and contextual signals rather than initiating new scans. -
- -
-How does the agent differ from Cloud SIEM correlation or automation rules? - +### How does the agent differ from Cloud SIEM correlation or automation rules? Unlike traditional correlation logic, which is static, the SOC Analyst Agent applies agentic reasoning. It adapts based on insight context, recent analyst actions, and environmental signals, producing contextual, explainable decisions rather than fixed pattern matches. -
- -
-What data does the agent rely on to render verdicts? +### What data does the agent rely on to render verdicts? The agent draws from normalized security data (`sec_record*` indexes and signals), correlated entities, Sumo Logic’s integrated threat intelligence feeds, and enrichment data (for example, IP geolocation, user behavior, and asset details). -
- -
-Can analysts provide feedback or correct AI verdicts? +### Can analysts provide feedback or correct AI verdicts? Yes. Analysts can override verdicts and flag feedback within the UI. These actions are logged and reviewed to refine model behavior over time as part of the Dojo AI learning loop. -
### FAQs for preview -
-How does investigation rate limiting work? - +#### How does investigation rate limiting work? To ensure stable performance, the agent performs system-wide rate limiting, which imposes usage controls across the entire SOC Analyst Agent user base to manage capacity. As a result, automatic investigation may skip some insights if investigating them would exceed rate limits. The skipped insights show **Not Investigated** in the **AI Verdicts** column. However, in these instances, you can manually start an investigation of the insight by clicking the **Investigate** button. The rate limits for your organization are: @@ -176,19 +155,12 @@ The rate limits for your organization are: Be aware, though, that if you have reached your limit of the total number of insights that you can get AI verdicts for in a certain time period, a message will appear telling you when you can next click the **Investigate** button to manually initiate an AI investigation. If you have questions about the AI investigation rate limiting for your organization, ask your Sumo Logic representative. -
- -
-Does the agent automatically investigate things that are not entities in Cloud SIEM? +#### Does the agent automatically investigate things that are not entities in Cloud SIEM? Traditional Cloud SIEM entities are items like users, IP addresses, hosts, and the like. In addition to these, the agent automatically investigates things that are not usually identified as entities in Cloud SIEM, such as related cloud resources, API endpoints, or service accounts relevant to the insight. This intelligent entity prioritization results in faster investigation and reduces time spent manually determining which entities to investigate. -
- -
-Can I converse with the agent in the same way I am used to doing with other AI-enabled tools? +#### Can I converse with the agent in the same way I am used to doing with other AI-enabled tools? Yes, you can. In your investigation, you are not limited in how you proceed. You can engage the agent in a conversational flow to direct the investigation any way you want. However, the agent has many tools that can help should you need guidance. For example, the agent presents follow-up questions after each step that offer you multiple paths for investigation. -
## Additional resources diff --git a/docs/get-started/ai-machine-learning.md b/docs/get-started/ai-machine-learning.md index fa6a57d0b2..e727866c5b 100644 --- a/docs/get-started/ai-machine-learning.md +++ b/docs/get-started/ai-machine-learning.md @@ -131,17 +131,12 @@ The [Global Intelligence Service](/docs/integrations/global-intelligence) apps p ### General -
-Can I opt out of AI features? - +#### Can I opt out of AI features? Yes. You can opt out of specific AI features at any time by submitting a support ticket. -
### Security and privacy -
-Do Dojo AI agents access customer data? - +#### Do Dojo AI agents access customer data? Agent interaction with customer data varies by capability. Mobot (including Query Agent and Knowledge Agent) and Summary Agent do **not** process or analyze customer data. @@ -153,11 +148,8 @@ Any AI capability that processes customer data: - Requires execution of the applicable AI addendum to the client agreement Customers retain control over whether these data-processing capabilities are enabled in their environment. -
- -
-What types of customer data or PII does the AI process? Does it filter sensitive information? +#### What types of customer data or PII does the AI process? Does it filter sensitive information? Sumo Logic AI capabilities follow strict legal, compliance, and security standards to ensure data minimization and fit-for-purpose processing. - Customer data is never used to train AI models, shared externally, or used to improve global models. @@ -165,11 +157,8 @@ Sumo Logic AI capabilities follow strict legal, compliance, and security standar - Sumo Logic applies strong safeguards and filtering to ensure sensitive data is handled securely and appropriately at all times. Capabilities that process customer data, including the SOC Analyst Agent (currently in Public Preview), are available only through explicit customer opt-in and require execution of the applicable AI addendum. These capabilities are never automatically provisioned. -
- -
-Is customer data or PII used to train AI models? +#### Is customer data or PII used to train AI models? No. Customer data is never used to train AI models. All Sumo Logic AI capabilities are designed to serve customer-specific outcomes within their own environment. Mobot uses a large language model (LLM) via Amazon Bedrock, which processes data securely and does not retain or use customer information for training or other external purposes. @@ -177,11 +166,8 @@ All Sumo Logic AI capabilities are designed to serve customer-specific outcomes Traditional ML features, such as AI-driven alerts, generate models specific to each customer's environment and are never shared or made public. For more information, see [Security and Compliance](/docs/manage/security). -
- -
-Does any third party have access to Dojo AI customer data? +#### Does any third party have access to Dojo AI customer data? Dojo AI leverages foundation models securely hosted through Amazon Bedrock. When customer data is processed using Amazon Bedrock: - Customer inputs and outputs are treated as Customer Content under AWS terms. @@ -191,56 +177,40 @@ Dojo AI leverages foundation models securely hosted through Amazon Bedrock. When - Customer inputs and outputs are not shared with model providers and are not used to train external models. Customer data processed through Dojo AI remains within Sumo Logic's secure environment and is used only to deliver results for that customer. It is not used to train foundation models or shared with model providers. -
- -
-How long does Dojo AI store customer data, and how is it deleted? +#### How long does Dojo AI store customer data, and how is it deleted? Dojo AI and classical ML features store data only temporarily to optimize performance: - AI-driven alerts use a rolling 60-day data window, retraining weekly and expiring the oldest data automatically. - Mobot may temporarily retain query history in a rolling window to improve conversational context and response accuracy. All stored data follows Sumo Logic's data retention and deletion policies, ensuring customer information is never retained longer than necessary. -
### Technical -
-Does Sumo Logic AI use open-source libraries, generative AI providers, or cloud services? - +#### Does Sumo Logic AI use open-source libraries, generative AI providers, or cloud services? Yes. Dojo AI leverages foundation models securely hosted through Amazon Bedrock. -
- -
-Does Sumo Logic hold any AI-specific certifications or accreditations? +#### Does Sumo Logic hold any AI-specific certifications or accreditations? Sumo Logic is currently reviewing AI compliance within a rapidly evolving framework, in particular ISO 42001, designed to help organizations implement AI responsibly. Sumo Logic AI capabilities operate within our existing industry-recognized security and compliance framework, including FedRAMP Moderate, SOC 2 Type 2, HIPAA, PCI DSS 4.0.1, and ISO 27001:2022. These attestations govern the confidentiality, integrity, and protection of customer data. Availability of specific AI capabilities may vary by deployment region (including FED) based on compliance boundary requirements. -
- -
-Which Dojo AI capabilities are available in FED? +#### Which Dojo AI capabilities are available in FED? The current GA versions of Mobot (including Query Agent and Knowledge Agent) and Summary Agent are available in the FED deployment. The SOC Analyst Agent and certain newer Dojo AI capabilities are not currently available in FED. These capabilities depend on underlying model configurations that do not yet meet the requirements of our FED compliance boundary. Sumo Logic is actively evaluating future availability of these capabilities in FED as underlying model support and compliance requirements evolve. -
- -
-What types of model reviews are conducted? +#### What types of model reviews are conducted? The generative AI model is licensed and securely hosted via Amazon Bedrock, meaning it is not directly accessible by Sumo Logic, customers, or third parties. All new AI capabilities and features undergo comprehensive legal, compliance, and application security reviews before release to ensure data protection, privacy, and regulatory alignment. Recurring reviews are also conducted with every major update, particularly when a capability introduces new analytics or processes previously unused data types, to maintain ongoing trust and compliance. -
## Additional resources diff --git a/docs/get-started/sumo-logic-ui.md b/docs/get-started/sumo-logic-ui.md index 1053514671..9a28ff8275 100644 --- a/docs/get-started/sumo-logic-ui.md +++ b/docs/get-started/sumo-logic-ui.md @@ -207,34 +207,23 @@ You'll need Sumo Logic Administrator role privileges to perform most of these t This FAQ provides answers to common questions about the Sumo Logic UI redesign, which involves transitioning from the legacy Classic UI to the New UI. -
-Q: What is being launched? - +### What is being launched? We are excited to introduce the Sumo Logic Unified Experience, internally known as Project Kanso, inspired by the Japanese principle of simplicity and clutter elimination. This initiative integrates the capabilities of our Log Analytics, Cloud SIEM, and Cloud SOAR into a unified navigation system. Alongside this integration, we have implemented several user interface enhancements to make all Sumo Logic features more accessible and user-friendly. -
- -
-Q: What issues does the New UI resolve? +### What issues does the New UI resolve? The disparate user interface and varying navigation patterns among Log Analytics, Cloud SIEM, and Cloud SOAR have made it challenging for users to effectively utilize these tools together for monitoring and troubleshooting. The current information architecture and navigation system have not effectively showcased useful functionalities to users. It's structured around tools like Traces, Log Search, and Metric Search rather than focusing on user-centric use cases. This places a burden on users to discover these functionalities. In-app tabs present performance and usability challenges since they all operate within a single browser tab. These tabs disrupt native browser navigation features like the back button and tab grouping. The New UI navigation lets you leverage native browser capabilities and customize tab organization according to your preferences. -
- -
-Q: What changes have been implemented that enhance my Sumo Logic experience? +### What changes have been implemented that enhance my Sumo Logic experience? * **Unified Navigation**. You'll now notice a uniform navigation system across Log Analytics, Cloud SIEM, and Cloud SOAR products, ensuring a consistent experience for Sumo Logic users engaged in both observability and security use cases. * **Improved Product Discoverability**. The left nav panel now organizes product features in a solution-centric manner, emphasizing key use cases like infrastructure monitoring, application monitoring, log analysis, security monitoring, and analytics. This reorganization aims to facilitate easier access to Sumo Logic's product features. * **Enhanced Browsing Experience and Accelerated Performance**. In-app tabs will be replaced with native browser tabs, significantly improving _First Contentful Paint_ (FCP) and _Time to Interactive_ (TTI) metrics. With this change, you'll experience faster page load times and ability to organize tabs the way you are used to with other applications. * **Stateful URLs**. Most of the page URLs will now be stateful, allowing you to easily share content with your team members. Any changes made in the UI will be reflected in the URL parameters, making it simple for you to copy and share URLs. Additionally, this feature enables users to navigate back to previous states effortlessly by using the browser. -
- -
-Q: With all Sumo Logic tabs being grouped together in one browser tab, how can I prevent an excessive amount of tabs in my browser? +### With all Sumo Logic tabs being grouped together in one browser tab, how can I prevent an excessive amount of tabs in my browser? We understand that the removal of in-app tabs in the New UI is a significant change in our user workflow, eliciting mixed feedback. While some users appreciate the convenience of consolidated tabs within the app, others question the need for this change. Addressing performance concerns, consolidating tabs aims to reduce browser clutter, albeit potentially complicating session management. For users who prefer centralized Sumo Logic tabs, we recommend utilizing [tab grouping functionality](#customize-your-environment-withtabs) for a seamless experience. | Classic UI | New UI | @@ -244,21 +233,14 @@ We understand that the removal of in-app tabs in the New UI is a significant cha | Performance degrades over long usage because user is using one browser tab. | Memory usage is distributed over different tabs. | | Tab switches reload the tab. | Tab switches won’t reload the tab. This will accelerate time to load, which is especially useful for data-rich features like Dashboards. | -
- -
-Q: Will the New UI retain the Classic UI feature of remembering previously opened tabs from my previous session? - +### Will the New UI retain the Classic UI feature of remembering previously opened tabs from my previous session? After analyzing tab usage data, we've found that a minimal portion of previously opened tabs are actively utilized by our users. Consequently, the Sumo Logic UI often remains cluttered with multiple unused tabs. With the introduction of the New UI experience, if you fail to close browser tabs from previous sessions, they will automatically reload upon login. Tab reload Moreover, we've made the **Recents** feature more prominent in the navigation bar and plan to extend it to other content types which will make it easier for users to open recently opened tabs. -
- -
-Q: How do I access the Classic UI? +### How do I access the Classic UI? The New UI is the future of Sumo Logic, offering better performance, easier navigation, and exclusive new features. While we understand that transitions take time, we strongly recommend using the New UI for the best experience. If you switch back to the Classic UI, you will not have access to: @@ -273,8 +255,6 @@ The Classic UI will be retired in 2025 and will no longer receive updates. The e We encourage you to stay in the New UI and take advantage of its benefits! -
- ## Get support For questions or issues, contact [Support](https://support.sumologic.com/) or join our [Sumo Logic Slack](https://sumodojo.slack.com/) channel. diff --git a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-azure-ad-reporting-source.md b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-azure-ad-reporting-source.md index 919f9ebfd5..71390df36b 100644 --- a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-azure-ad-reporting-source.md +++ b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-azure-ad-reporting-source.md @@ -131,12 +131,9 @@ https://github.com/SumoLogic/sumologic-documentation/blob/main/static/files/c2c/ ``` ## Troubleshooting -
- This request is throttled. Please try again after the value specified in the Retry-After header. -
- This error occurs when the API request limit (throttling threshold) is exceeded and the source makes more API calls than the limit specified in the [Microsoft documentation](https://learn.microsoft.com/en-us/graph/throttling-limits#identity-and-access-reports-service-limits). In many cases, this happens when the same credentials are used concurrently by multiple vendors or integrations. Please verify that the credentials configured for the Sumo Logic source are not shared with other platforms making API calls. -
-
+### This request is throttled. Please try again after the value specified in the Retry-After header. + +This error occurs when the API request limit (throttling threshold) is exceeded and the source makes more API calls than the limit specified in the [Microsoft documentation](https://learn.microsoft.com/en-us/graph/throttling-limits#identity-and-access-reports-service-limits). In many cases, this happens when the same credentials are used concurrently by multiple vendors or integrations. Please verify that the credentials configured for the Sumo Logic source are not shared with other platforms making API calls. ## FAQ diff --git a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source.md b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source.md index 2e8f70fe63..5b18393c6f 100644 --- a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source.md +++ b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source.md @@ -344,7 +344,7 @@ The client will automatically handle HTTP 429 response status codes that include
10. (Optional) **Polling Interval**. Set how frequently to poll for new data. It must be between 5 minutes and 48 hours -1. When you are finished configuring the Source, click **Save**. +11. When you are finished configuring the Source, click **Save**. ## JSON schema @@ -358,50 +358,50 @@ Sources can be configured using UTF-8 encoded JSON files with the Collector Ma ### Configuration object -| Parameter | Type | Required | Default | Description | Example | -| :------------------------- | :---------- | :------- | :---------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| name | String | Yes | `null` | Type a desired name of the source. The name must be unique per Collector. This value is assigned to the [metadata](/docs/search/get-started-with-search/search-basics/built-in-metadata) field `_source`. | `"mySource"` | -| description | String | No | `null` | Type a description of the source. | `"Testing source"` | -| category | String | No | `null` | Type a category of the source. This value is assigned to the [metadata](/docs/search/get-started-with-search/search-basics/built-in-metadata) field `_sourceCategory`. See [best practices](/docs/send-data/best-practices) for details. | `"mySource/test"` | -| parserPath | String | No | `null` | The path to a parser name | | -| fields | JSON Object | No | `null` | JSON map of key-value fields (metadata) to apply to the Collector or Source. Use the boolean field `_siemForward` to enable forwarding to SIEM. | `{"_siemForward": false, "fieldA": "valueA"}` | -| authCategory | String | Yes | `"Basic"` | One of currently supported authentication types. | `"Basic"`, `"ApiKey"`, `"Bearer"`, `"OAuth 2.0 Client Credentials"`, `"NoAuth"` | -| authBasicUsername | String | No | `null` | The HTTP basic authentication username. | `"collection-user"` | -| authBasicPassword | String | No | `null` | The HTTP basic authentication password. | | -| authLocation | String | Yes | `"headers"` | The location to include the HTTP authentication information. | `"headers"`, `"parameters"` | -| authKeyName | String | Yes | `"Authorization"` | The key name used to provide the authentication secret. | `"Authorization"`, `"X-API-Key"` | -| authKeyValue | String | Yes | `null` | The authentication secret value used for the `authKeyName` key. | | -| authKeyValuePrefix | String | No | `null` | An optional non-secret text prefix prepended to the `authKeyValue` secret. | `"SSWS"` | -| authBearerToken | String | Yes | `null` | The authentication bearer secret token. | | -| oauthClientId | String | Yes | `null` | Your OAuth API client id. | | -| oauthClientSecret | String | Yes | `null` | Your OAuth API client secret. | | -| oauthTokenUrl | String | Yes | `null` | Your OAuth API token URL. | | -| oauthScopes | JSON Object | No | `null` | One or more OAuth scopes. | | -| oauthParams | JSON Object | No | `null` | One or more optional HTTP request parameters when calling the OAuth API token URL. | | -| requestMethod | String | Yes | `GET` | The HTTP method used in the request. | `"GET"`, `"POST"` | -| requestEndpoint | String | Yes | `null` | The API endpoint URL excluding the URL parameters. | `"https://acme.org/api/v1/auditLogs"` | -| requestHeaders | JSON Object | No | `null` | Any HTTP request headers to include. | `"requestHeaders": [{"headerName": "Accept", "headerValue": "application/json"}, {"headerName": "Content-Type", "headerValue": "application/json"}]` | -| requestParams | JSON Object | No | `null` | Any HTTP URL parameters to include. | `"requestParams": [{"paramName": "limit", "paramValue": "1000"}, {"paramName": "since", "paramValue": "{{ .WindowStartUTC \"2006-01-02T15:04:05Z07:00\" }}"}, {"paramName": "until", "paramValue": "{{ .WindowEndUTC \"2006-01-02T15:04:05Z07:00\" }}"}` | -| requestBody | String | No | `null` | The data to include in the HTTP request body if the `POST` method is used. | | -| progressType | String | Yes | `"window"` | Select the type of progression the source will use to prevent data loss and duplication. | `"progressionType": "window"` | -| progressWindowSize | String | Yes | `"5m"` | The size of the time window. | `"windowSize": "5m"` | -| progressWindowInitLookback | String | Yes | `"24h"` | How far back the source should start collecting data when created. This setting has no affect after the initial creation. | `"windowInitialLookback": "24h"` | -| progressWindowMaxLookback | String | Yes | `"31d"` | How far the window is allowed to stagnate when encountering repetitive errors. | `"windowMaxLookback": "31d"` | -| responseLogsType | String | Yes | `"json"` | How the source should ingest logs from the response. | `"json"` | -| responseLogsJsonPaths | JSON Object | Yes | `null` | The location of logs to ingest in the JSON response and how to handle event timestamps. See [full documentation](/docs/send-data/reference-information/time-reference) for details. | `[{"logsPath": "$[*]", "logTimestampPath": "$.published", "logTimestampFormat": "2006-01-02T15:04:05.999Z", "logTimestampValueRegex": "Date\((.*)\)"}]`

**Note:** For regex, there should be at least one match group. If there is more than one match group, then only the first group will be considered. | -| paginationType | String | Yes | `"LinkHeaders"` | Pagination type `LinkHeaders`, `Offset`, or `None` | `"LinkHeaders"`, `"None"` | -| paginationLinkHeadersType | String | Yes | `"headers"` | Configures if the next page URL is included in the Link HTTP response header or in the response body. | `"headers"`, `"body"` | -| paginationLinkHeadersJPath | String | No | `null` | A JSON Path to the appropriate body property | -| paginationOffsetLocation | String | No | `parameters` | The location in the HTTP request to use the numeric offset pagination key/value pairs | -| paginationOffsetKey | String | No | `offset` | The key name for the offset to use in the HTTP request headers or parameters | -| paginationOffsetLimitKey | String | No | `limit` | The key name for the limit to use in the HTTP request headers or parameters | -| paginationOffsetLimitValue | Integer | No | `5000` | The limit value to use to restrict the results per page | `"$.link.next"` | -| clientTimeoutDuration | String | Yes | `"5m"` | How long the source allows the HTTP connection to live before closing it and setting the health to a timeout error. | `"5m"` | -| clientTimeoutRetries | Integer | Yes | `5` | The source will automatically retry without waiting for the next poll interval this many times for some errors such as 500 Internal Server. | `5` | -| clientRateLimitReqs | Integer | Yes | `1000` | The number of HTTP requests the source is allowed to make within the rate limit duration. | `1000` | -| clientRateLimitDuration | String | Yes | `"1m"` | The duration the rate limit requests, must be between 1s and 1h. | `"1m"` | -| clientRateLimitBurst | Integer | Yes | `1000` | The number of requests the source is allowed to burst. | `1000` | -| pollingInterval | String | Yes | `"5m"` | Set how frequently to poll for new data. It must be between 5 minutes and 48 hours. | `"5m"` | +| Parameter | Type | Required | Default | Description | Example | +| :-- | :-- | :-- | :-- | :--- | :-- | +| name | String | Yes | `null` | Type a desired name of the source. The name must be unique per Collector. This value is assigned to the [metadata](/docs/search/get-started-with-search/search-basics/built-in-metadata) field `_source`. | `"mySource"` | +| description | String | No | `null` | Type a description of the source. | `"Testing source"` | +| category | String | No | `null` | Type a category of the source. This value is assigned to the [metadata](/docs/search/get-started-with-search/search-basics/built-in-metadata) field `_sourceCategory`. See [best practices](/docs/send-data/best-practices) for details. | `"mySource/test"` | +| parserPath | String | No | `null` | The path to a parser name | | +| fields | JSON Object | No | `null` | JSON map of key-value fields (metadata) to apply to the Collector or Source. Use the boolean field `_siemForward` to enable forwarding to SIEM. | `{"_siemForward": false, "fieldA": "valueA"}` | +| authCategory | String | Yes | `"Basic"` | One of currently supported authentication types. | `"Basic"`, `"ApiKey"`, `"Bearer"`, `"OAuth 2.0 Client Credentials"`, `"NoAuth"` | +| authBasicUsername | String | No | `null` | The HTTP basic authentication username. | `"collection-user"` | +| authBasicPassword | String | No | `null` | The HTTP basic authentication password. | | +| authLocation | String | Yes | `"headers"` | The location to include the HTTP authentication information. | `"headers"`, `"parameters"` | +| authKeyName | String | Yes | `"Authorization"` | The key name used to provide the authentication secret. | `"Authorization"`, `"X-API-Key"` | +| authKeyValue | String | Yes | `null` | The authentication secret value used for the `authKeyName` key. | | +| authKeyValuePrefix | String | No | `null` | An optional non-secret text prefix prepended to the `authKeyValue` secret. | `"SSWS"` | +| authBearerToken | String | Yes | `null` | The authentication bearer secret token. | | +| oauthClientId | String | Yes | `null` | Your OAuth API client id. | | +| oauthClientSecret | String | Yes | `null` | Your OAuth API client secret. | | +| oauthTokenUrl | String | Yes | `null` | Your OAuth API token URL. | | +| oauthScopes | JSON Object | No | `null` | One or more OAuth scopes. | | +| oauthParams | JSON Object | No | `null` | One or more optional HTTP request parameters when calling the OAuth API token URL. | | +| requestMethod | String | Yes | `GET` | The HTTP method used in the request. | `"GET"`, `"POST"` | +| requestEndpoint | String | Yes | `null` | The API endpoint URL excluding the URL parameters. | `"https://acme.org/api/v1/auditLogs"` | +| requestHeaders | JSON Object | No | `null` | Any HTTP request headers to include. | `"requestHeaders": [{"headerName": "Accept", "headerValue": "application/json"}, {"headerName": "Content-Type", "headerValue": "application/json"}]` | +| requestParams | JSON Object | No | `null` | Any HTTP URL parameters to include. | `"requestParams": [{"paramName": "limit", "paramValue": "1000"}, {"paramName": "since", "paramValue": "{{ .WindowStartUTC \"2006-01-02T15:04:05Z07:00\" }}"}, {"paramName": "until", "paramValue": "{{ .WindowEndUTC \"2006-01-02T15:04:05Z07:00\" }}"}` | +| requestBody | String | No | `null` | The data to include in the HTTP request body if the `POST` method is used. | | +| progressType | String | Yes | `"window"` | Select the type of progression the source will use to prevent data loss and duplication. | `"progressionType": "window"` | +| progressWindowSize | String | Yes | `"5m"` | The size of the time window. | `"windowSize": "5m"` | +| progressWindowInitLookback | String | Yes | `"24h"` | How far back the source should start collecting data when created. This setting has no affect after the initial creation. | `"windowInitialLookback": "24h"` | +| progressWindowMaxLookback | String | Yes | `"31d"` | How far the window is allowed to stagnate when encountering repetitive errors. | `"windowMaxLookback": "31d"` | +| responseLogsType | String | Yes | `"json"` | How the source should ingest logs from the response. | `"json"` | +| responseLogsJsonPaths | JSON Object | Yes | `null` | The location of logs to ingest in the JSON response and how to handle event timestamps. See [full documentation](/docs/send-data/reference-information/time-reference) for details. | `[{"logsPath": "$[*]", "logTimestampPath": "$.published", "logTimestampFormat": "2006-01-02T15:04:05.999Z", "logTimestampValueRegex": "Date\((.*)\)"}]`

**Note:** For regex, there should be at least one match group. If there is more than one match group, then only the first group will be considered. | +| paginationType | String | Yes | `"LinkHeaders"` | Pagination type `LinkHeaders`, `Offset`, or `None` | `"LinkHeaders"`, `"None"` | +| paginationLinkHeadersType | String | Yes | `"headers"` | Configures if the next page URL is included in the Link HTTP response header or in the response body. | `"headers"`, `"body"` | +| paginationLinkHeadersJPath | String | No | `null` | A JSON Path to the appropriate body property. | +| paginationOffsetLocation | String | No | `parameters` | The location in the HTTP request to use the numeric offset pagination key/value pairs. | +| paginationOffsetKey | String | No | `offset` | The key name for the offset to use in the HTTP request headers or parameters. | +| paginationOffsetLimitKey | String | No | `limit` | The key name for the limit to use in the HTTP request headers or parameters. | +| paginationOffsetLimitValue | Integer | No | `5000` | The limit value to use to restrict the results per page. | `"$.link.next"` | +| clientTimeoutDuration | String | Yes | `"5m"` | How long the source allows the HTTP connection to live before closing it and setting the health to a timeout error. | `"5m"` | +| clientTimeoutRetries | Integer | Yes | `5` | The source will automatically retry without waiting for the next poll interval this many times for some errors such as 500 Internal Server. | `5` | +| clientRateLimitReqs | Integer | Yes | `1000` | The number of HTTP requests the source is allowed to make within the rate limit duration. | `1000` | +| clientRateLimitDuration | String | Yes | `"1m"` | The duration the rate limit requests, must be between 1s and 1h. | `"1m"` | +| clientRateLimitBurst | Integer | Yes | `1000` | The number of requests the source is allowed to burst. | `1000` | +| pollingInterval | String | Yes | `"5m"` | Set how frequently to poll for new data. It must be between 5 minutes and 48 hours. | `"5m"` | ## Dynamic values variables @@ -570,40 +570,23 @@ We recommend using [this code snippet](https://goplay.tools/snippet/WTFe5ZLU9PO) ## Troubleshooting -
- - Errors related to partial log ingestion, log preparation, timestamp extraction, or response parsing - -
- Possible resolution -
    -
  • Ensure that the HTTP Response Log Ingest Configuration matches the API response structure.
  • -
  • Verify that all configured fields exist in the API response.
  • -
  • Confirm that the API response is returned in valid JSON format.
  • -
-
-
+### Errors related to partial log ingestion, log preparation, timestamp extraction, or response parsing -
- Error getting partial logs, error preparing log, error getting timestamp data, timestamp path not in data, or error parsing response data -
- These errors are typically caused by an improper endpoint response format or incorrect log ingestion configuration. Ensure that your endpoint returns data in a valid JSON format and response fields are as per the configuration. -
-
+- Ensure that the HTTP Response Log Ingest Configuration matches the API response structure. +- Verify that all configured fields exist in the API response. +- Confirm that the API response is returned in valid JSON format. -
- oauth2: cannot parse json: invalid character -
- This error occurs due to an OAuth 2.0 authentication misconfiguration. Reconfigure the source using valid OAuth 2.0 credentials and ensure that it aligns with the steps in the [Authentication Configuration](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source#source-configuration) section. -
-
+### Error getting partial logs, error preparing log, error getting timestamp data, timestamp path not in data, or error parsing response data -
- Failed to validate the base request config or error preparing new request -
- These errors indicate that the endpoint configuration is not set up correctly. Verify that your endpoint configuration follows the instructions in the [Request Configuration](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source#source-configuration) section. -
-
+These errors are typically caused by an improper endpoint response format or incorrect log ingestion configuration. Ensure that your endpoint returns data in a valid JSON format and response fields are as per the configuration. + +### oauth2: cannot parse json: invalid character + +This error occurs due to an OAuth 2.0 authentication misconfiguration. Reconfigure the source using valid OAuth 2.0 credentials and ensure that it aligns with the steps in the [Authentication Configuration](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source#source-configuration) section. + +### Failed to validate the base request config or error preparing new request + +These errors indicate that the endpoint configuration is not set up correctly. Verify that your endpoint configuration follows the instructions in the [Request Configuration](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source#source-configuration) section. ## FAQ @@ -611,18 +594,14 @@ We recommend using [this code snippet](https://goplay.tools/snippet/WTFe5ZLU9PO) Click [here](/docs/c2c/info) for more information about Cloud-to-Cloud sources. ::: -
- What if I want to query multiple HTTP endpoints? -
You will need to create a new source per endpoint for the data you wish to collect, even if the endpoint is within the same API.
-
-
- Can I transform the data collected? -
No, this source only collects the data. You can use the Sumo Logic platform features to parse/transform the data further after collection.
-
-
- What timestamp is used for the data? -
If you leave the time parsing configuration blank, it will cause the source to use current time for the collected logs. Be sure to configure the HTTP response log ingestion configuration section to ensure time parsing is correctly handled. The source will enter an error health status if time parsing is configured and is unsuccessful.
-
+### What if I want to query multiple HTTP endpoints? +You will need to create a new source per endpoint for the data you wish to collect, even if the endpoint is within the same API. + +### Can I transform the data collected? +No, this source only collects the data. You can use the Sumo Logic platform features to parse/transform the data further after collection. + +### What timestamp is used for the data? +If you leave the time parsing configuration blank, it will cause the source to use current time for the collected logs. Be sure to configure the HTTP response log ingestion configuration section to ensure time parsing is correctly handled. The source will enter an error health status if time parsing is configured and is unsuccessful. :::note By default, this source supports up to *512 MB* of memory in a single API response. For higher limits or additional requirements, contact Sumo Logic Support.