Snyk Logs
Panther supports pulling logs directly from Snyk
Last updated
Panther supports pulling logs directly from Snyk
Last updated
Panther has the ability to fetch Snyk audit logs by querying the Snyk Audit API. Panther is specifically monitoring the following Snyk events:
User logged in and out of Snyk
User's role was changed in Snyk
License policy was modified and by whom
Service account was created or deleted.
Note that a latency of up to 24 hours is possible due to Snyk Audit and Group log pagination. To avoid duplicate or lost data, Panther pulls Snyk logs once a day.
To use the Snyk API, you must first get your API token from Snyk. For more information on using Snyk's API, see the Snyk documentation: Authentication for API.
Log in to your Snyk account.
Go to Account Settings > General.
To set an API token to be read-only and unable to write to the platform, use a service account and set it to Group Viewer. For more information see Snyk's Service accounts documentation.
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Select Snyk from the list of available log sources. Click Start Setup.
On the next screen, enter in a descriptive name for the source e.g. My Snyk logs
.
Click Setup.
On the Set Credentials page, fill in the form:
Enter in your Snyk's organization ID.
Paste the API token from your Snyk account into the API token field.
Click Setup. You will be directed to a success screen:
You can optionally enable one or more Detection Packs.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Note: By default, Snyk logs do not contain human-readable values for objects such as vaults and login credentials. Please see our guide about using Lookup Tables to translate Universally Unique Identifier (UUID) values into human-readable names.
Required fields in the schemas are listed as "required: true" just below the "name" field.
Snyk.GroupAudit item usage.
Reference: https://snyk.docs.apiary.io/#reference/audit-logs
Snyk.OrgAudit item usage.
Reference: https://snyk.docs.apiary.io/#reference/audit-logs
Locate the "Auth Token" section. In the KEY field, click click to show, then select and copy the value in that field. Store this in a secure location, as you will need it in the next steps.