Snyk Logs

Panther supports pulling logs directly from Snyk

Overview

Panther fetches Snyk audit logs by querying the Snyk Audit API and specifically monitors the following Snyk events:

  • User logged in and out of Snyk

  • User's role was changed in Snyk

  • License policy was modified and by whom

  • Service account was created or deleted

Note that a latency of up to 24 hours is possible, because Snyk audit and group logs are paginated. To avoid duplicate or lost data, Panther pulls Snyk logs once a day, covering a fixed window.
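The once-a-day, paginated pull described above, written out as an added example (this is not Panther's or Snyk's own code). It walks the audit pages for the previous UTC calendar day and drops repeats that appear when a page boundary shifts between calls. Assumptions, labelled in the code: the Snyk v1 audit endpoint is `POST {base}/org/{orgId}/audit` with `from`, `to`, `page` and `sortOrder` query parameters, a JSON body of filters, an `Authorization: token <KEY>` header, and a JSON array of events per page with an empty array meaning no more pages. The page fetcher is injected so the pager can run offline against a constructed fake.

```python
"""Added example, not Panther's or Snyk's own code: pull one calendar day of
Snyk audit events page by page and drop repeats. The endpoint shape, query
parameters and auth header below are assumptions from the Snyk v1 API docs."""
from __future__ import annotations

import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, Iterator

SNYK_API = "https://api.snyk.io/v1"  # assumed base URL for the Snyk v1 API

FetchPage = Callable[[str, str, int], list]


def snyk_http_fetcher(token: str, org_id: str) -> FetchPage:
    """Build a live page fetcher. The token travels only in a header, never in the URL."""
    def fetch_page(start: str, end: str, page: int) -> list:
        url = f"{SNYK_API}/org/{org_id}/audit?from={start}&to={end}&page={page}&sortOrder=ASC"
        req = urllib.request.Request(
            url,
            data=json.dumps({"filters": {}}).encode(),  # no filters: every event in the window
            headers={"Authorization": f"token {token}", "Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch_page


def daily_window(now: datetime) -> tuple[str, str]:
    """Previous UTC calendar day as (from, to) date strings. A fixed, already-closed
    day is what makes a once-a-day pull replayable without overlap; polling a day
    that is still being written is where duplicates and gaps come from."""
    end = now.astimezone(timezone.utc).replace(hour=0, minute=0, second=0, microsecond=0)
    start = end - timedelta(days=1)
    return start.strftime("%Y-%m-%d"), end.strftime("%Y-%m-%d")


def iter_audit_events(fetch_page: FetchPage, start: str, end: str,
                      max_pages: int = 1000) -> Iterator[dict]:
    """Walk pages from 1 until an empty page; cap the walk so a misbehaving API cannot spin forever."""
    for page in range(1, max_pages + 1):
        events = fetch_page(start, end, page)
        if not events:
            return
        yield from events
    raise RuntimeError(f"more than {max_pages} pages for {start}..{end}; refusing to continue")


def dedupe(events: Iterable[dict]) -> list[dict]:
    """Drop exact repeats, keyed on the schema fields that identify one audit event."""
    seen: set = set()
    unique: list[dict] = []
    for ev in events:
        key = (ev.get("created"), ev.get("userId"), ev.get("event"),
               json.dumps(ev.get("content"), sort_keys=True))
        if key in seen:
            continue
        seen.add(key)
        unique.append(ev)
    return unique


def pull_day(fetch_page: FetchPage, now: datetime) -> list[dict]:
    """One daily pull: fixed window, all pages, duplicates removed."""
    start, end = daily_window(now)
    return dedupe(iter_audit_events(fetch_page, start, end))


# Constructed sample pages (not real Snyk data): two pages, one event repeated across them.
_SAMPLE_PAGES = {
    1: [
        {"orgId": "org-1", "userId": "u-1", "event": "org.user.role.edit",
         "created": "2024-05-01T08:00:00.000Z", "content": {"role": "admin"}},
        {"orgId": "org-1", "userId": "u-2", "event": "org.service_account.create",
         "created": "2024-05-01T09:30:00.000Z", "content": {"name": "ci-bot"}},
    ],
    2: [
        {"orgId": "org-1", "userId": "u-2", "event": "org.service_account.create",
         "created": "2024-05-01T09:30:00.000Z", "content": {"name": "ci-bot"}},
        {"orgId": "org-1", "userId": "u-1", "event": "org.service_account.delete",
         "created": "2024-05-01T17:45:00.000Z", "content": {"name": "ci-bot"}},
    ],
}

SAMPLE_NOW = datetime(2024, 5, 2, 6, 0, tzinfo=timezone.utc)  # constructed "now" for the fake run


def fake_fetch_page(start: str, end: str, page: int) -> list:
    """Stand-in for the HTTP fetcher; returns [] past the last page, as the real API is assumed to."""
    return _SAMPLE_PAGES.get(page, [])


if __name__ == "__main__":
    for ev in pull_day(fake_fetch_page, SAMPLE_NOW):
        print(ev["created"], ev["event"], ev["userId"])
```

Swap `fake_fetch_page` for `snyk_http_fetcher(token, org_id)` to run against a real organization; keep the service-account token read-only (Group Viewer) as the onboarding steps advise, since this poller never needs write access.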

How to onboard Snyk logs to Panther

Prerequisites

Step 1: Generate an API token in Snyk

  1. Go to Account Settings > General.

  2. Locate the "Auth Token" section. In the KEY field, click "click to show", then select and copy the value in that field. Store it in a secure location; you will need it in the next steps.

To set an API token to be read-only and unable to write to the platform, use a service account and set it to Group Viewer. For more information see Snyk's Service accounts documentation.

Step 2: Create a new Snyk log source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Select Snyk from the list of available log sources. Click Start Setup.

  4. On the next screen, enter a descriptive name for the source, e.g. My Snyk logs.

  5. Click Setup.

  6. On the Set Credentials page, fill in the form:

    • Enter your Snyk organization ID.

    • Paste the API token from your Snyk account into the API token field.

  7. Click Setup. You will be directed to a success screen that reads, "Everything looks good! Panther will now automatically pull & process logs from your account".
    • You can optionally enable one or more Detection Packs.

    • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.


Supported log types

Required fields in the schemas are listed as "required: true" just below the "name" field.

Snyk.GroupAudit

Snyk.GroupAudit holds group-level audit events.

Reference: https://snyk.docs.apiary.io/#reference/audit-logs

schema: Snyk.GroupAudit
parser:
  native:
    name: Snyk.GroupAudit
description: Audit logs of your group.
referenceURL: https://snyk.docs.apiary.io/#reference/audit-logs/get-group-level-audit-logs
fields:
  - name: groupId
    description: The group id
    type: string
  - name: orgId
    required: true
    description: The organization id
    type: string
  - name: userId
    required: true
    description: The user id
    type: string
    indicators:
      - username
  - name: projectId
    description: The project id
    type: string
  - name: event
    required: true
    description: The event type
    type: string
  - name: created
    required: true
    description: The date and time of the event in rfc3339 standard format
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: content
    description: The content relating to the event
    type: json

Snyk.OrgAudit

Snyk.OrgAudit holds organization-level audit events.

Reference: https://snyk.docs.apiary.io/#reference/audit-logs

schema: Snyk.OrgAudit
parser:
  native:
    name: Snyk.OrgAudit
description: Audit logs of your organization.
referenceURL: https://snyk.docs.apiary.io/#reference/audit-logs/organization-level-audit-logs/get-organization-level-audit-logs
fields:
  - name: groupId
    description: The group id
    type: string
  - name: orgId
    description: The organization id
    type: string
  - name: userId
    required: true
    description: The user id
    type: string
    indicators:
      - username
  - name: projectId
    description: The project id
    type: string
  - name: event
    required: true
    description: The event type
    type: string
  - name: created
    required: true
    description: The date and time of the event in rfc3339 standard format
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: content
    description: The content relating to the event
    type: json
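A Panther-style Python detection over Snyk.OrgAudit and Snyk.GroupAudit rows, added here as an example (it is not one of Panther's shipped Snyk rules). It uses only the schema fields above (event, userId, orgId, groupId, content) and flags the four event families the Overview says Panther monitors: logins and logouts, role changes, license policy changes, and service account creation or deletion. Assumptions, labelled in the code: Snyk event names follow a dotted "<scope>.<object>.<action>" form such as org.user.role.edit, the `role` key inside `content` is a guess, and the sample events are constructed.

```python
"""Added example, not a Panther-shipped rule: a Panther-style detection over
Snyk audit events. Event name suffixes and the content keys are assumptions;
the sample rows are constructed to match the Snyk.OrgAudit/GroupAudit schemas."""
from __future__ import annotations

# Suffixes that identify each monitored family (assumed names). Matching on the
# suffix lets one rule cover both org.* and group.* scoped events.
MONITORED = {
    "login": ("user.login", "user.logout"),
    "role_change": ("user.role.edit",),
    "license_policy": ("license_policy.",),  # create/edit/delete of a license policy
    "service_account": ("service_account.create", "service_account.delete"),
}

SEVERITY = {
    "service_account": "HIGH",    # long-lived credentials appeared or vanished
    "role_change": "MEDIUM",
    "license_policy": "MEDIUM",
    "login": "INFO",
}


def classify(event: dict) -> str | None:
    """Return the monitored family an event belongs to, or None if it is not watched."""
    name = event.get("event") or ""
    for family, needles in MONITORED.items():
        if any(n in name for n in needles):
            return family
    return None


def rule(event: dict) -> bool:
    """Panther entry point: alert on every event in a monitored family."""
    return classify(event) is not None


def severity(event: dict) -> str:
    """Panther entry point: severity by family, INFO for anything unexpected."""
    return SEVERITY.get(classify(event) or "", "INFO")


def title(event: dict) -> str:
    """Panther entry point: one line naming actor, action and scope (org or group)."""
    scope = event.get("orgId") or event.get("groupId") or "unknown scope"
    line = f"Snyk {event.get('event')} by user {event.get('userId')} in {scope}"
    content = event.get("content") or {}
    # content is free-form JSON; surface the new role when the (assumed) key is present.
    if classify(event) == "role_change" and isinstance(content, dict) and "role" in content:
        line += f" (new role: {content['role']})"
    return line


def dedup(event: dict) -> str:
    """Panther entry point: group repeated actions by the same actor and family into one alert."""
    return f"{event.get('userId')}:{classify(event)}"


def evaluate(events: list[dict]) -> list[tuple[str, str]]:
    """Run the rule over a batch; returns (severity, title) for every hit, in input order."""
    return [(severity(e), title(e)) for e in events if rule(e)]


# Constructed sample rows shaped like Snyk.OrgAudit / Snyk.GroupAudit (not real data).
SAMPLE_EVENTS = [
    {"orgId": "org-1", "userId": "u-1", "event": "org.user.role.edit",
     "created": "2024-05-01T08:00:00.000Z", "content": {"role": "admin"}},
    {"orgId": "org-1", "userId": "u-1", "event": "org.project.add",
     "created": "2024-05-01T08:05:00.000Z", "content": {}},
    {"groupId": "grp-1", "userId": "u-2", "event": "group.service_account.create",
     "created": "2024-05-01T09:30:00.000Z", "content": {"name": "ci-bot"}},
    {"orgId": "org-1", "userId": "u-3", "event": "org.user.login",
     "created": "2024-05-01T10:00:00.000Z", "content": {}},
    {"orgId": "org-1", "userId": "u-1", "event": "org.license_policy.edit",
     "created": "2024-05-01T11:00:00.000Z", "content": {}},
]


if __name__ == "__main__":
    for sev, text in evaluate(SAMPLE_EVENTS):
        print(sev, text)
```

Before relying on the suffixes, confirm the exact event names against what your own Snyk.OrgAudit and Snyk.GroupAudit tables actually contain; a suffix that never appears in your data is a silent gap, which is the same reason the "no events processed" alert from the onboarding steps is worth leaving on.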
