After you have installed the NetWitness Platform software and the required services, you need to acquire the relevant licenses for the each of the services or a group of services based on your requirements. NetWitness Platformentitlement uses a trust-based licensing model. Appliances continue to function as usual even when the license is out-of-compliance.
Choosing a License Type
The type of license you choose is based on your network requirements. The following types of licenses are available in RSA NetWitness Platform:
- Throughput License
- Appliance License
- UEBA (User and Entity Behavior Analytics)
- Endpoint License
Here is a chart, followed by a description of each license type available for the NetWitness Platform products and services.
Throughput license are based on the amount of data used per day for logs (SIEM), or network packets (network monitoring) or malware.
The throughput per day are measured in Gigabytes per day for logs, and in Terabytes per day for packets. The total amount of throughput is selected based on the total amount of throughput per day that is being licensed across your entire enterprise deployment of NetWitness Platform. This license is measured as follows:
- License usage is based on the amount of data throughput per day.
- Throughput is measured in Gigabytes (GB) per day for Log Decoders, in Terabytes (TB) per day for Network Decoders, and in Terabytes (TB) per day for Malware Analysis.
Usage is measured as an aggregate of all throughput services. For example, a Log Decoder can be licensed for 50 GB per day. You can to use multiple Log Decoder under the same license.
- Throughput license usage statistics are available in PNG or PDF formats for export.
- Throughput licenses are offered as subscription of perpetual, are offered in 1 TB increments
- SIEM or Log Decoder offered in 50 GB increments.
- Malware Analysis throughput licenses are offered in 1 TB increments on a per-day average usage.
- Only if the aggregate usage of licenses exceeds, then a corresponding banner is displayed. For example, if you have a two Log Decoder throughput license, and each Log Decoder is entitled for 50 GB, the total entitlement for that service is 100 GB. If one Log Decoder exceeds usage by 10GB, and the other does not exceed the entitled usage and the total usage limit does not exceed 100 GB, then no banner is displayed, as the aggregate usage is calculated. For more information, see Out-of-Compliance Banner.
NetWitness Platform supports the Appliance license, which is applicable to all hosts that require a license. Other services do not require a license. Appliance licenses are measured as follows:
- Services are licensed automatically if you have a valid appliance based license for a specific service to be licensed.
- Appliance licenses can be purchased as a perpetual license that does not expire and will have a maintenance contract. If you purchase a subscription license, then it will expire if you do not renew the contract.
User and Entity Behavior Analytics Licenses
NetWitness Platform supports the User and Entity Behavior Analytics License (UEBA). This license is based on the number active of users.
Endpoint license are entitled based on the number of active agents deployed.
There are two types of Endpoint agents:
- Advanced Agents: The license for these agents is based on the number of advanced agents in your deployment. A 90-days trail license period is provided. After the 90-days trial period, a zero MB and zero Agent license is applied to the Log Decoder service and Endpoint service in the NetWitness Endpoint Log Hybrid. Once an Endpoint license is applied any Archivers, Brokers, Concentrators, and ESA are automatically licensed as a result. An usage exceeded banner is displayed when the license goes out-of-compliance in the following scenarios:
If the number of active agents exceeds the number of licensed agents.
An Endpoint Subscription is about to expire in immediate future or has expired.
For example, if you have purchased a license for 50k agents and if the number of agents exceeds more than 50k, the banner is displayed.
Or, if you have purchased a license for 50k agents but have mapped the entitlements for only 10k agents on myRSA, an out-of-compliance banner is displayed when your usage exceeds these 10k active agents.
- Insights Agents - There is no license required for these agents if they are used to collect only endpoint data.
Both Advanced and Insights Agents also have the ability to forward Windows Log data. This feature does require the logs to be sent to a licensed Log Decoder (or Hybrid) and will count against either the applied Throughput or Appliance license. Logs may also be retained in the NetWitness Endpoint Log Hybrid though in this case a Throughput license for Logs is required regardless of which Agent is being used.
- Log Collection with Endpoint Agents - All Endpoint agents (Advanced or Insights) can forward Windows Log data only to a licensed Log Decoder (or Hybrid). Windows Logs sent to a licensed Log Decoder (or Hybrid) will count against either the applied Throughput or Appliance license. Logs may
be retained in the NetWitness Endpoint Log Hybrid as long as a Log (SIEM) Throughput license with available capacity is available. In either case, a license for Logs is required, irrespective of the Insights or Advanced agent.
NetWitness Endpoint 4.4.0.x License
If you have a NetWitness Endpoint 4.4.0.x license, you can use the same amount of license on NetWitness Platform 11.3. For example, if you have purchased a 50k license for NetWitness Endpoint 4.4.0.x, you will get a 50k license on NetWitness Endpoint 4.4.0.x as well as on NetWitness Platform 11.3. For more information on how to get alicense for NetWitness Endpoint 4.4.0.x, see License for NetWitness Endpoint 4.4.0.x Agents.
Out-of-the-Box Trial License
RSA NetWitness Platform comes with an OOTB 90-days trial license.
Table of Contents > License Types