# Snyk Logs

## Overview

Panther has the ability to fetch Snyk audit logs by querying the [Snyk Audit API](https://docs.snyk.io/snyk-api/reference/audit-logs).

Panther monitors all events listed in the [Snyk Audit Logs documentation](https://docs.snyk.io/snyk-api/reference/audit-logs) except `api.access` events. Instead of `api.access` events, it is recommended to use Snyk's explicit action logs, as they contain richer contextual information for each action.

{% hint style="warning" %}
By default, Snyk logs do not contain human-readable values for objects such as vaults and login credentials. Please [see this Lookup Table guide](https://docs.panther.com/guides/using-lookup-tables-1password-uuids) to learn how to translate Universally Unique Identifier (UUID) values into human-readable names.
{% endhint %}

#### Video overview

{% embed url="https://www.youtube.com/watch?v=IC6pHT2qkE8" %}

## How to onboard Snyk logs to Panther

### Step 1: Generate an API token in Snyk

To use the Snyk API, you must first retrieve an API token from Snyk. For more information on using Snyk's API, see the [Snyk documentation: Authentication for API](https://docs.snyk.io/snyk-api-info/authentication-for-api).

{% hint style="info" %}
Alternatively, you can use a service account that has a role with audit log access. For more information, see [Snyk's Service accounts documentation](https://docs.snyk.io/enterprise-setup/service-accounts#set-up-a-group-or-organization-level-service-account).
{% endhint %}

1. Log in to [your Snyk account](https://app.snyk.io/account).
2. Go to **Account Settings > General**.
3. Locate the **API Token** section. In the **KEY** field, click **click to show**, then select and copy the value in that field. Store this in a secure location, as you will need it in the next steps.\
   ![In Snyk, the API Token section is displayed. There is a field labeled "Key," and inside the field there is text that says "Click to show." On the right, there is a red button labeled "Revoke and Regenerate."](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-6f642406c2530ebe9b9daab7b0f0728adac92fe2%2Fimage%20\(12\)%20\(1\)%20\(1\)%20\(2\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\).png?alt=media)

### Step 2: Create a new Snyk log source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for "Snyk," then click its tile.
4. On the slide-out panel, click **Start Setup**.
5. On the next screen, enter a descriptive name for the source, e.g. `My Snyk logs`.
6. Click **Setup**.
7. On the **Set Credentials** page, fill in the form:
   * **Organization Id**: Enter your Snyk organization ID.
   * **API Token**: Enter the API token from your Snyk account.
8. Click **Setup**. You will be directed to a success screen:

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-e55cedf82c6a6adc66ec5c14ebdcb164c3b1dcca%2FScreenshot%202023-08-03%20at%204.33.30%20PM.png?alt=media" alt="The success screen reads, &#x22;Everything looks good! Panther will now automatically pull &#x26; process logs from your account&#x22;" width="281"><figcaption></figcaption></figure>

   * You can optionally enable one or more [Detection Packs](https://docs.panther.com/detections/panther-managed/packs).
   * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

     <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-c48119abd559990173004bde99ff4907fdd2ded2%2FScreenshot%202023-08-03%20at%204.26.54%20PM.png?alt=media" alt="The &#x22;Trigger an alert when no events are processed&#x22; toggle is set to YES. The &#x22;How long should Panther wait before it sends you an alert that no events have been processed&#x22; setting is set to 1 Day" width="320"><figcaption></figcaption></figure>

## Supported log types

### Snyk.GroupAudit

Audit log events for your Snyk group. Reference: <https://docs.snyk.io/snyk-api/reference/audit-logs>

```yaml
schema: Snyk.GroupAudit
description: Audit logs of your group.
referenceURL: https://docs.snyk.io/snyk-api/reference/audit-logs
fields:
  - name: groupId
    description: The group id
    type: string
  - name: orgId
    description: The organization id
    type: string
  - name: userId
    description: The user id
    type: string
    indicators:
      - actor_id
  - name: projectId
    description: The project id
    type: string
  - name: event
    required: true
    description: The event type
    type: string
  - name: created
    required: true
    description: The date and time of the event in rfc3339 standard format
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: content
    description: The content relating to the event
    type: json
```

### Snyk.OrgAudit

Audit log events for your Snyk organization. Reference: <https://docs.snyk.io/snyk-api/reference/audit-logs>

```yaml
schema: Snyk.OrgAudit
description: Audit logs of your organization.
referenceURL: https://docs.snyk.io/snyk-api/reference/audit-logs
fields:
  - name: groupId
    description: The group id
    type: string
  - name: orgId
    description: The organization id
    type: string
  - name: userId
    description: The user id
    type: string
    indicators:
      - actor_id
  - name: projectId
    description: The project id
    type: string
  - name: event
    required: true
    description: The event type
    type: string
  - name: created
    required: true
    description: The date and time of the event in rfc3339 standard format
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: content
    description: The content relating to the event
    type: json
```
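The `Snyk.GroupAudit` and `Snyk.OrgAudit` schemas above expose the same fields, so one detection can cover both log types. The following Panther-style Python rule is an added example, not Panther's or Snyk's own code: it alerts on a small watch list of audit event types, skips `api.access` events as the overview recommends, and builds a title and alert context from the schema fields (`groupId`, `orgId`, `userId`, `projectId`, `event`, `created`, `content`). The event names in `WATCHED_EVENTS`, their severities, and the sample records are constructed for illustration; replace them with the event types from Snyk's audit-log reference that matter in your environment.

```python
"""
Panther-style rule for Snyk audit events (Snyk.GroupAudit / Snyk.OrgAudit).

Added example, not Panther's or Snyk's own code. Field names follow the schemas
documented on this page; WATCHED_EVENTS and SAMPLE_EVENTS are constructed values.
Panther calls rule(), severity(), title() and alert_context() with an event object
that supports .get(), so plain dicts work for local testing.
"""

# Constructed watch list: audit event types to alert on, mapped to a severity.
# These names are assumptions for the example; take real names from Snyk's reference.
WATCHED_EVENTS = {
    "org.user.add": "LOW",
    "org.user.remove": "MEDIUM",
    "org.service_account.create": "HIGH",
    "org.project.delete": "MEDIUM",
}


def rule(event):
    """Return True when this event should raise an alert.

    api.access events are excluded explicitly: Panther does not ingest them for
    this source, and even if they appeared they carry less context than the
    explicit action events, so they should not match a watch list built for those.
    """
    event_type = event.get("event")
    if not event_type or event_type == "api.access":
        return False
    return event_type in WATCHED_EVENTS


def severity(event):
    """Severity comes from the watch list; INFO for anything else."""
    return WATCHED_EVENTS.get(event.get("event"), "INFO")


def title(event):
    """Human-readable alert title built from the schema's identifier fields.

    userId and orgId are UUIDs in Snyk logs; a Lookup Table (see the hint at the
    top of this page) can be used to translate them into names.
    """
    actor = event.get("userId") or "unknown user"
    scope = event.get("orgId") or event.get("groupId") or "unknown scope"
    return f"Snyk audit: [{event.get('event')}] by [{actor}] in [{scope}]"


def alert_context(event):
    """Structured context attached to the alert for triage.

    `content` is a free-form JSON object in the schema, so only its keys are
    surfaced here; copy specific values once you know an event's shape.
    """
    content = event.get("content") or {}
    return {
        "event": event.get("event"),
        "userId": event.get("userId"),
        "orgId": event.get("orgId"),
        "groupId": event.get("groupId"),
        "projectId": event.get("projectId"),
        "created": event.get("created"),
        "content_keys": sorted(content.keys()) if isinstance(content, dict) else [],
    }


# Constructed sample records in the shape of the Snyk.OrgAudit schema.
SAMPLE_EVENTS = [
    {"groupId": "group-1", "orgId": "org-1", "userId": "user-a", "projectId": None,
     "event": "org.service_account.create", "created": "2024-01-15T10:02:33Z",
     "content": {"name": "ci-bot", "role": "admin"}},
    {"groupId": "group-1", "orgId": "org-1", "userId": "user-b", "projectId": "proj-9",
     "event": "org.project.test", "created": "2024-01-15T10:03:01Z",
     "content": {}},
    {"groupId": "group-1", "orgId": "org-1", "userId": "user-c", "projectId": None,
     "event": "api.access", "created": "2024-01-15T10:03:05Z",
     "content": {"url": "/rest/orgs"}},
]


def run_samples(events=SAMPLE_EVENTS):
    """Run the rule over a batch of events and return the titles that would alert."""
    return [title(e) for e in events if rule(e)]


if __name__ == "__main__":
    for alert_title in run_samples():
        print(alert_title)
```

Only the constructed service-account creation record matches the watch list; the routine project event and the `api.access` record are dropped. In a real deployment the `dedup` and `runbook` functions Panther supports can be added in the same style.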
