Using Skytap Webhooks with Microsoft Azure

The Skytap webhook service is a powerful feature, yet on first glance can be a bit intimidating. A webhook is a method used for one application to talk to another. In our case, the Skytap webhook service can send audit data and usage data to other applications. For example, suppose you want to be notified on run state changes for specific environments or you want to be notified on failed logins; you can use webhooks to address these as well as other needs. This article provides a sample implementation using Microsoft Azure services to receive, process, report, and alert on webhook data.

To act on webhook data I will use a few native Azure services and use Azure Log Analytics as the foundation. This is where the webhook data is stored and can be queried, used for alerting, and surfaced on dashboards. An Azure Function is used to receive the webhook data and write it to a Log Analytics workspace. Lastly, an Azure Dashboard is used to provide a visual representation of the webhook data.

Here is an illustration of the flow of data:

Azure Log Analytics

The Azure documentation provides details on creating a new Log Analytics workspace. You can find more information here: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-platform-logs. The HTTP Data Collector API is used to post the webhook data from the Azure Function to the log workspace. The data goes into a custom log table for each audit and usage data. This Azure help article provides the details on using the HTTP Data Collector API including sample code: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api

Azure Function

Skytap webhooks send data formatted as JSON. You can create separate Azure functions to receive and process audit and usage data respectively or you can create a single Azure Function to receive both and send each to their respective table in Log Analytics. If you create a single function, you will need to interrogate the webhook data to determine if it is audit or usage data and then send it to the right log table. Use the “category” attribute to determine which type of data you are dealing with (“category”: “auditing” or “category”: “usage”), and then send the data to the appropriate log table. Writing, testing, and deploying an Azure function is beyond the scope of this blog article. The Azure documentation does a good job explaining how to do this and using Visual Studio to write and deploy your webhook keeps things simple.

The sample code in the Azure documentation for using the HTTP Data Collector API is a good starting point. The Azure function can be broken down into the following sections described below: constants, main function, and posting data. For simplicity I removed all error handling and logging information. You will want to be sure to include this in your version.

Constants

Here you will include the required authentication information (customer id and shared key) for accessing your instance of Log Analytics. You also will want to set the name for each log table to use. For example, I named mine SkytapMySkytapAccountAudit and SkytapMySkytapAccountUsage, where I replaced MySkytapAccount with the name of the Skytap account that is pushing data to this end point. This keeps things nice and neat, and allows me to trace back to the source of the data.

Main Function

In this section I set the timestamp field for the record, parse the JSON to determine if I have Audit or Usage data and set the log table, build the API signature, and then pass it to the post method.

Posting Data

In this method, the request headers are created and the webhook data is posted to the data collector end point.

Querying Log Data

The Kusto Query Language (KQL) is the query language used to query the logs. The webhook data will be saved in custom log tables, meaning you will need to write your own queries for retrieving and reporting on the data. For more information on the Log Analytics workspace and KQL, refer to the Azure Help documentation: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-overview

Querying Audit data is straight forward. You will want to explore the JSON to identify what events and attributes you care about.

Querying usage data is a bit more complex as the usage data is timeseries data. An event is created each time something changes state; for example, each time an environment is created, started, stopped, and deleted. Here is a sample KQL for reporting on storage usage across all regions. The KQL also converts the region name to a friendly name.

Here is a chart produced by the KQL followed by the query.

SkytapPacRetailUsage_CL | where TimeGenerated > ago(30d) | extend id_ = toint(parse_json(payload_s)[0].id) | extend type_ = tostring(parse_json(payload_s)[0].type) | extend region_ = tostring(parse_json(payload_s)[0].region) | extend start_time_arr = extract_all(@"([0-9]{4})\/([0-9]{2})\/([0-9]{2})\s([0-9]{2}):([0-9]{2}):([0-9]{2})", tostring(parse_json(payload_s)[0].start_time)) | extend start_time_ = make_datetime(toint(start_time_arr[0][0]), toint(start_time_arr[0][1]), toint(start_time_arr[0][2]), toint(start_time_arr[0][3]), toint(start_time_arr[0][4]), toint(start_time_arr[0][5])) | extend end_time_arr = extract_all(@"([0-9]{4})\/([0-9]{2})\/([0-9]{2})\s([0-9]{2}):([0-9]{2}):([0-9]{2})", tostring(parse_json(payload_s)[0].end_time)) | extend end_time_ = coalesce(make_datetime(toint(end_time_arr[0][0]), toint(end_time_arr[0][1]), toint(end_time_arr[0][2]), toint(end_time_arr[0][3]), toint(end_time_arr[0][4]), toint(end_time_arr[0][5])), now()) | extend value_ = toint(parse_json(payload_s)[0].value) | extend TypeNew_ = case(type_ == 'svms', "x86 Metered RAM", type_ == 'svms_power', "Power Metered RAM", "storage") | extend FriendlyRegion_ = case(region_ == 'prod/amm1r1', 'NL-Amsterdam-M-1', region_ == 'prod/dal1r1', 'US-Central', region_ == 'prod/fri1r1', 'DE-Frankfurt-I-1', region_ == 'prod/lon1r1', 'EMEA', region_ == 'prod/sgm1r1', 'SG-Singapore-M-1', region_ == 'prod/slg1r1', 'US-East', region_ == 'prod/syi1r1', 'AU-Sydney-I-1', region_ == 'prod/tor1r1', 'CAN-Toronto', region_ == 'prod/tuk1r1', 'US-West', region_ == 'prod/vam1r1', 'US-Virginia-M-1', region_ == 'prod/wbd1r1', 'US-East-2', region_ == 'prod/txm1r1', 'US-Texas-M-1', region_) | extend region_type_ = strcat(TypeNew_, '/', FriendlyRegion_) | where type_ == 'storage_size' | summarize arg_max(TimeGenerated, *) by id_ | mv-expand samples = range(bin(start_time_, 1d), end_time_ , 1d) | summarize usage = sum(value_) by bin(todatetime(samples),1d), region_type_ | where samples > ago(30d)

Once the data is flowing from Skytap to your Log Analytics workspace you can create charts for your Azure Dashboard and setup alters.

Notifications

Alerting is a power capability of Log Analytics. You will want to think about which types of conditions you care about most and build alerts for these. You can create custom alerts which fire based on certain conditions. Alerts can generate email or an SMS text message. For example, I created this alert to email each time a failed login attempt is detected. Here is the KQL to capture this condition.

SkytapPacRetailAudit_CL | extend type_code_ = tostring(parse_json(payload_s)[0].type_code) | where type_code_ == "FailedUserLoginHistory"

Dashboards

Each query you create can be added to an Azure Dashboard, and you can include the data in a table format or as a chart. Below is a snippet of a dashboard I created to track logins, environment creation, delete, and run operations. You can also add usage charts to your dashboard.

Skytap Webhooks

Webhooks are disabled by default. Once you have deployed your Azure function you will need to enable each Skytap webhook to post data to your Azure function or functions. These help topics guide you through enabling and configuring the webhooks: enabling and configuring auditing and usage data webhooks in the Skytap Help documentation. When you configure the Azure Function you’ll have the option of using the default Azure certificate or deploying your own.

Configure Skytap to call the Azure Function:

Get the URL for the Function
- This will look like https://[FunctionAppName].azurewebsites.net
Append the FunctionName to create the fully qualified URL
- This will look like https:// [FunctionAppName].azurewebsites.net/api/[FunctionName]
In the Skytap portal navigate to Account Settings
Enable the webhook and post the fully qualified URL in the webhook address field.
You will need to create a certificate specific to your Azure Function or use the built-in certificate. To retrieve the certificate you can use the following command:
- openssl s_client -showcerts -connect {webhookserver}:{port} </dev/null 2>/dev/null | openssl x509 -outform PEM

Summary

Skytap tracks and logs over 200 audit events, and we are constantly adding more. Integrating Skytap Webhooks with Azure Log Analytics creates a power tool to report, monitor, and alert on your Skytap usage. If you are using Skytap on Azure, Skytap on IBM Cloud, or both, you can be alerted if someone unlocks a critical environment, changes an important account setting, or adds a public IP address to a VM. Constant monitoring and alerting are key to successfully running applications in the cloud.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
cookielawinfo-checkbox-non-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
cookielawinfo-checkbox-preferences	1 year	This cookie is set by the GDPR Cookie Consent plugin to check if the user has given consent to use cookies under the "Preferences" category.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
55d66ab20f0ad28a_cfid	2 years	Set by ChatFunnels to store chat sessions
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
sc_anonymous_id	9 years	Cookie is placed by SoundCloud to provide functions across pages.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc		The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle the request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.
_gat_UA-4086838-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_uetsid	1 day	Bing Ads sets this cookie to engage with a user that has previously visited the website.
_uetvid	1 year 24 days	Bing Ads sets this cookie to engage with a user that has previously visited the website.
YSC		This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_gcl_au	2 months	This cookie is placed by Google Tag Manager to place and track conversions.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
_uv_id	2 years	Slideshare: Collects data on the user's visits to the website, such as which pages have been read.
browser_id	5 years	This cookie is used for identifying the visitor browser on re-visit to the website.
bscookie	2 years	This cookie is placed by Linkedin to store performed actions on the website.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
GPS	30 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
li_sugr	2 months	This cookie is placed by Linkedin to store browser details.
lissc	1 year	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
MR	1 week	This cookie is used to measure the use of the website for analytics purposes.
pardot		The cookie is set when the visitor is logged in as a Pardot user.
undefined	never	Wistia sets this cookie to collect data on visitor interaction with the website's video-content, to make the website's video-content more relevant for the visitor.
vuid	2 years	Vimeo

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and also verify the clicks from ads on the Bing search engine. The cookie helps in reporting and personalization as well.
IDE	2 years	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
MUID	1 year	Used by Microsoft as a unique identifier. The cookie is set by embedded Microsoft scripts. The purpose of this cookie is to synchronize the ID across many different Microsoft domains to enable user tracking.
SRM_B	1 year	Bing.com
SRM_I	1 year	Bing.com
u	2 months	Collects data on user visits to the website, such as what pages have been accessed. The registered data is used to categorize the user's interest and demographic profiles in terms of resales for targeted marketing
uid	1 year	This cookie is used to measure the number and behavior of the visitors to the website anonymously. The data includes the number of visits, average duration of the visit on the website, pages visited, etc. for the purpose of better understanding user preferences for targeted advertisments.
UserMatchHistory	1 month	This cookie is place by Linkedin to enable ad delivery or retargeting.
VISITOR_INFO1_LIVE	5 months	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Using Skytap Webhooks with Microsoft Azure

Join our email list for news, product updates, and more.

Product

Company

Help

Cookie	Duration	Description
_clck	1 year	No description
_clsk	1 day	No description
AnalyticsSyncHistory	1 month	No description
CLID	1 year	No description
ingrammicro.com	1 hour	No description
li_gc	2 years	No description
loglevel	never	No description available.
original_req_url	past	No description
visitor_id869971	10 years	No description
visitor_id869971-hash	10 years	No description