Snyk Logs
Panther supports pulling logs directly from Snyk

Overview

Panther can fetch Snyk audit logs by querying the Snyk Audit API. Panther specifically monitors the following Snyk events:
  • User logged in and out of Snyk
  • User's role was changed in Snyk
  • License policy was modified and by whom
  • Service account was created or deleted

How to onboard Snyk logs to Panther

Prerequisites

Step 1: Generate an API token in Snyk

  1.
  2. Go to Account Settings > General.
  3. Locate the "Auth Token" section. In the KEY field, click "click to show", then select and copy the value in that field. Store this in a secure location, as you will need it in the next steps.
To set an API token to be read-only and unable to write to the platform, use a service account and set it to Group Viewer. For more information, see Snyk's Service accounts documentation.

Step 2: Create a new Snyk log source in Panther

  1. Log in to your Panther Console.
  2. In the left sidebar menu, click Configure > Log Sources.
  3. Click Create New.
  4. Select Snyk from the list of available log sources. Click Start Source Setup.
  5. On the next screen, enter a descriptive name for the source, e.g. My Snyk logs.
  6. Click Continue Setup.
  7. On the Set Credentials page, fill in the form:
    • Enter your Snyk organization ID.
    • Paste the API token from your Snyk account into the API token field.
    • Click Continue Setup.
  8. You will be directed to a confirmation screen where you can set up a log drop-off alarm.
    • This feature sends an error message if logs aren't received within a specified time interval.
  9. Click Finish Setup.
Note: By default, Snyk logs do not contain human-readable values for objects such as vaults and login credentials. Please see our guide about using Lookup Tables to translate Universally Unique Identifier (UUID) values into human-readable names.

Supported log types

Required fields in the schemas are listed as "required: true" just below the "name" field.

Snyk.GroupAudit

Snyk.GroupAudit item usage.
schema: Snyk.GroupAudit
parser:
  native:
    name: Snyk.GroupAudit
description: Audit logs of your group.
referenceURL: https://snyk.docs.apiary.io/#reference/audit-logs/get-group-level-audit-logs
version: 0
fields:
  - name: groupId
    required: true
    description: The group id
    type: string
  - name: orgId
    required: true
    description: The organization id
    type: string
  - name: userId
    required: true
    description: The user id
    type: string
    indicators:
      - username
  - name: projectId
    description: The project id
    type: string
  - name: event
    required: true
    description: The event type
    type: string
  - name: created
    required: true
    description: The date and time of the event in rfc3339 standard format
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: content
    description: The content relating to the event
    type: json

Snyk.OrgAudit

Snyk.OrgAudit item usage.
schema: Snyk.OrgAudit
parser:
  native:
    name: Snyk.OrgAudit
description: Audit logs of your organization.
referenceURL: https://snyk.docs.apiary.io/#reference/audit-logs/organization-level-audit-logs/get-organization-level-audit-logs
version: 0
fields:
  - name: groupId
    required: true
    description: The group id
    type: string
  - name: orgId
    required: true
    description: The organization id
    type: string
  - name: userId
    required: true
    description: The user id
    type: string
    indicators:
      - username
  - name: projectId
    description: The project id
    type: string
  - name: event
    required: true
    description: The event type
    type: string
  - name: created
    required: true
    description: The date and time of the event in rfc3339 standard format
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: content
    description: The content relating to the event
    type: json
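
The following is an added example, not Panther's or Snyk's own code: it checks raw audit records against the required fields and RFC 3339 `created` format in the schemas above, then flags service account creation or deletion. The event names in `WATCHED_EVENTS`, the helper names and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime

# Required fields, as listed in the Snyk.GroupAudit / Snyk.OrgAudit schemas above.
REQUIRED = ("groupId", "orgId", "userId", "event", "created")
# Assumed event names for "service account was created or deleted";
# confirm them against your own audit data before relying on them.
WATCHED_EVENTS = {"org.service_account.create", "org.service_account.delete"}

def validate(record):
    """Return a list of schema problems for one decoded audit record."""
    problems = [f"missing required field: {name}" for name in REQUIRED
                if not isinstance(record.get(name), str) or not record[name]]
    created = record.get("created")
    if isinstance(created, str) and created:
        try:
            # RFC 3339 timestamps carry an offset; "Z" means UTC.
            parsed = datetime.fromisoformat(created.replace("Z", "+00:00"))
            if parsed.tzinfo is None:
                problems.append("created has no UTC offset")
        except ValueError:
            problems.append("created is not an RFC 3339 timestamp")
    return problems

def triage(lines):
    """Split raw JSON lines into (alerts, rejected) using the schema and watch list."""
    alerts, rejected = [], []
    for number, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            rejected.append((number, ["not valid JSON"]))
            continue
        problems = validate(record) if isinstance(record, dict) else ["not a JSON object"]
        if problems:
            rejected.append((number, problems))
        elif record["event"] in WATCHED_EVENTS:
            alerts.append((record["created"], record["userId"], record["event"]))
    return alerts, rejected

# Constructed sample records (not real Snyk output; ids and event names are placeholders).
SAMPLE = [
    '{"groupId":"g-1","orgId":"o-1","userId":"u-7","event":"org.service_account.create","created":"2024-01-15T09:30:00Z","content":{"name":"ci-bot"}}',
    '{"groupId":"g-1","orgId":"o-1","userId":"u-2","event":"user.logged_in","created":"2024-01-15T09:31:00Z"}',
    '{"groupId":"g-1","orgId":"o-1","event":"org.service_account.delete","created":"2024-01-15 09:32"}',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The third sample record is rejected rather than alerted on: it lacks `userId` and its timestamp has no offset, so a watched event can be missed if records are dropped for schema violations without being reviewed.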