License Types

After you have installed the NetWitness software and the required services, you need to acquire the relevant licenses for the each of the services or a group of services based on your requirements. NetWitnessentitlement uses a trust-based licensing model. Appliances continue to function as usual even when the license is out-of-compliance.

Choosing a License Type

The type of license you choose is based on your network requirements. The following types of licenses are available in RSA NetWitness:

  • Throughput License
  • Appliance License
  • UEBA (User and Entity Behavior Analytics)
  • Endpoint License

Here is a chart, followed by a description of each license type available for the NetWitness Platform products and services.


Throughput Licenses

Throughput license are based on the amount of data used per day for logs (SIEM), or network (packets) or malware.

The throughput per day is measured in Gigabytes per day for logs, and in Terabytes per day for packets. The total amount of throughput is selected based on the total amount of throughput per day that is being licensed across your entire enterprise deployment of NetWitness Platform. This license is measured as follows:

Service Unit of Measurement Increments License Duration
Network Decoder Terabytes (TB) per day 1 TB Subscription or perpetual
Log Decoder Gigabytes (GB) per day 50 GB Subscription or perpetual
Malware Terabytes (TB) per day of Files Analyzed by Malware Analysis 1 TB Subscription or perpetual

Note: In version 11.5 and later, NetWitness Platform introduced Network Meta-Only license in addition to the Network Full Packet license.

Network Full Packet License captures, analyzes, and stores packet payloads and metadata and allows users to retain the packet payload for analysis or for session reconstruction. Network Full Packet License measures the bytes analyzed and the bytes written to the disk for Network Packets.

Network Meta-Only License captures and analyzes packet payloads and discards the packet payload data after analysis. Using this license, NetWitness Platform can be deployed in an environment where full packet capture is not required. This helps to optimally manage the storage space, and easily detect threats without the need to retain the full payload of the sessions. Network Meta-Only License measures the bytes analyzed for Network Packets and can be used with or without the Network Full Packet License.

When customers have both - Network Meta-Only License and Network Full Packet Licenses, the entitlement is aggregated and measured against the bytes analyzed for Network Packets. However, the entitlement for bytes written to disk for Network Packets will continue to be measured against the Network Full Packet Licenses. The following table is an example of how the license is used and analyzed.

Available Licenses Network Full Packet License Network Meta-Only License Network Packet Bytes Analyzed Network Packet Bytes Written to Disk
10TB of Network Full Packet 10TB 0TB


10TB of Network Meta-Only 0TB 10TB 10TB 0TB
10TB of Network Full Packet
5TB of Network Meta-Only
10TB 5TB



5TB of Network Full Packet

10TB of Network Meta-Only

5TB 10TB 15TB 5TB

For more information on the status of your license, usage and out of compliance licenses, see About Out-of-Compliance Banners.

Appliance Licenses

The NetWitness Platform supports the Appliance license, which is applicable to all hosts that require a license. Other services do not require a license. Appliance licenses are measured as follows:

  • Services are licensed automatically if you have a valid appliance based license for a specific service to be licensed.
  • Appliance licenses can be purchased as a perpetual license that does not expire and will have a maintenance contract. If you purchase a subscription license, then it will expire if you do not renew the contract.

User and Entity Behavior Analytics Licenses

The NetWitness Platform supports the User and Entity Behavior Analytics License (UEBA). UEBA monitors the number of active users from the previous day and sends it to the licensing server. The entitlement is measured for logs and endpoint events for the number of active users and is checked against a user id. If a threshold is identified in a calendar month an appropriate banner is displayed. For more information on banners, see About Out-of-Compliance Banners.

Endpoint Licenses

Endpoint license are entitled based on the number of active agents deployed.

There are two types of agents:

  • Advanced Agents: The license for these agents is based on the number of advanced agents in your deployment. A 90-days trail license period is provided. After the 90-days trial period, a zero MB and zero Agent license is applied to the Log Decoder service and Endpoint service in the NetWitness Endpoint Log Hybrid. Once an Endpoint license is applied any Archivers, Brokers, Concentrators, and ESA are automatically licensed as a result. An usage exceeded banner is displayed when the license goes out-of-compliance in the following scenarios:

    1. If the number of active agents exceeds the number of licensed agents

    2. If the Endpoint Subscription is about to expire in near future or has already expired.

    For example, if you have purchased a license for 50,000 agents and if the number of agents exceeds more than 50,000, the banner is displayed.

    Or, if you have purchased a license for 50k agents but have mapped the entitlements for only 10k agents on myRSA, an out-of-compliance banner is displayed when your usage exceeds these 10k active agents.

  • Insights Agents - There is no license required for these agents if they are used to collect only endpoint data.
  • Log Collection with Endpoint Agents - All Endpoint agents (Advanced or Insights) can forward Windows Log data only to a licensed Log Decoder (or Hybrid). Windows Logs sent to a licensed Log Decoder (or Hybrid) will count against either the applied Throughput or Appliance license. Logs may be retained in the NetWitness Endpoint Log Hybrid as long as a Log (SIEM) Throughput license with available capacity is available. In either case, a license for Logs is required, irrespective of the Insights or Advanced agent.

NetWitness Endpoint 4.4.0.x License

If you have a NetWitness Endpoint 4.4.0.x license, you can use the same amount of license on NetWitness 11.6. For example, if you have purchased a 50,000 license for NetWitness Endpoint 4.4.0.x, you will get a 50,000 license on NetWitness Endpoint 4.4.0.x as well as on NetWitness 11.6. For more information on how to get a license for NetWitness Endpoint 4.4.0.x, see License for NetWitness Endpoint 4.4.0.x Agents.

Out-of-the-Box Trial License

NetWitness Platform comes with an OOTB 90-days trial license.

For Endpoint metered license, you will be provided with 0MB Log Decoder license. The 0MB license from the Log Decoder will be utilized after the 90-days trial period is complete. If you are still within the 90-days trial period and if you have an Endpoint Metered license, then the Log Decoder uses the remaining trial license. The Log Decoder will apply the 0MB license only after the trial license completed.