# Snyk Logs

## Overview

Panther can fetch Snyk audit logs by querying the [Snyk Audit API](https://docs.snyk.io/snyk-api/reference/audit-logs).

Panther monitors all events listed in the [Snyk Audit Logs documentation](https://docs.snyk.io/snyk-api/reference/audit-logs) except `api.access` events. Instead of `api.access` events, it is recommended to use Snyk's explicit action logs, as they contain richer contextual information for each action.

{% hint style="warning" %}
By default, Snyk logs do not contain human-readable values for objects such as vaults and login credentials. Please [see this Lookup Table guide](https://docs.panther.com/guides/using-lookup-tables-1password-uuids) to learn how to translate Universally Unique Identifier (UUID) values into human-readable names.
{% endhint %}

#### Video overview

{% embed url="<https://www.youtube.com/watch?v=IC6pHT2qkE8>" %}

## How to onboard Snyk logs to Panther

### Step 1: Generate an API token in Snyk

To use the Snyk API, you must first retrieve an API token from Snyk. For more information on using Snyk's API, see the [Snyk documentation: Authentication for API](https://docs.snyk.io/snyk-api-info/authentication-for-api).

{% hint style="info" %}
Alternatively, you can use a service account that has a role with audit log access. For more information, see [Snyk's Service accounts documentation](https://docs.snyk.io/enterprise-setup/service-accounts#set-up-a-group-or-organization-level-service-account).
{% endhint %}

1. Log in to [your Snyk account](https://app.snyk.io/account).
2. Go to **Account Settings > General.**
3. Locate the **API Token** section. In the **KEY** field, click **click to show**, then select and copy the value in that field. Store this in a secure location, as you will need it in the next steps.\
   ![In Snyk, the API Token section is displayed. There is a field labeled "Key," and inside the field there is text that says "Click to show." On the right, there is a red button labeled "Revoke and Regenerate."](/files/MblPLA0oQY9m9Ec672k7)

### Step 2: Create a new Snyk log source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New.**
3. Search for “Snyk,” then click its tile.
4. On the slide-out panel, click **Start Setup**.
5. On the next screen, enter a descriptive name for the source, e.g., `My Snyk logs`.
6. Click **Setup.**
7. On the **Set Credentials** page, fill in the form:
   * **Organization Id**: Enter your Snyk organization ID.
   * **API Token**: Enter the API token from your Snyk account.
8. Click **Setup**. You will be directed to a success screen:

   <figure><img src="/files/lJCvylZLzgzxBKPB2fyE" alt="The success screen reads, &#x22;Everything looks good! Panther will now automatically pull &#x26; process logs from your account&#x22;" width="281"><figcaption></figcaption></figure>

   * You can optionally enable one or more [Detection Packs](https://docs.panther.com/detections/panther-managed/packs).
   * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

     <figure><img src="/files/Qjs5L2RqoxDEnhUcjTYh" alt="The &#x22;Trigger an alert when no events are processed&#x22; toggle is set to YES. The &#x22;How long should Panther wait before it sends you an alert that no events have been processed&#x22; setting is set to 1 Day" width="320"><figcaption></figcaption></figure>

## Supported log types

### Snyk.GroupAudit

Audit logs of your Snyk group. Reference: <https://docs.snyk.io/snyk-api/reference/audit-logs>

```yaml
schema: Snyk.GroupAudit
description: Audit logs of your group.
referenceURL: https://docs.snyk.io/snyk-api/reference/audit-logs
fields:
  - name: groupId
    description: The group id
    type: string
  - name: orgId
    description: The organization id
    type: string
  - name: userId
    description: The user id
    type: string
    indicators:
      - actor_id
  - name: projectId
    description: The project id
    type: string
  - name: event
    required: true
    description: The event type
    type: string
  - name: created
    required: true
    description: The date and time of the event in rfc3339 standard format
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: content
    description: The content relating to the event
    type: json
```

### Snyk.OrgAudit

Audit logs of your Snyk organization. Reference: <https://docs.snyk.io/snyk-api/reference/audit-logs>

```yaml
schema: Snyk.OrgAudit
description: Audit logs of your organization.
referenceURL: https://docs.snyk.io/snyk-api/reference/audit-logs
fields:
  - name: groupId
    description: The group id
    type: string
  - name: orgId
    description: The organization id
    type: string
  - name: userId
    description: The user id
    type: string
    indicators:
      - actor_id
  - name: projectId
    description: The project id
    type: string
  - name: event
    required: true
    description: The event type
    type: string
  - name: created
    required: true
    description: The date and time of the event in rfc3339 standard format
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: content
    description: The content relating to the event
    type: json
```
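Both schemas share the same fields, so one pre-ingestion check can cover either log type. The following is an added example, not Panther's own parser: it applies the schema rules shown above (required `event` and `created`, an RFC 3339 event time, `userId` as the `actor_id` indicator) and drops `api.access` events. The sample records, their IDs and event names, and the output key names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Rules taken from the Snyk.GroupAudit / Snyk.OrgAudit schemas on this page.
REQUIRED = ("event", "created")
STRING_FIELDS = ("groupId", "orgId", "userId", "projectId", "event", "created")
EXCLUDED_EVENTS = {"api.access"}  # not monitored, per the Overview

# Constructed sample records (IDs, event names and content are illustrative).
SAMPLE_LINES = [
    '{"groupId":"g-1","orgId":"o-1","userId":"u-1","event":"org.user.role.edit",'
    '"created":"2024-05-01T12:30:00.000Z","content":{"role":"admin"}}',
    '{"orgId":"o-1","userId":"u-2","event":"api.access","created":"2024-05-01T12:31:00.000Z"}',
    '{"orgId":"o-1","userId":"u-3","created":"2024-05-01T12:32:00.000Z"}',
    '{"orgId":"o-1","event":"org.project.add","created":"01/05/2024 12:33"}',
]

def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp into a timezone-aware UTC datetime."""
    # Older Python versions reject a trailing 'Z' in fromisoformat().
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("timestamp has no UTC offset")
    return parsed.astimezone(timezone.utc)

def check_record(raw_line):
    """Return (normalized_record, None) or (None, rejection_reason)."""
    try:
        rec = json.loads(raw_line)
    except json.JSONDecodeError:
        return None, "invalid JSON"
    if not isinstance(rec, dict):
        return None, "not a JSON object"
    for name in REQUIRED:
        if not rec.get(name):
            return None, f"missing required field: {name}"
    for name in STRING_FIELDS:
        if name in rec and not isinstance(rec[name], str):
            return None, f"field is not a string: {name}"
    if rec["event"] in EXCLUDED_EVENTS:
        return None, "excluded event type"
    try:
        event_time = parse_rfc3339(rec["created"])
    except ValueError:
        return None, "created is not RFC 3339"
    # userId carries the actor_id indicator in both schemas.
    actor_ids = [rec["userId"]] if rec.get("userId") else []
    return {"event": rec["event"], "event_time": event_time,
            "actor_ids": actor_ids, "content": rec.get("content")}, None

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(check_record(line))
```

Counting rejections by reason over a day of exported records is a quick way to spot a feed that has started sending malformed timestamps or missing event types.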


