How Licensing Works

Document created by RSA Information Design and Development on Sep 13, 2017Last modified by RSA Information Design and Development on Apr 19, 2019
Version 20Show Document
  • View in full screen mode

After you have installed the NetWitness Platform software and the required services, you need to acquire the relevant licenses for the each of the services or a group of services based on your requirements. NetWitness Platformentitlement uses a trust-based licensing model. Appliances continue to function as usual even when the license is out-of-compliance.

Choosing a License Type

The type of license you choose is based on your network requirements. The following types of licenses are available in RSA NetWitness Platform:

  • Throughput License
  • Appliance License
  • UEBA (User and Entity Behavior Analytics)
  • Endpoint License

Here is a chart, followed by a description of each license type available for the NetWitness Platform products and services.

Throughput Licenses

Throughput license are based on the amount of data used per day for logs (SIEM), or network packets (network monitoring) or malware.

The throughput per day are measured in Gigabytes per day for logs, and in Terabytes per day for packets. The total amount of throughput is selected based on the total amount of throughput per day that is being licensed across your entire enterprise deployment of NetWitness Platform. This license is measured as follows:

  • License usage is based on the amount of data throughput per day.
  • Throughput is measured in Gigabytes (GB) per day for Log Decoders, in Terabytes (TB) per day for Network Decoders, and in Terabytes (TB) per day for Malware Analysis.
  • Usage is measured as an aggregate of all throughput services. For example, a Log Decoder can be licensed for 50 GB per day. You can to use multiple Log Decoder under the same license.

  • Throughput license usage statistics are available in PNG or PDF formats for export.
  • Throughput licenses are offered as subscription of perpetual, are offered in 1 TB increments
  • SIEM or Log Decoder offered in 50 GB increments.
  • Malware Analysis throughput licenses are offered in 1 TB increments on a per-day average usage.
  • Only if the aggregate usage of licenses exceeds, then a corresponding banner is displayed. For example, if you have a two Log Decoder throughput license, and each Log Decoder is entitled for 50 GB, the total entitlement for that service is 100 GB. If one Log Decoder exceeds usage by 10GB, and the other does not exceed the entitled usage and the total usage limit does not exceed 100 GB, then no banner is displayed, as the aggregate usage is calculated. For more information, see Out-of-Compliance Banner.

Appliance Licenses

NetWitness Platform supports the Appliance license, which is applicable to all hosts that require a license. Other services do not require a license. Appliance licenses are measured as follows:

  • Services are licensed automatically if you have a valid appliance based license for a specific service to be licensed.
  • Appliance licenses can be purchased as a perpetual license that does not expire and will have a maintenance contract. If you purchase a subscription license, then it will expire if you do not renew the contract.

User and Entity Behavior Analytics Licenses

NetWitness Platform supports the User and Entity Behavior Analytics License (UEBA). This license is based on the number active of users.

Endpoint Licenses

Endpoint license are measured based on the number of active agents deployed. It functions similar to throughput licenses used for NetWitness Logs and Network.

There are two types of agents:

  1. Advanced Agents: The license for these agents is based on the number of advanced agents in your deployment. A 90-days trail license period is provided. After the 90-days trial period , a zero MB and zero Agent throughput license is applicable to Log Decoder and Endpoint in the NetWitness Endpoint Log Hybrid. Archiver, Broker, Concentrator and ESA are automatically licensed because the license for advanced agents is a throughput license. An usage-exceeded banner is displayed when the license goes out-of-compliance in the following scenarios:
    1. If the allowed amount of entitled usage is exceeded
    2. If log data is collected without installing a valid log license.

For example, if you have purchased a license for 50k agents and if the number of agents exceeds more than 50k, the banner is displayed.

Or, if you have purchased a license for 50k agents but you have configured only 10k agents, and if the usage exceeds more than 10k, a banner is displayed only for those 10k configured active agents.

Note: In the case of multiple Endpoint Log Hybrids you may need an Endpoint Broker, which does not need a license.

  1. Insights Agents - There is no license required for these agents if they are used to collect only endpoint data. And if only insights agents are used, a banner will never be displayed .


NetWitness Endpoint 4.4.0.x License

If you have a NetWitness Endpoint 4.4.0.x license, you can use the same amount of license on NetWitness Platform 11.3. For example, if you have purchased a 50k license for NetWitness Endpoint 4.4.0.x, you will get a 50k license on NetWitness Endpoint 4.4.0.x as well as on NetWitness Platform 11.3. For more information on how to get alicense for NetWitness Endpoint 4.4.0.x, see License for NetWitness Endpoint 4.4.0.x Agents.

Out-of-the-Box Trial License

RSA NetWitness Platform comes with an OOTB 90-days trial license.

You are here
Table of Contents > License Types