Snyk Logs
Panther supports pulling logs directly from Snyk
Overview
Panther has the ability to fetch Snyk audit logs by querying the Snyk Audit API.
Panther monitors all events listed in the Snyk Audit Logs documentation except api.access events. Instead of api.access events, it is recommended to use Snyk's explicit action logs, as they contain richer contextual information for each action.
By default, Snyk logs do not contain human-readable values for objects such as vaults and login credentials. Please see this Lookup Table guide to learn how to translate Universally Unique Identifier (UUID) values into human-readable names.
How to onboard Snyk logs to Panther
Step 1: Generate an API token in Snyk
To use the Snyk API, you must first retrieve an API token from Snyk. For more information on using Snyk's API, see the Snyk documentation: Authentication for API.
- Log in to your Snyk account. 
- Go to Account Settings > General. 
- Locate the API Token section. In the KEY field, click "click to show", then select and copy the value in that field. Store this in a secure location, as you will need it in the next steps.
Step 2: Create a new Snyk log source in Panther
- In the left-hand navigation bar of your Panther Console, click Configure > Log Sources. 
- Click Create New. 
- Search for “Snyk,” then click its tile.
- On the slide-out panel, click Start Setup. 
- On the next screen, enter a descriptive name for the source, e.g. My Snyk logs.
- Click Setup. 
- On the Set Credentials page, fill in the form:
  - Organization Id: Enter your Snyk organization ID.
  - API Token: Enter the API token from your Snyk account.
- Click Setup. You will be directed to a success screen:
  - You can optionally enable one or more Detection Packs.
  - The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Supported log types
Snyk.GroupAudit
Snyk.GroupAudit item usage. Reference: https://docs.snyk.io/snyk-api/reference/audit-logs
schema: Snyk.GroupAudit
description: Audit logs of your group.
referenceURL: https://docs.snyk.io/snyk-api/reference/audit-logs
fields:
  - name: groupId
    description: The group id
    type: string
  - name: orgId
    description: The organization id
    type: string
  - name: userId
    description: The user id
    type: string
    indicators:
      - actor_id
  - name: projectId
    description: The project id
    type: string
  - name: event
    required: true
    description: The event type
    type: string
  - name: created
    required: true
    description: The date and time of the event in rfc3339 standard format
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: content
    description: The content relating to the event
    type: json
Snyk.OrgAudit
Snyk.OrgAudit item usage. Reference: https://docs.snyk.io/snyk-api/reference/audit-logs
schema: Snyk.OrgAudit
description: Audit logs of your organization.
referenceURL: https://docs.snyk.io/snyk-api/reference/audit-logs
fields:
  - name: groupId
    description: The group id
    type: string
  - name: orgId
    description: The organization id
    type: string
  - name: userId
    description: The user id
    type: string
    indicators:
      - actor_id
  - name: projectId
    description: The project id
    type: string
  - name: event
    required: true
    description: The event type
    type: string
  - name: created
    required: true
    description: The date and time of the event in rfc3339 standard format
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: content
    description: The content relating to the event
    type: json
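The following is an added example, not code from Panther or Snyk. It validates constructed Snyk.OrgAudit-shaped events against the field set declared in the two schemas above (required `event` and `created`, rfc3339 `created`, JSON `content`), then runs a Panther-style Python rule (the `rule()`/`title()` function shape Panther uses) over them. The rule skips `api.access`, as the overview says Panther does, and translates the `userId` UUID through a small lookup table standing in for the Lookup Table the overview points to. The lookup table, the watched event names, and every sample event are constructed for this example and are not real Snyk identifiers.

```python
"""Validate Snyk audit events against the Snyk.GroupAudit / Snyk.OrgAudit
field set and evaluate a Panther-style rule over them.

Added example, not Panther's or Snyk's own code. The rule()/title() shape
follows Panther's Python rule convention; the lookup table, the watched
event names and all sample events below are constructed.
"""
from datetime import datetime

# Field set shared by Snyk.GroupAudit and Snyk.OrgAudit (from the schemas above).
SCHEMA = {
    "groupId": {"type": "string", "required": False},
    "orgId": {"type": "string", "required": False},
    "userId": {"type": "string", "required": False},
    "projectId": {"type": "string", "required": False},
    "event": {"type": "string", "required": True},
    "created": {"type": "timestamp", "required": True},
    "content": {"type": "json", "required": False},
}

# Constructed lookup table: userId UUID -> human-readable name.
USER_LOOKUP = {
    "11111111-1111-4111-8111-111111111111": "alice@example.com",
}

# Constructed stand-ins for the access-control event types you choose to watch.
WATCHED_EVENTS = {"org.user.add", "org.user.remove", "org.settings.edit"}


def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp (the 'created' field) into an aware datetime."""
    if not isinstance(value, str):
        raise ValueError("created must be a string")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate(event):
    """Return a list of schema problems; an empty list means the event conforms."""
    problems = []
    for name, spec in SCHEMA.items():
        if event.get(name) is None:
            if spec["required"]:
                problems.append(f"missing required field {name}")
            continue
        value = event[name]
        if spec["type"] == "string" and not isinstance(value, str):
            problems.append(f"{name} must be a string")
        elif spec["type"] == "json" and not isinstance(value, (dict, list)):
            problems.append(f"{name} must be a JSON object or array")
        elif spec["type"] == "timestamp":
            try:
                parse_rfc3339(value)
            except ValueError:
                problems.append(f"{name} is not rfc3339")
    return problems


def rule(event):
    """Panther-style rule: fire on watched event types, never on api.access."""
    if event.get("event") == "api.access":
        return False
    return event.get("event") in WATCHED_EVENTS


def title(event):
    """Alert title with the userId UUID translated via the lookup table."""
    actor = USER_LOOKUP.get(event.get("userId"), event.get("userId", "unknown"))
    return f"Snyk {event.get('event')} by {actor} in org {event.get('orgId', 'unknown')}"


# Constructed sample events (not real Snyk data).
SAMPLE_EVENTS = [
    {   # well-formed, watched event by a known user -> alerts
        "groupId": "aaaaaaaa-0000-4000-8000-000000000001",
        "orgId": "bbbbbbbb-0000-4000-8000-000000000002",
        "userId": "11111111-1111-4111-8111-111111111111",
        "event": "org.user.add",
        "created": "2024-05-01T12:00:00Z",
        "content": {"target": "cccccccc-0000-4000-8000-000000000003"},
    },
    {   # api.access is excluded by Panther and by the rule
        "orgId": "bbbbbbbb-0000-4000-8000-000000000002",
        "userId": "22222222-2222-4222-8222-222222222222",
        "event": "api.access",
        "created": "2024-05-01T12:01:00Z",
    },
    {   # malformed: required 'created' missing -> dropped before the rule runs
        "orgId": "bbbbbbbb-0000-4000-8000-000000000002",
        "event": "org.user.remove",
    },
]


def evaluate(events):
    """Validate each event, then run the rule; return alert titles for events that fire."""
    alerts = []
    for ev in events:
        if validate(ev):
            continue  # skip malformed events rather than alerting on them
        if rule(ev):
            alerts.append(title(ev))
    return alerts


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.get("event"), validate(ev) or "ok", rule(ev))
    print(evaluate(SAMPLE_EVENTS))
```

Validating before evaluating matters because the schema marks only `event` and `created` as required: a rule that assumes `userId` or `orgId` is present will either raise or alert on "unknown" actors, so the title falls back to the raw UUID or "unknown" instead of failing.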