› ›

Snyk module

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

This is a module for ingesting data from the different Snyk API Endpoints. Currently supports these filesets:

vulnerabilities fileset: Collects all found vulnerabilities for the related organizations and projects
audit fileset: Collects audit logging from Snyk, this can be actions like users, permissions, groups, api access and more.

When you run the module, it performs a few tasks under the hood:

Sets the default paths to the log files (but don’t worry, you can override the defaults)
Makes sure each multiline log event gets sent as a single event
Uses an Elasticsearch ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana

Read the quick start to learn how to configure and run modules.

Configure the module

edit

You can further refine the behavior of the snyk module by specifying variable settings in the modules.d/snyk.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

Variable settings

edit

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the snyk module uses the defaults.

For advanced use cases, you can also override input settings. See Override input settings.

When you specify a setting at the command line, remember to prefix the setting with the module name, for example, snyk.audit.var.paths instead of audit.var.paths.

`audit` fileset settings

edit

To configure access for Filebeat to the Snyk Audit Log API you will have to generate an API access token as described in the Snyk Documentation

Example config:

- module: snyk
  audit:
    var.input: httpjson
    var.audit_type: organization
    var.audit_id: 1235432-asdfdf-2341234-asdgjhg
    var.interval: 1h
    var.api_token: 53453Sddf8-7fsf-414234gfd-9sdfb7-5asdfh9f8e342

There is also multiple optional configuration options that can be used to filter out unwanted content, an example below:

- module: snyk
  audit:
    var.input: httpjson
    var.audit_type: organization
    var.audit_id: 1235432-asdfdf-2341234-asdgjhg
    var.interval: 1h
    var.api_token: 53453Sddf8-7fsf-414234gfd-9sdfb7-5asdfh9f8e342
    var.email_address: "test@example.com"

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log/*/*.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.first_interval: How far to look back the first time the module starts, this supports values in full days (24h, 48h etc).
var.audit_type: What audit type to collect, can be either "group" or "organization".
var.audit_id: The ID related to the audit_type. If audit type is group, then this value should be the group ID, or if it is organization it should be the organization ID to collect from.
var.api_token: The API token that is created for a specific user, found in the Snyk management dashboard.
var.project_id: Optional field for filtering, will return only logs for this specific project.
var.user_id: Optional field for filtering, user public ID. Will fetch only audit logs originated from this user’s actions.
var.event: Optional field for filtering, will return only logs for this specific event.
var.email_address: Optional field for filtering, User email address. Will fetch only audit logs originated from this user’s actions.

Snyk Audit Log ECS Fields

edit

This is a list of Snyk Audit Log fields that are mapped to ECS.

Snyk Audit log fields	ECS Fields
groupId	user.group.id
userId	user.id
event	event.action
created	@timestamp

`vulnerabilities` fileset settings

edit

To configure access for Filebeat to the Snyk Vulnerabilities API you will have to generate an API access token as described in the Snyk Documentation

Example config:

- module: snyk
  vulnerabilities:
    var.input: httpjson
    var.interval: 24h
    var.api_token: 53453Sddf8-7fsf-414234gfd-9sdfb7-5asdfh9f8e342
    var.orgs:
      - 12354-asdfdf-123543-asdsdfg
      - 76554-jhggfd-654342-hgrfasd

There is also multiple optional configuration options that can be used to filter out unwanted content, an example below:

- module: snyk
  vulnerabilities:
    var.input: httpjson
    var.interval: 24h
    var.api_token: 53453Sddf8-7fsf-414234gfd-9sdfb7-5asdfh9f8e342
    var.orgs:
      - 12354-asdfdf-123543-asdsdfg
      - 76554-jhggfd-654342-hgrfasd
    var.included_severity:
      - medium
      - high
    var.types:
      - vuln

var.paths: An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log/*/*.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.first_interval: How far to look back the first time the module starts, this supports values in full days (24h, 48h etc).
var.api_token: The API token that is created for a specific user, found in the Snyk management dashboard.
var.orgs: The list of org IDs to filter the results by. One organization ID per line, starting with a - sign
var.included_severity: Optional list of fields for filtering, the severity levels of issues to filter the results by.
var.exploit_maturit: Optional list of fields for filtering, the exploit maturity levels of issues to filter the results by.
var.types: Optional list of fields for filtering, the type of issues to filter the results by.
var.languages: Optional list of fields for filtering, the type of languages to filter the results by.
var.identifier: Optional field for filtering, search term to filter issue name by, or an exact CVE or CWE.
var.ignored: Optional field for filtering, If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
var.patched: Optional field for filtering, If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
var.fixable: Optional field for filtering, If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
var.is_fixed: Optional field for filtering, If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
var.is_patchable: Optional field for filtering, If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
var.is_pinnable: Optional field for filtering, If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
var.min_priority_score: Optional field for filtering, The minimum priority score ranging between 0-1000
var.max_priority_score: Optional field for filtering, The maximum priority score ranging between 0-1000

Snyk Audit Log ECS Fields

edit

This is a list of Snyk Vulnerability fields that are mapped to ECS.

Fields

edit

For a description of each field in the module, see the exported fields section.

« Santa module Sophos module »

Snyk module

Snyk module

Configure the module

Variable settings

audit fileset settings

Snyk Audit Log ECS Fields

vulnerabilities fileset settings

Snyk Audit Log ECS Fields

Fields

`audit` fileset settings

`vulnerabilities` fileset settings