# Snyk Logs

## Overview

Panther can fetch Snyk audit logs by querying the [Snyk Audit API](https://snyk.docs.apiary.io/#reference/audit-logs). Panther specifically monitors the following Snyk events:

* User logged in and out of Snyk
* User's role was changed in Snyk
* License policy was modified and by whom
* Service account was created or deleted

Note that a latency of up to 24 hours is possible because of the pagination of the Snyk organization- and group-level audit logs. To avoid duplicate or lost data, Panther pulls Snyk logs once a day.
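As an added example (not code from this page and not one of Panther's managed Snyk rules), here is a Panther-style Python detection that runs over events shaped like the Snyk.GroupAudit and Snyk.OrgAudit schemas documented below and alerts on the service-account, role-change and policy events listed above. The Snyk event-name strings, the shape of `content`, and the `userId`-to-name map (standing in for a Panther Lookup Table) are assumptions and are labelled as such in the code; confirm the real event names against the Snyk Audit API reference before deploying.

```python
# Added example: a Panther-style detection over Snyk.GroupAudit / Snyk.OrgAudit
# events. Panther calls rule(), severity(), title(), dedup() and alert_context()
# with a dict-like event object; plain dicts are used here so it runs stand-alone.

# ASSUMPTION: these Snyk event-name strings are illustrative. Confirm the exact
# names in the Snyk Audit API reference for your account before deploying.
SERVICE_ACCOUNT_EVENTS = {
    "group.service_account.create",
    "group.service_account.delete",
    "org.service_account.create",
    "org.service_account.delete",
}
ROLE_EVENTS = {"group.user.role.edit", "org.user.role.edit"}
POLICY_EVENTS = {"group.policy.edit", "org.policy.edit"}
WATCHED_EVENTS = SERVICE_ACCOUNT_EVENTS | ROLE_EVENTS | POLICY_EVENTS

# ASSUMPTION: constructed userId -> name map standing in for a Panther Lookup
# Table. Real Snyk events carry only the user's UUID in userId.
USER_NAMES = {
    "11111111-1111-4111-8111-111111111111": "alice@example.com",
    "22222222-2222-4222-8222-222222222222": "bob@example.com",
}


def rule(event: dict) -> bool:
    """Fire on service-account, role and policy changes. Logins are ingested
    but deliberately not alerted on here: one alert per login is noise."""
    return event.get("event") in WATCHED_EVENTS


def severity(event: dict) -> str:
    """Service-account changes rank highest: a new service account is a new
    long-lived API token someone else now controls."""
    if event.get("event") in SERVICE_ACCOUNT_EVENTS:
        return "HIGH"
    return "MEDIUM"


def _actor(event: dict) -> str:
    user_id = event.get("userId") or "<unknown user>"
    return USER_NAMES.get(user_id, user_id)


def _scope(event: dict) -> str:
    # Group-level events are prefixed "group.", org-level events "org.".
    if str(event.get("event", "")).startswith("group."):
        return f"group {event.get('groupId')}"
    return f"org {event.get('orgId')}"


def title(event: dict) -> str:
    return f"Snyk: {_actor(event)} performed {event.get('event')} in {_scope(event)}"


def dedup(event: dict) -> str:
    """Collapse repeated identical changes by one actor into a single alert."""
    return f"{event.get('userId')}:{event.get('event')}"


def alert_context(event: dict) -> dict:
    return {
        "event": event.get("event"),
        "actor": _actor(event),
        "userId": event.get("userId"),
        "orgId": event.get("orgId"),
        "groupId": event.get("groupId"),
        "projectId": event.get("projectId"),
        "created": event.get("created"),
        "content": event.get("content"),  # raw Snyk payload, shape varies by event
    }


# Constructed sample events shaped like the Snyk.OrgAudit / Snyk.GroupAudit
# schemas on this page. IDs, timestamps and the content payload are made up.
SAMPLE_EVENTS = [
    {
        "event": "org.service_account.create",
        "userId": "11111111-1111-4111-8111-111111111111",
        "orgId": "aaaaaaaa-0000-4000-8000-000000000001",
        "created": "2023-08-03T16:33:30Z",
        "content": {"name": "ci-scanner"},
    },
    {
        "event": "group.user.role.edit",
        "userId": "22222222-2222-4222-8222-222222222222",
        "groupId": "bbbbbbbb-0000-4000-8000-000000000002",
        "created": "2023-08-03T16:40:00Z",
        "content": {},
    },
    {  # not a watched event: must not produce an alert
        "event": "org.project.test",
        "userId": "33333333-3333-4333-8333-333333333333",
        "orgId": "aaaaaaaa-0000-4000-8000-000000000001",
        "created": "2023-08-03T16:45:00Z",
    },
]


def run_samples(events=None) -> list:
    """Return (title, severity, dedup) for each event the rule fires on."""
    events = SAMPLE_EVENTS if events is None else events
    return [(title(e), severity(e), dedup(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

Run the file directly to see the two alerts the constructed samples produce, or drop the functions into a Panther rule file. In a real rule, nested fields in `content` should be read with `event.deep_get()` rather than chained `.get()` calls, and the UUID-to-name translation should come from a Panther Lookup Table rather than a hard-coded dict.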

## How to onboard Snyk logs to Panther

### Prerequisites

* To use the Snyk API, you must first get your API token from Snyk. For more information on using Snyk's API, see the [Snyk documentation: Authentication for API](https://docs.snyk.io/snyk-api-info/authentication-for-api).

### Step 1: Generate an API token in Snyk

1. Log in to [your Snyk account](https://app.snyk.io/account).
2. Go to **Account Settings > General.**
3. Locate the **API Token** section. In the **Key** field, click **Click to show**, then select and copy the value shown. Store it in a secure location, as you will need it in the next steps.\
   ![In Snyk, the API Token section is displayed. There is a field labeled "Key," and inside the field there is text that says "Click to show." On the right, there is a red button labeled "Revoke and Regenerate."](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FQFesgtajDzPt6km9aatV%2Fsnyk-api.png?alt=media\&token=73745408-66cf-44cb-860c-252775ac77b6)

{% hint style="info" %}
A personal API token carries every permission of the user who generated it. To use a token that is read-only and cannot write to the platform, create a service account with the Group Viewer role and use its token instead. For more information see [Snyk's Service accounts documentation](https://docs.snyk.io/enterprise-setup/service-accounts#set-up-a-group-or-organization-level-service-account).
{% endhint %}

### Step 2: Create a new Snyk log source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New.**
3. Select **Snyk** from the list of available log sources. Click **Start Setup.**
4. On the next screen, enter a descriptive name for the source, e.g. `My Snyk logs`.
5. Click **Setup.**
6. On the **Set Credentials** page, fill in the form:
   * Enter your Snyk organization ID.
   * Paste the API token from your Snyk account into the API token field.
7. Click **Setup**. You will be directed to a success screen:<br>

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FMTRmOqjJY878NPgsMe1B%2FScreenshot%202023-08-03%20at%204.33.30%20PM.png?alt=media&#x26;token=7cf48278-6e1f-455a-81aa-2d76388fbfa8" alt="The success screen reads, &#x22;Everything looks good! Panther will now automatically pull &#x26; process logs from your account&#x22;" width="281"><figcaption></figcaption></figure>

   * You can optionally enable one or more [Detection Packs](https://docs.panther.com/detections/panther-managed/packs).
   * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.<br>

     <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FyXM7rz58X1m3iNo3w69h%2FScreenshot%202023-08-03%20at%204.26.54%20PM.png?alt=media&#x26;token=586be93d-b2a0-4c03-aa07-098fbc524000" alt="The &#x22;Trigger an alert when no events are processed&#x22; toggle is set to YES. The &#x22;How long should Panther wait before it sends you an alert that no events have been processed&#x22; setting is set to 1 Day" width="320"><figcaption></figcaption></figure>

{% hint style="warning" %}
**Note:** Snyk audit events identify the actor and the affected scope only by ID (the `userId`, `orgId`, `groupId` and `projectId` fields in the schemas below), not by a human-readable name. Please [see our guide about using Lookup Tables](https://docs.panther.com/guides/using-lookup-tables-1password-uuids) (written for 1Password, but the same approach applies) to translate Universally Unique Identifier (UUID) values into human-readable names.
{% endhint %}

## Supported log types

{% hint style="info" %}
Required fields in the schemas are listed as **"required: true"** just below the "name" field.
{% endhint %}

### Snyk.GroupAudit

Group-level audit log events.

Reference: <https://snyk.docs.apiary.io/#reference/audit-logs>

```yaml
schema: Snyk.GroupAudit
parser:
  native:
    name: Snyk.GroupAudit
description: Audit logs of your group.
referenceURL: https://snyk.docs.apiary.io/#reference/audit-logs/get-group-level-audit-logs
fields:
  - name: groupId
    description: The group id
    type: string
  - name: orgId
    required: true
    description: The organization id
    type: string
  - name: userId
    required: true
    description: The user id
    type: string
    indicators:
      - username
  - name: projectId
    description: The project id
    type: string
  - name: event
    required: true
    description: The event type
    type: string
  - name: created
    required: true
    description: The date and time of the event in rfc3339 standard format
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: content
    description: The content relating to the event
    type: json
```

### Snyk.OrgAudit

Organization-level audit log events.

Reference: <https://snyk.docs.apiary.io/#reference/audit-logs>

```yaml
schema: Snyk.OrgAudit
parser:
  native:
    name: Snyk.OrgAudit
description: Audit logs of your organization.
referenceURL: https://snyk.docs.apiary.io/#reference/audit-logs/organization-level-audit-logs/get-organization-level-audit-logs
fields:
  - name: groupId
    description: The group id
    type: string
  - name: orgId
    description: The organization id
    type: string
  - name: userId
    required: true
    description: The user id
    type: string
    indicators:
      - username
  - name: projectId
    description: The project id
    type: string
  - name: event
    required: true
    description: The event type
    type: string
  - name: created
    required: true
    description: The date and time of the event in rfc3339 standard format
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: content
    description: The content relating to the event
    type: json
```
