Skip to content

snyk: fix audit_logs event type filter#18929

Closed
efd6 wants to merge 1 commit intoelastic:mainfrom
efd6:18653-snyk
Closed

snyk: fix audit_logs event type filter#18929
efd6 wants to merge 1 commit intoelastic:mainfrom
efd6:18653-snyk

Conversation

@efd6
Copy link
Copy Markdown
Contributor

@efd6 efd6 commented May 11, 2026
edited
Loading

`<!-- Type of change
Please label this PR with one of the following labels, depending on the scope of your change:

  • Bug
  • Enhancement
  • Breaking change
  • Deprecation
    -->

Proposed commit message

snyk: fix audit_logs event type filter

The Handlebars template stores the user's event filter config as
state.event_filter, but the CEL program read state.events_filter
(note the extra 's'). The optional field access returned none,
so the "events" query parameter was never included in the API
request, so event filtering was silently ignored.

Additionally, format_query() on a list produces repeated keys
(events=a&events=b). The Snyk API documents the parameter as a
comma-separated list, so the fix joins the list into a single
value (events=a,b).

Snyk's OpenAPI spec names the parameter "event" (singular), but
live testing confirms the API only honours "events" (plural) —
"event" is silently ignored. The migration guide also documents
the plural form:
https://docs.snyk.io/snyk-api/api-end-of-life-eol-process-and-migration-guides/guides-to-migration/search-audit-logs-group-and-org-v1-api-to-ga-rest-audit-logs-api-migration-guide

Tested against a live Snyk org endpoint with mito, confirming
the filter now correctly narrows results.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@efd6 efd6 self-assigned this May 11, 2026
@efd6 efd6 added Integration:snyk Snyk bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels May 11, 2026
@efd6
snyk: fix audit_logs event type filter
ba002b1 
The Handlebars template stores the user's event filter config as
state.event_filter, but the CEL program read state.events_filter
(note the extra 's'). The optional field access returned none,
so the "events" query parameter was never included in the API
request, so event filtering was silently ignored.

Additionally, format_query() on a list produces repeated keys
(events=a&events=b). The Snyk API documents the parameter as a
comma-separated list, so the fix joins the list into a single
value (events=a,b).

Snyk's OpenAPI spec names the parameter "event" (singular), but
live testing confirms the API only honours "events" (plural) —
"event" is silently ignored. The migration guide also documents
the plural form:
https://docs.snyk.io/snyk-api/api-end-of-life-eol-process-and-migration-guides/guides-to-migration/search-audit-logs-group-and-org-v1-api-to-ga-rest-audit-logs-api-migration-guide

Tested against a live Snyk org endpoint with mito, confirming
the filter now correctly narrows results.
@elastic-vault-github-plugin-prod
Copy link
Copy Markdown

elastic-vault-github-plugin-prod Bot commented May 11, 2026

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine
Copy link
Copy Markdown

elasticmachine commented May 11, 2026

💚 Build Succeeded

cc @efd6

@efd6 efd6 marked this pull request as ready for review May 11, 2026 04:25
@efd6 efd6 requested a review from a team as a code owner May 11, 2026 04:25
@infra-vault-gh-plugin-prod
Copy link
Copy Markdown

infra-vault-gh-plugin-prod Bot commented May 11, 2026

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@efd6 efd6 mentioned this pull request May 11, 2026
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@efd6 efd6

Labels

bugfix Pull request that fixes a bug issue Integration:snyk Snyk Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[bug-hunter] Snyk audit_logs event filter is ignored due to state key mismatch

2 participants

@efd6 @elasticmachine