How Licensing Works

Document created by RSA Information Design and Development on Sep 13, 2017Last modified by RSA Information Design and Development on Sep 11, 2018
Version 14Show Document
  • View in full screen mode

After you have installed the NetWitness Platform software and the required services, you need to acquire the relevant licenses for the each of the services or a group of services based on your requirements. RSA NetWitness Platform version 11.0 or later entitlement uses a trust-based licensing model. Appliances continue to function as usual even when the license is out-of-compliance.

Choosing a License Type

The type of license you choose is based on your network requirements. The following types of licenses are available in RSA NetWitness Platform 11.0 or later :

  • Throughput License
  • Appliance License
  • UEBA (User and Entity Behavior Analytics)

Here is a chart, followed by a description of each license type available for the NetWitness Platform products and services, which will enable you choose a suitable license.

Throughput License

Throughput license is based on amount of data used per day for logs (SIEM), or network packets (network monitoring) or malware.

The throughput per day is measured in Gigabytes per day for logs, in Terabytes per day for packets and as number of users. The total amount of throughput per day is selected based on the total amount of throughput per day that is being licensed across your entire enterprise deployment of NetWitness Platform.

Appliance License

NetWitness Platform supports the Appliance license, which is applicable to all hosts that require a license. You do not need to manually activate licensing for any services that are version 11.0 or later. Other services do not require a license.

Examine Decoder Service Usage Statistics in the Explore View

The Decoder has service usage statistics that can help you determine the best way to manage packet traffic, so that the Decoder is kept within the usage limits allowed by its license. These statistics are located in the /decoder/stats folder for each Decoder service, and you can see them in Administration > Explore view.

  • capture.netfilter.bytes: This statistic tracks the total size of packets that were filtered out due to matching network rules. Packets are only considered filtered at this stage if the network rule specifies that the packets will not be assembled into sessions.
  • capture.appfilter.bytes: This statistic tracks the total size of bytes removed from the packet stream due to application rule actions. Application rules may filter packet. If an application rule filters packets, the entire packet is dropped from the collection. If the packet is truncated, the packet payload as well as the header is stored. This statistics counts up how many bytes are dropped from entire packets.
  • capture.processed.bytes: This statistic is equal to the total bytes processed, minus any bytes counted in the capture.appfilter.bytes or capture.netfilter.bytes statistics.

User and Entity Behavior Analytics License

NetWitness Platform supports the User and Entity Behavior Analytics License (UEBA). This license is used based on the number of users.

Out-of-the-Box Trial License

RSA NetWitness Platform version 11.0 or later comes with an OOTB 90-days trial license .

In case of UEBA licenses, the 90-day trial period begins from the time the UEBA service deployed on the NetWitness Platform product.

License Measurement

Here is how the license usage is measured:

Throughout License Measurement

  • License usage is based on the amount of data throughput per day.
  • Throughput is measured in Gigabytes (GB) per day for Log Decoders, in Terabytes (TB) per day for Network Decoders, and in Terabytes (TB) per day for Malware Analysis.
  • Usage is measured as an aggregate of all throughput services. For example, a Log DecoderDecoder can be licensed for 50 GB per day. Customers are allowed to use multiple Log Decoderunder the same license.

  • Throughput license usage statistics are available in PNG or PDF formats for export.
  • Throughput licenses can be purchased as subscription of perpetual, such as Netmon or Network, or Decoder are offered in 1 TB increments
  • SIEM or Log Decoder offered in 50 GB increments
  • Malware Analysis offered in 1 TB increments on a per-day average usage.

Appliance License Measurement

  • Services are licensed automatically if you have a valid appliance based license for a specific service to be licensed.
  • Appliance license provides unlimited usage and expires based on the maintenance date or contract date of the license.

UEBA License Measurement

  • Number of active users per day in UEBA.

You are here
Table of Contents > License Types