Splunk + Azure RMS logs = Great insights!
Published Sep 08 2018 08:19 AM
First published on CloudBlogs on Feb 29, 2016

Once the Azure Rights Management service is enabled for your organization, every Azure RMS workflow is tracked in the “usage logs” of the service. These logs can be downloaded from the Microsoft-managed store to a repository of your choice (such as a database, an online analytical processing system, or a map-reduce system) for reporting and analysis.

Customers have often expressed a desire to integrate this functionality with their existing Operational Intelligence tools (such as Splunk). One of our partners, Keyon, recently delivered a Splunk app which enables customers to gain business and usage insights from the raw Azure RMS logs. Here’s our interview with Rene G. Eberhard, CEO of Keyon.

Dan: Hello Rene. Can you talk a little bit about Keyon and your role?

Rene: Hi Dan and thank you. Keyon AG is a leading provider in Switzerland of solutions and services in the area of IT-security and custom software development. The company has been operating since 1999 and has a number of excellent references of strategic projects for the Swiss government and customers in the area of finance, insurance, trade, industry, and telecommunication. Keyon has, in addition to the above-mentioned Splunk App for Azure RMS, also other products in its portfolio. Particularly noteworthy are the following products:
  • true-Xtender: Comprehensive solution for the issuance and management of X.509 certificates for the Microsoft PKI
  • true-Sign: Central service for electronic signatures which can be easily integrated on Windows Client-Systems and Workflow components such as Microsoft SharePoint.
I’m one of three founders of Keyon and as CEO also involved in strategic security projects of major customers. This gives me the chance to precisely understand the needs of our customers and to integrate them into our products or solutions.

Dan: That’s great! Can you share some details about the Azure RMS Splunk app? Where can I download it from, how do I install it and what are the requirements?

Rene: true-Xtended Reporting for Microsoft Azure RMS is a powerful solution to visualize Azure RMS events in Splunk®. It allows tracking user activities and usage trends, shows document and template usages, identifies potential data leakage, and much more in a powerful yet simple UI. The customer must use Azure RMS (which enables logging by default). In addition, he must have an instance of a Splunk server. true-Xtended Reporting for Microsoft Azure RMS is available as a freemium version.
  • The free version can be downloaded from the Splunkbase or from the Keyon website. Import and processing of Azure RMS log files takes place exclusively via PowerShell scripts. There’s no need to install an application. There is also step-by-step guidance in the Admin Manual.
  • The premium version can be ordered from Keyon (info@keyon.ch). It offers extended dashboards and correlates the RMS logs with other sources such as AD (Active Directory). That way RMS events can be correlated with organizational units, user attributes, locations or business cases. The import, processing, and correlation of Azure RMS log files takes place via the true-Xtended Data Engine application.

Dan: Do you have some sample reports which highlight the reporting capability?

Rene: All the reports of the free version are described in the presentation which can be found on our website. The example below shows the trend-line of the user- and administrator activities over a given time range. In addition the trend-line can be shown based on specific RMS events (e.g. Decrypt, AcquireLicense, etc.). Another example shows the distribution of RMS templates being used and the distribution of applications and operating systems using Azure RMS. The free version offers the following dashboards:
  • User- and Administrative Activities based on RMS events
  • Trend-line of user activities based on RMS events
  • Total active users
  • Distribution of successful and failed access requests to documents
  • Number of denied access requests by users
  • User activity reports
  • Distribution of the usage of RMS templates
  • Distribution of the operating systems using RMS
  • Distribution of the applications using RMS

Dan: Can customers download this for free?

Rene: Yes, the free version can be downloaded from the Splunkbase or from the Keyon website. To get an access code to our online demo you may send a request to info@keyon.ch.

Dan: If customers have further questions, how do they reach you? Is there a demo or documentation?

Rene: A presentation which describes the dashboard and the Admin Manual can be found on our website. Any questions can be sent to info@keyon.ch.

That's awesome, Rene. It was great partnering with you to build this solution and we highly encourage our customers to try out the Splunk integration using this plug-in.