License TypesLicense Types
After you have installed the NetWitness software and the required services, you need to acquire the relevant licenses for the each of the services or a group of services based on your requirements. NetWitnessentitlement uses a trust-based licensing model. Appliances continue to function as usual even when the license is out-of-compliance.
Choosing a License TypeChoosing a License Type
The type of license you choose is based on your network requirements. The following types of licenses are available in RSA NetWitness:
- Throughput License
- Appliance License
- UEBA (User and Entity Behavior Analytics)
- Endpoint License
Here is a chart, followed by a description of each license type available for the NetWitness Platform products and services.
Throughput LicensesThroughput Licenses
Throughput license are based on the amount of data used per day for logs (SIEM), or network (packets) or malware.
The throughput per day is measured in Gigabytes per day for logs, and in Terabytes per day for packets. The total amount of throughput is selected based on the total amount of throughput per day that is being licensed across your entire enterprise deployment of NetWitness Platform. This license is measured as follows:
|Service||Unit of Measurement||Increments||License Duration|
|Network Decoder||Terabytes (TB) per day||1 TB||Subscription or perpetual|
|Log Decoder||Gigabytes (GB) per day||50 GB||Subscription or perpetual|
|Malware||Terabytes (TB) per day of Files Analyzed by Malware Analysis||1 TB||Subscription or perpetual|
Note: In version 11.5 and later, NetWitness Platform introduced Network Meta-Only license in addition to the Network Full Packet license.
Network Full Packet License captures, analyzes, and stores packet payloads and metadata and allows users to retain the packet payload for analysis or for session reconstruction. Network Full Packet License measures the bytes analyzed and the bytes written to the disk for Network Packets.
Network Meta-Only License captures and analyzes packet payloads and discards the packet payload data after analysis. Using this license, NetWitness Platform can be deployed in an environment where full packet capture is not required. This helps to optimally manage the storage space, and easily detect threats without the need to retain the full payload of the sessions. Network Meta-Only License measures the bytes analyzed for Network Packets and can be used with or without the Network Full Packet License.
When customers have both - Network Meta-Only License and Network Full Packet Licenses, the entitlement is aggregated and measured against the bytes analyzed for Network Packets. However, the entitlement for bytes written to disk for Network Packets will continue to be measured against the Network Full Packet Licenses. The following table is an example of how the license is used and analyzed.
|Available Licenses||Network Full Packet License||Network Meta-Only License||Network Packet Bytes Analyzed||Network Packet Bytes Written to Disk|
|10TB of Network Full Packet||10TB||0TB||
|10TB of Network Meta-Only||0TB||10TB||10TB||0TB|
|10TB of Network Full Packet
5TB of Network Meta-Only
5TB of Network Full Packet
10TB of Network Meta-Only
For more information on the status of your license, usage and out of compliance licenses, see About Out-of-Compliance Banners.
Appliance LicensesAppliance Licenses
The NetWitness Platform supports the Appliance license, which is applicable to all hosts that require a license. Other services do not require a license. Appliance licenses are measured as follows:
- Services are licensed automatically if you have a valid appliance based license for a specific service to be licensed.
- Appliance licenses can be purchased as a perpetual license that does not expire and will have a maintenance contract. If you purchase a subscription license, then it will expire if you do not renew the contract.
User and Entity Behavior Analytics LicensesUser and Entity Behavior Analytics Licenses
The NetWitness Platform supports the User and Entity Behavior Analytics License (UEBA). UEBA monitors the number of active users from the previous day and sends it to the licensing server. The entitlement is measured for logs and endpoint events for the number of active users and is checked against a user id. If a threshold is identified in a calendar month an appropriate banner is displayed. For more information on banners, see About Out-of-Compliance Banners.
Endpoint LicensesEndpoint Licenses
Endpoint license are entitled based on the number of active agents deployed.
There are two types of agents:
Advanced Agents: The license for these agents is based on the number of advanced agents in your deployment. A 90-days trail license period is provided. After the 90-days trial period, a zero MB and zero Agent license is applied to the Log Decoder service and Endpoint service in the NetWitness Endpoint Log Hybrid. Once an Endpoint license is applied any Archivers, Brokers, Concentrators, and ESA are automatically licensed as a result. An usage exceeded banner is displayed when the license goes out-of-compliance in the following scenarios:
If the number of active agents exceeds the number of licensed agents
If the Endpoint Subscription is about to expire in near future or has already expired.
For example, if you have purchased a license for 50,000 agents and if the number of agents exceeds more than 50,000, the banner is displayed.
Or, if you have purchased a license for 50k agents but have mapped the entitlements for only 10k agents on myRSA, an out-of-compliance banner is displayed when your usage exceeds these 10k active agents.
- Insights Agents - There is no license required for these agents if they are used to collect only endpoint data.
Log Collection with Endpoint Agents - All Endpoint agents (Advanced or Insights) can forward Windows Log data only to a licensed Log Decoder (or Hybrid). Windows Logs sent to a licensed Log Decoder (or Hybrid) will count against either the applied Throughput or Appliance license. Logs may be retained in the NetWitness Endpoint Log Hybrid as long as a Log (SIEM) Throughput license with available capacity is available. In either case, a license for Logs is required, irrespective of the Insights or Advanced agent.
NetWitness Endpoint 4.4.0.x LicenseNetWitness Endpoint 4.4.0.x License
If you have a NetWitness Endpoint 4.4.0.x license, you can use the same amount of license on NetWitness 11.6. For example, if you have purchased a 50,000 license for NetWitness Endpoint 4.4.0.x, you will get a 50,000 license on NetWitness Endpoint 4.4.0.x as well as on NetWitness 11.6. For more information on how to get a license for NetWitness Endpoint 4.4.0.x, see License for NetWitness Endpoint 4.4.0.x Agents.
Out-of-the-Box Trial LicenseOut-of-the-Box Trial License
RSA NetWitness Platform comes with an OOTB 90-days trial license.
For Endpoint metered license, you will be provided with 0MB Log Decoder license. The 0MB license from the Log Decoder will be utilized after the 90-days trial period is complete. If you are still within the 90-days trial period and if you have an Endpoint Metered license, then the Log Decoder uses the remaining trial license. The Log Decoder will apply the 0MB license only after the trial license completed.