Skip to content

snyk: fix audit_logs event type filter being silently ignored#18902

Merged
kcreddy merged 4 commits intoelastic:mainfrom
kcreddy:snyk-fix-events_filter
May 11, 2026
Merged

snyk: fix audit_logs event type filter being silently ignored#18902
kcreddy merged 4 commits intoelastic:mainfrom
kcreddy:snyk-fix-events_filter

Conversation

@kcreddy
Copy link
Copy Markdown
Contributor

@kcreddy kcreddy commented May 8, 2026
edited
Loading

Proposed commit message

snyk: fix audit_logs event type filter

The Handlebars template stores the user's event filter config as
state.event_filter, but the CEL program read state.events_filter
(note the extra 's'). The optional field access returned none,
so the "events" query parameter was never included in the API
request, so event filtering was silently ignored.

Additionally, format_query() on a list produces repeated keys
(events=a&events=b). The Snyk API documents the parameter as a
comma-separated list, so the fix joins the list into a single
value (events=a,b).

Snyk's OpenAPI spec names the parameter "event" (singular), but
live testing confirms the API only honours "events" (plural) —
"event" is silently ignored. The migration guide also documents
the plural form:
https://docs.snyk.io/snyk-api/api-end-of-life-eol-process-and-migration-guides/guides-to-migration/search-audit-logs-group-and-org-v1-api-to-ga-rest-audit-logs-api-migration-guide

Tested against a live Snyk org endpoint with mito, confirming
the filter now correctly narrows results.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

Newly added system tests (with event option) passes:

--- Test results for package: snyk - START ---
╭─────────┬─────────────┬───────────┬──────────────┬────────┬───────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME    │ RESULT │  TIME ELAPSED │
├─────────┼─────────────┼───────────┼──────────────┼────────┼───────────────┤
│ snyk    │ audit_logs  │ system    │ event-filter │ PASS   │ 46.624782375s │
╰─────────┴─────────────┴───────────┴──────────────┴────────┴───────────────╯
--- Test results for package: snyk - END   ---
Done

Related issues

kcreddy added 2 commits May 8, 2026 20:06
@kcreddy
snyk: fix audit_logs event type filter being silently ignored
9e1d588 
The CEL program reads state.events_filter (plural) but the state
template stores the configured event types under event_filter
(singular). The key mismatch means the filter is never applied and
all event types are collected regardless of user configuration. The problem was introduced in elastic#10073

Fix the CEL query parameter reference to use the correct key.

Fixes elastic#18653
@kcreddy
Add system test
c486df9
@kcreddy kcreddy self-assigned this May 8, 2026
@kcreddy kcreddy added Integration:snyk Snyk bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels May 8, 2026
@kcreddy kcreddy marked this pull request as ready for review May 8, 2026 14:43
@kcreddy kcreddy requested a review from a team as a code owner May 8, 2026 14:43
@infra-vault-gh-plugin-prod
Copy link
Copy Markdown

infra-vault-gh-plugin-prod Bot commented May 8, 2026

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod
Copy link
Copy Markdown

elastic-vault-github-plugin-prod Bot commented May 8, 2026

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@efd6 efd6 mentioned this pull request May 11, 2026
Closed
5 tasks
efd6
efd6 reviewed May 11, 2026
View reviewed changes
Comment thread packages/snyk/data_stream/audit_logs/agent/stream/cel.yml.hbs Outdated
:
optional.none(),
?"events": state.?events_filter,
?"events": state.?event_filter,
Copy link
Copy Markdown
Contributor

@efd6 efd6 May 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you take the change from here? You have a test which I don't so let's use your PR. You can grab text from the commit message if you want.

(I did not see that you had sent this.)

Copy link
Copy Markdown
Contributor Author

@kcreddy kcreddy May 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in 26e7f64 and updated commit message accordingly. Thanks!

efd6
efd6 approved these changes May 11, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@elasticmachine
Copy link
Copy Markdown

elasticmachine commented May 11, 2026

💚 Build Succeeded

History

cc @kcreddy

@kcreddy kcreddy merged commit c67ca76 into elastic:main May 11, 2026
9 checks passed
@elastic-vault-github-plugin-prod
Copy link
Copy Markdown

elastic-vault-github-plugin-prod Bot commented May 11, 2026

Package snyk - 3.4.3 containing this change is available at https://epr.elastic.co/package/snyk/3.4.3/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@efd6 efd6 efd6 approved these changes

Assignees

@kcreddy kcreddy

Labels

bugfix Pull request that fixes a bug issue Integration:snyk Snyk Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[bug-hunter] Snyk audit_logs event filter is ignored due to state key mismatch

3 participants

@kcreddy @elasticmachine @efd6