How do I resolve "Source Snyk did not pass configuration check" when onboarding Snyk logs to Panther?

Issue

When trying to onboard Snyk logs to Panther, one of the following errors occur:

Source Snyk did not pass configuration check because: org-id provided is not scoped to api-token

Source Snyk did not pass configuration check because: snyk api token does not have required permissions to read group audit logs

Source Snyk did not pass configuration check because: snyk api token does not have required permissions to read group audit logs

Source your-snyk-source did not pass configuration check because: snyk api token does not have required permissions to read group audit logs

Resolution

To resolve this issue:

• Ensure that you create a Snyk Group level service account and select the Group Admin role.

  

• In Panther, ensure that you enter your Snyk Organization Id. This can be found in your Snyk settings shown below:

  

• To onboard a second Organization in Panther, you need to create two log sources, one for each Organization Id. In the configuration of the second source, select only SnykOrgAuditto avoid ingesting Group logs twice.

Optional:

• If you only want to onboard Organization logs and exclude Group logs, you can create a service account either in the Group settings or directly from the Organization settings. However, you will need to remove the SnykGroupAudit log types from the log source during onboarding, as the Organization service account only has access to the Organization audit logs, not the Group logs.

  

Cause

This issue occurs when your Snyk account is misconfigured:

• A Snyk account consists of one Group, and within each Group, there can be multiple organizations. However, Group audit logs do not include Organization audit logs. Panther uses different Snyk API endpoints to retrieve Group and Organization audit logs.

• The Group Viewer role does not have sufficient permissions to view the Organization audit logs.