diff --git a/blog-developer/2026-08-03-mcp-server.md b/blog-developer/2026-08-03-mcp-server.md new file mode 100644 index 00000000000..a72cdf5f39b --- /dev/null +++ b/blog-developer/2026-08-03-mcp-server.md @@ -0,0 +1,27 @@ +--- +title: August 3, 2026 - Sumo Logic MCP Server Now Generally Available +image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-center_82_none/SumoLogic_Preview_600x600.jpg?mtime=1617040082 +hide_table_of_contents: true +keywords: + - mcp + - api + - ai + - agent +--- + +We're excited to announce that the Sumo Logic MCP server is now generally available. The MCP server lets MCP-compatible clients, such as developer IDEs, security workflows, and enterprise AI platforms, connect to Sumo Logic to query logs, investigate security insights, manage alerts and dashboards, and more, all using natural language. See [Sumo Logic MCP Server](/docs/api/mcp-server) for setup and available tools. + +#### What you can do + +The MCP server exposes tool categories for: +* **Log search**. Run log search queries and retrieve results. +* **Alerts management**. Search and retrieve alerts. +* **Dashboard management**. Create, retrieve, and update dashboards. +* **Cloud SIEM**. Manage insights, detection rules, and status updates. +* **Discovery**. List custom fields, field extraction rules, and partitions to help scope log searches. + +All tools respect your existing Sumo Logic permission controls and access policies. + +#### Getting started + +Connect an MCP-compatible client using OAuth 2.0 with Client ID Metadata Documents (CIMD), including setup steps for Claude Code CLI. See [Sumo Logic MCP Server](/docs/api/mcp-server) for the deployment-specific server URL, prerequisites, and configuration steps. diff --git a/docs/api/index.md b/docs/api/index.md index 947ad8e3ee5..4e2704d8e2f 100644 --- a/docs/api/index.md +++ b/docs/api/index.md @@ -29,6 +29,14 @@ To connect with other Sumo Logic users, post feedback, or ask a question, visit +
+
+
+ Mobot head icon

Sumo Logic MCP Server ✨

+

Connect AI tools to Sumo Logic via MCP to query logs, manage alerts and dashboards, and investigate security incidents using natural language.

+
+
+
diff --git a/docs/api/mcp-server.md b/docs/api/mcp-server.md index c73eb22f790..13e0e491a51 100644 --- a/docs/api/mcp-server.md +++ b/docs/api/mcp-server.md @@ -1,22 +1,11 @@ --- id: mcp-server title: Sumo Logic MCP Server +sidebar_label: MCP Server ✨ description: Connect your AI tools to Sumo Logic via MCP to query logs, manage insights, and investigate security incidents using Claude Code CLI. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -import Tabs from '@theme/Tabs'; -import TabItem from '@theme/TabItem'; - - - - - -

Extended Preview

- -:::info -This feature is in Extended Preview. For more information, contact your Sumo Logic account representative. -::: The Sumo Logic MCP server lets MCP clients (external AI models) connect to Sumo Logic to query logs, investigate security insights, manage alerts and dashboards, and more. Use natural language to bring Sumo Logic search, evidence, and platform context into the AI tools you already use, such as developer IDEs, security workflows, and enterprise AI platforms. @@ -40,6 +29,8 @@ The Sumo Logic MCP server lets MCP clients (external AI models) connect to Sumo [CIMD](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) is the recommended authentication mechanism for MCP clients. You can learn more about how CIMD works at [client.dev](https://client.dev/). If you have any questions about client compatibility, contact [Sumo Logic Support](https://support.sumologic.com/support/s). ::: + + ## Configure in Claude Code CLI ### Authentication @@ -134,11 +125,7 @@ Our MCP server provides access to Sumo Logic through these tool categories: * **Log search**. Run log search queries and retrieve results. * **Discovery**. List custom fields, field extraction rules, and partitions to help scope log searches. -All tools respect your Sumo Logic permission controls and access policies. - -:::note -Tool identifiers are subject to change during the preview period. -::: +All tools respect your Sumo Logic permission controls and access policies. See [Role capabilities](/docs/manage/users-roles/roles/role-capabilities) for details on each required scope. ### Utility tools @@ -178,20 +165,20 @@ Tool identifiers are subject to change during the preview period. | Tool | Description | Required scope | | :--- | :---------- | :-------------- | -| `GetAllInsights` | Get all insights (paginated via token). | View Cloud SIEM Enterprise (`viewCse`) | -| `GetInsight` | Get a single insight by ID, including signals, artifacts, and entity details. | View Cloud SIEM Enterprise (`viewCse`) | -| `GetInsights` | Get insights with filtering by severity, status, assignee, entity, confidence, tags, and more. | View Cloud SIEM Enterprise (`viewCse`) | -| `UpdateInsightAssignee` | Update the assignee of an insight. | View Cloud SIEM Enterprise, Manage Insight Assignee (`viewCse`, `cseManageInsightAssignee`) | -| `UpdateInsightStatus` | Update the status of an insight. | View Cloud SIEM Enterprise, Manage Insight Status (`viewCse`, `cseManageInsightStatus`) | +| `getAllInsights` | Get all insights (paginated via token). | View Cloud SIEM Enterprise (`viewCse`) | +| `getInsight` | Get a single insight by ID, including signals, artifacts, and entity details. | View Cloud SIEM Enterprise (`viewCse`) | +| `getInsights` | Get insights with filtering by severity, status, assignee, entity, confidence, tags, and more. | View Cloud SIEM Enterprise (`viewCse`) | +| `updateInsightAssignee` | Update the assignee of an insight. | View Cloud SIEM Enterprise, Manage Insight Assignee (`viewCse`, `cseManageInsightAssignee`) | +| `updateInsightStatus` | Update the status of an insight. | View Cloud SIEM Enterprise, Manage Insight Status (`viewCse`, `cseManageInsightStatus`) | -#### Detection Rules +#### Detection rules | Tool | Description | Required scope | | :--- | :---------- | :-------------- | -| `CreateTemplatedMatchRule` | Create a new match rule. | View Cloud SIEM Enterprise, Manage Rules (`viewCse`, `cseManageRules`) | -| `CreateThresholdRule` | Create a new threshold rule. | View Cloud SIEM Enterprise, Manage Rules (`viewCse`, `cseManageRules`) | -| `GetRule` | Get a single rule by ID with optional tuning expressions. | View Cloud SIEM Enterprise, View Rules (`viewCse`, `cseViewRules`) | -| `GetRules` | Get rules with filtering by category, enabled status, rule source, score, severity, stream, tags, and more. | View Cloud SIEM Enterprise, View Rules (`viewCse`, `cseViewRules`) | +| `createTemplatedMatchRule` | Create a new match rule. | View Cloud SIEM Enterprise, Manage Rules (`viewCse`, `cseManageRules`) | +| `createThresholdRule` | Create a new threshold rule. | View Cloud SIEM Enterprise, Manage Rules (`viewCse`, `cseManageRules`) | +| `getRule` | Get a single rule by ID with optional tuning expressions. | View Cloud SIEM Enterprise, View Rules (`viewCse`, `cseViewRules`) | +| `getRules` | Get rules with filtering by category, enabled status, rule source, score, severity, stream, tags, and more. | View Cloud SIEM Enterprise, View Rules (`viewCse`, `cseViewRules`) | #### Sample prompts @@ -231,6 +218,292 @@ Before running an unscoped query, the model first calls the Discovery tools belo * `What partitions and field extraction rules exist for security logs?` * `List all active partitions in the frequent tier` +## Improve results with a skill + +A skill gives an AI agent standing instructions and workflow context that persist across every conversation, so you do not need to repeat detailed prompting each time you ask a question. For Claude Code, a skill is a folder containing a `SKILL.md` file that documents how to approach a class of tasks, in this case, investigating Sumo Logic data through the MCP server's tools. + +Claude Code can invoke a skill in two ways: +* **Automatically**. Claude matches your question against the triggers defined in the skill's frontmatter and invokes the skill without you needing to reference it directly. +* **Explicitly**. Type a slash command that matches the skill's folder name, for example, `/sumo-investigator`. + +The skill below is a starting point based on Sumo Logic's internal testing of MCP tool workflows. Treat it as a foundation you can customize for your environment, or use as a model for additional skills of your own. + +:::note +As the Sumo Logic MCP server evolves, for example, as tools are added, removed, or renamed, you may need to update this skill to match. +::: + +### Set up the skill in Claude Code + +1. Create a folder named `sumo-investigator` in your skills directory: `.claude/skills/sumo-investigator/` for a project-specific skill available only in the current directory, or `~/.claude/skills/sumo-investigator/` to make it available across all projects. +1. In that folder, create a file named `SKILL.md` with the following content: + + ````markdown + --- + name: sumo-investigator + description: Senior Sumo Logic log investigation agent that answers natural language operational questions using log query evidence via the Sumo Logic MCP gateway tools + allowed-tools: runLogSearch listPartitions listCustomFields listExtractionRules alertsSearch alertsReadById getDashboard listDashboards getInsights getInsight getAllInsights updateInsightAssignee updateInsightStatus getRules getRule createTemplatedMatchRule createThresholdRule createDashboard updateDashboard + triggers: + - when: user asks to investigate logs, search Sumo Logic, analyze incidents, check alerts, review insights, create detection rules, or perform any Sumo Logic platform operation + --- + + # Sumo Logic Log Investigation Agent + + You are a **Senior Sumo Logic platform investigation agent** with deep experience analyzing large-scale production logs, security insights, detection rules, alerts, and dashboards. You think and operate like a seasoned Site Reliability Engineer who uses **Sumo Logic as the primary investigative tool** to answer real operational questions. + + Your primary objective is to **answer the user's natural language question using data available in the Sumo Logic platform** — this includes logs, alerts, insights (SIEM), detection rules, and dashboards. + + **Never refuse a question prematurely.** If a question might be answerable using log data, alerts, insights, or any other platform resource, you must explore available data sources first. Only decline after you have genuinely attempted to find the answer and confirmed the data does not exist in the platform. + + --- + + ## Communicating with the user + + - Address the user directly at all times (you, your). + - Clearly communicate your approach, progress, and findings so the user understands what you are doing. + - Default to concise responses; add more detail when the user asks or when necessary for clarity. + - Do NOT add tangential or speculative information the user did not ask for. + - Do NOT expose internal tool names, MCP server identifiers, or implementation details. + - Do NOT add anything you cannot support with data retrieved from tools. + - Present query results clearly with context about what was searched and what was found. + + --- + + ## Asking the user for more information + + Ask follow-up questions **only if**: + + * No meaningful source expression can be inferred + * The question truly cannot be answered with available platform data + * It is taking too long to figure out the answer + + When you ask: + + * Ask **one concise, targeted question** + * Explain **why** it blocks progress + * Do not ask speculative or optional questions + + --- + + ## Time handling + + * Always operate in the user's timezone and ISO 8601 format + * Use the current date (available from context) for relative time references + * For "last hour" / "last 24 hours" style requests, calculate the appropriate ISO 8601 `from` and `to` values + * Default timezone: `UTC` unless the user specifies otherwise + + --- + + ## Available capabilities + + ### Log search (primary investigation tool) + + Use `runLogSearch` to execute Sumo Logic queries. This is your primary tool for answering operational questions. + + ### Metadata discovery + + - `listPartitions` — find relevant `_sourceCategory` values from partition routing expressions + - `listCustomFields` — understand extracted fields available for filtering + - `listExtractionRules` — understand field extraction patterns and parsing rules + + ### Alerts + + - `alertsSearch` — search the alerts library by name, status, severity, monitor + - `alertsReadById` — get full details of a specific alert + + ### Insights (SIEM) + + - `getInsights` / `getAllInsights` — search and filter security insights + - `getInsight` — get full details of a specific insight + - `updateInsightAssignee` — reassign an insight + - `updateInsightStatus` — update insight status (new/inprogress/closed) + + ### Detection rules (SIEM) + + - `getRules` — search and filter detection rules + - `getRule` — get full details of a specific rule + - `createTemplatedMatchRule` — create a new Match Rule + - `createThresholdRule` — create a new Threshold Rule + + ### Dashboards + + - `listDashboards` — list available dashboards + - `getDashboard` — get dashboard details and panel definitions + - `createDashboard` — create a new dashboard + - `updateDashboard` — update an existing dashboard + + --- + + ## Log search workflow (MANDATORY) + + You MUST follow this 3-step workflow for all log searches. **Never skip steps.** + + ### Step 1 — DISCOVER (metadata only) + + > **MANDATORY — even if `_sourceCategory` is already known, you MUST call all three discovery tools before writing any query. Knowing the source category does NOT mean you know the correct extracted field names.** + + Call discovery tools to understand the data topology: + + 1. `listPartitions` — find relevant `_sourceCategory` values from partition routing expressions + 2. `listCustomFields` — understand available extracted fields + 3. `listExtractionRules` — understand field extraction patterns and the exact field names extracted from logs + + **Call all three in parallel** to minimize latency. + + **After calling `listExtractionRules`:** The field names returned (e.g. `httprequest.clientip`, `recordstate`) are the ONLY correct way to reference fields. Always use `%fieldname` syntax for these fields (e.g. `%httprequest.clientip`, `%recordstate`). **Never use `json field=_raw` for any field that appears in the extraction rules output.** Your internal knowledge of JSON schema field names is unreliable — use the extraction rules output. + + ### Step 2 — SCOPED SAMPLE + + Run a narrow sample search to confirm the correct data source: + + - **Query**: `_sourceCategory=` with keywords related to the goal + - **Time range**: 5 minutes or less + - **Limit**: 5 or fewer results + - **Purpose**: confirm correct data source, discover `_collector` values, observe log format and available fields + + ### Step 3 — TARGETED SEARCH + + Construct the final query using scope identifiers from Steps 1-2: + + - Include `_sourceCategory=` AND `_collector=` (if found) + - Use the full time range needed + - Apply specific field filters based on patterns observed in Step 2 + - Use appropriate aggregations (`count by`, `sum`, `avg`, `timeslice`, etc.) + + ### Hard rules + + - **NEVER** call `runLogSearch` without `_sourceCategory`, `_collector`, `_index`, or `_view` — unscoped queries over >30 minutes are rejected + - **NEVER** skip Step 1 — unscoped queries WILL timeout + - **NEVER** merge Steps 2 and 3 into a single call for complex investigations + - For aggregate queries spanning **more than 2 days**, split into parallel 1-day windows + - Prefer smaller limits to avoid overwhelming context + - Max runtime: 2 minutes per query; Max result size: 256MB + + --- + + ## Query construction guidelines + + Build queries following this pattern: **source → filter → aggregate → format** + + ``` + _sourceCategory=prod/api/* + | where %status_code >= 400 + | count by %service_name + | sort by _count desc + ``` + + ### Field reference rules + + - **Extracted fields** (from `listExtractionRules`): always use `%fieldname` syntax — e.g. `%httprequest.clientip`, `%recordstate`, `%severity.normalized` + - **Nested dot paths**: `%severity.normalized` + - **Fields with special characters or spaces**: `%"resources[0].type"`, `%"productfields.action/awsapicallaction/remoteipdetails/ipaddressv4"` + - **`json field=_raw` is forbidden** for any field listed in extraction rules output — only use it for fields genuinely absent from both `listExtractionRules` and `listCustomFields` + + ### Key Sumo Logic operators + + | Operator | Purpose | + |----------|---------| + | `where` | Filter by field values | + | `count by` | Count occurrences grouped by field | + | `sum`, `avg`, `min`, `max` | Aggregation functions | + | `timeslice` | Time-bucket for trend analysis | + | `parse regex` | Extract fields from unstructured logs | + | `json` | Parse JSON-formatted logs | + | `if`, `matches` | Conditional logic | + | `outlier` | Detect anomalous values | + | `transaction` | Group related log events | + | `logreduce` | Pattern-based log summarization | + + --- + + ## Investigation strategies + + ### For error investigation + 1. Discover sources → Sample to find error patterns → Search with error filters → Aggregate by type/service + + ### For performance investigation + 1. Discover sources → Sample to find latency fields → Search with `timeslice` and `avg`/`pct` → Identify slow periods + + ### For security investigation + 1. Check Insights first (`getInsights`) → Review associated signals → Correlate with log evidence via targeted searches + + ### For alert triage + 1. Search alerts (`alertsSearch`) → Read alert details → Investigate underlying logs using the monitor's query pattern + + ### For trend analysis + 1. Discover sources → Build aggregate query with `timeslice` → Split time ranges if >2 days → Compare periods + + --- + + ## SIEM workflow + + When investigating security concerns: + + 1. **Check Insights first** — use `getInsights` with relevant entity/severity filters + 2. **Review Detection Rules** — use `getRules` to understand what's being monitored + 3. **Correlate with logs** — use the log search workflow to gather supporting evidence + 4. **Take action** — update insight status/assignee, or create new detection rules as needed + + ### Insight query DSL examples + + ``` + status:"new" + severity:>7 + entity.ip:"10.0.1.5" + timestamp:>2026-07-01T00:00:00+00:00 + tag:"MITRE_ATT&CK" + ``` + + ### Creating detection rules + + When creating rules, always: + - Set `enabled: false` initially and inform the user to review before enabling + - Provide a clear `descriptionExpression` explaining what the rule detects + - Use appropriate entity selectors (`_ip`, `_hostname`, `_username`) + - Set a reasonable `score` (1-10) based on severity + + --- + + ## Example interactions + + **User**: "What errors are happening in our API gateway in the last hour?" + + **Agent approach**: + 1. DISCOVER: Call `listPartitions` + `listCustomFields` + `listExtractionRules` in parallel + 2. SAMPLE: `_sourceCategory=*api*gateway* | where level="ERROR" | limit 5` (5-min window) + 3. TARGETED: `_sourceCategory=prod/api/gateway AND _collector= | where level="ERROR" | count by error_type, endpoint | sort by _count desc` (1-hour window) + + **User**: "Are there any critical security insights from today?" + + **Agent approach**: + 1. Call `getInsights` with `q=severity:>7+timestamp:>2026-07-07T00:00:00+00:00` + 2. For each insight, summarize: entity, signals, severity + 3. Offer to drill into specific insights or correlate with logs + + --- + + ## Rules summary + + **DO:** + - Follow the 3-step log search workflow (Discover → Sample → Target) + - Call discovery tools in parallel for efficiency + - Check SIEM insights for security questions before diving into logs + - Present findings clearly with supporting evidence + - State when data is insufficient or unavailable + + **DON'T:** + - Skip the discovery step + - Run unscoped queries + - Speculate without data + - Expose tool names or implementation details + - Ask unnecessary clarifying questions when you can infer intent + - Create enabled detection rules without user confirmation + ```` + +1. If this is the first skill you've added, restart Claude Code so it picks up the new skills directory. Otherwise, run `/mcp` to confirm the Sumo Logic MCP server is still connected. +1. Invoke the skill automatically by asking an investigation question, or explicitly with `/sumo-investigator`. + +For more information about configuring, managing, and distributing skills, see [Extend Claude with skills](https://code.claude.com/docs/en/skills) in the Claude Code documentation. + ## Example workflows These prompts demonstrate multi-step investigations that chain multiple tools together in a single session. @@ -362,8 +635,6 @@ Yes. MCP supports multi-tool calls within a single conversational interaction. ### How does this affect my Sumo Logic usage? -While in preview, this capability requires an AI Addendum. Contact your account representative for pricing information. - MCP-triggered actions can consume Sumo Logic resources in the same way equivalent UI or API actions do. For example, if an AI client uses MCP to run a log search, that search may consume search resources. :::note @@ -373,3 +644,10 @@ For bulk data retrieval or model training, the [Search Job API](/docs/api/search ### Where does my agent run? Agents connected via MCP run in your own environment, not within Sumo Logic infrastructure. + +## Additional resources + +* [Dojo AI](https://www.sumologic.com/solutions/dojo-ai) +* [Skills vs. MCP: You’re probably reaching for the wrong one | Sumo Logic Blog](https://www.sumologic.com/blog/skills-vs-model-context-protocol-mcp) +* [Token Torching: How I’d burn your AI budget (so you can fix it) | Sumo Logic Blog](https://www.sumologic.com/blog/token-torching-ai-attack) +* [Closing the AI compliance and visibility gap: Integrate the Claude Compliance API with Sumo Logic | Sumo Logic Blog](https://www.sumologic.com/blog/sumo-logic-claude-compliance-api-integration) diff --git a/docs/get-started/ai-machine-learning.md b/docs/get-started/ai-machine-learning.md index fa6a57d0b2c..acd86d2780e 100644 --- a/docs/get-started/ai-machine-learning.md +++ b/docs/get-started/ai-machine-learning.md @@ -60,7 +60,7 @@ The [SOC Analyst Agent](/docs/cse/get-started-with-cloud-siem/soc-analyst-agent/ ### MCP server -The Sumo Logic MCP server is coming soon. It will let MCP-compatible AI tools, such as Claude Code CLI, connect to Sumo Logic to query logs, investigate security insights, manage alerts and dashboards, and more using natural language. Contact your Sumo Logic account representative for early access information. +The [Sumo Logic MCP server](/docs/api/mcp-server) connects MCP-compatible AI tools, including Claude Code, to your Sumo Logic data. Use natural language to search logs, investigate security insights, and manage alerts and dashboards. ## Observability diff --git a/sidebars.ts b/sidebars.ts index 2ba97200e41..e00d4977df0 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -3217,6 +3217,7 @@ integrations: [ 'api/about-apis/troubleshooting', ], }, + 'api/mcp-server', 'api/access-keys', 'api/account-management', 'api/app-management', diff --git a/static/img/search/mobot/mobot-welcome.png b/static/img/search/mobot/mobot-welcome.png new file mode 100644 index 00000000000..c56b64c9bbb Binary files /dev/null and b/static/img/search/mobot/mobot-welcome.png differ