Licensing Overview

This page provides an overview of Stellar Cyber's licensing, as well as details on how to use the tabs in the System | Administration | Licensing page to keep track of it. See the following sections for details:

• About Stellar Cyber Licenses

• Using the Licensing Page

• Using the Asset Usage Tab

• Using the Volume Usage Tab

Only users with Root scope can see and work with the tabs in the Licensing page.

About Stellar Cyber Licenses

Stellar Cyber services are provided using licenses. The fundamental license is a platform license for your organization that can be purchased using either a volume-based license or an asset-based usage license:

• Volume – The license allows you to ingest a specified amount of data per day.
• Assets – The license allows you a specified number of daily active assets.

Each of these licenses are applied across all tenants in your organization, regardless of their region.

Supplemental Licenses

In addition to the platform license, you also purchase the following supplemental licenses, depending on your needs:

• Security Sensor Licenses – Security Sensor licenses allow you to manage a specified number of active sensors, broken down by speed (100 MB and 1,000 MB). A Security Sensor can be either a Modular Sensor with Security features enabled in its profile (IDS and/or Malware Sandbox) or a Security device sensor.

• Support License – The Support license provides the following:

  • IDS signature updates

  • Threat intelligence updates

  • Access to the Malware Sandbox service

  • Sensor software updates

About License Compliance Notifications

Every day, Stellar Cyber runs a report on the previous day's license usage for your organization. Depending on the results, you may see different notification banners in the Stellar Cyber user interface. In addition, the account admin registered for your organization at the time of purchase receives an email each time there is a state change between the different compliance levels. Refer to Understanding License Compliance for details on the different compliance states, as well as tips you can use to stay in compliance.

Notification banners for license warnings and violations are visible only to users with Root scope and either the Super Admin or Platform Admin role assigned.

Using the Licensing Page

Users with Root scope can use the Licensing page to keep track of all aspects of license provisioning and usage across your organization and its tenants. The Licensing page contains the following tabs:

• License tab (described in this section)

• Asset Usage tab

• Volume Usage tab

The License tab appears when you first display the System | Administration | Licensing page. As illustrated below, it provides separate sections with a summary of the platform license's settings and status, Security Sensor license usage, and a History of all events related to changes in license status or usage.

License Summary

The License tab provides the following information for the Platform license:

• Organization Name – The name provided for your organization when you registered with Stellar Cyber.

• Organization ID – The internal ID assigned to your organization when you registered with Stellar Cyber.

• License Key – The license key assigned to your organization when you registered with Stellar Cyber.

• License Type – The type of license. In most cases, this will be Production, indicating a regular, paid license. Options also exist for Trial and QA.

  • License State – The state of compliance for your Platform license at the time of the daily license report for the previous day's activities. For both asset-based and volume-based licenses, can be any of the following:

    License State	Trigger	Result
    In Compliance	Activity is within license limits	Good vibes.
    Warning	License limit has been exceeded by more than 10% for three days in a row	Removable warning banner.
    Violation	License limit has been exceeded by more than 10% for seven days in a row	Non-removable violation banner. Email sent to account admin.
    Out of Compliance	License limit has been in a violation state for more than 21 days	Services cease. License bill sent to cover ingestion trends since first violation. Refer to Understanding License Compliance for details on bill calculation.

    Refer to Understanding License Compliance for details on the different compliance states, including consequences and tips you can use to stay in compliance.

• License Based on – Can be either Assets or Volume.

• License Threshold – Specifies the daily limit of either assets (quantity) or ingestion (in GB) for your Platform license.

• License Start Date – The date your organization's Platform license took effect.

• Expiration Date – The date your organization's Platform license expires.

• Support Expiration Date – The date your organization's Support license expires. Stellar Cyber continues to operate without a Support license, but features that use definition updates are no longer updated (Threat Intelligence and IDS signatures). Similarly, sensor software is no longer updated and the Malware Sandbox is no longer available.

In addition, the License Summary includes a color-coded Current Status button that lets you see at a glance the state of your Platform License, and a Usage Details button that takes you to the Usage tab corresponding to your Platform license type (Asset Usage or Volume Usage).

Security Sensor License Table

The Security Sensor License table lists the current status of your licenses for Security Sensors, including the number purchased, their expiration dates, and the number in use. Keep in mind the following:

• Licenses are broken out by Bandwidth. There are separate entries for 100 Mbps and 1,000 Mbps Security Sensors.

• Security Sensors can be either physical Device sensors or Modular Sensors with Security features enabled in their Modular Sensor Profile (IDS and/or Malware Sandbox).

• You can see which of your Sensors are Security Sensors in the System | Collection | Sensors list.

History Table

The History table tracks any changes in license status, including application of new licenses, expirations, and transitions in state of compliance.

Using the Asset Usage Tab

The Asset Usage page shows you the daily maximum active assets over the preceding 30 days. If you have an asset-based license, your license limit is based on that average.

As shown in the image below, separate tabs in the Daily Asset Count By Tenant table let you view asset usage By Tenant or By Tenant Groups.

Each entry in the Daily Asset Count By Tenant table includes a View Assets button that lets you drill to an Investigate | Threat Hunting | Interflow Search filtered on the Assets index for the selected tenant and time range. This gives you an easy way to see the exact assets counted for licensing purposes in a given window of time.

Refer to Understanding Asset-Based Licensing for details on how assets are discovered, managed, and counted for licensing purposes.

Using the Volume Usage Tab

The Volume Usage page shows you the data volume consumed for licensing purposes by the top tenants in your organization. Separate tabs let you view volume usage by tenant for the Past 30 Days or the Past 12 Months.

Keep in mind that licensing volume is different than ingestion:

• Ingestion – Ingestion refers to the quantity of data sent by connectors and sensors to the DP prior to enrichment and compression.

• Licensing Volume Once data arrives at the DP, it undergoes additional enrichment and compression before it is stored on disk in the DP. Licensing volume refers to the quantity of actual data stored on disk, post-enrichment and compression. These are the counts used for licensing purposes.

Because of this distinction, the byte counts shown in the System | Administration | Licensing | Volume Usage page will not match those shown in the Visualize | Predefined | Ingestion Dashboard.

The Daily Data Volume table at the bottom provides similar information on a daily basis. Separate tabs let you see daily data volume By Tenant or By Tenant and Index.

Sorting the table by tenant makes it easy to see trends for each tenant.

Volume Usage Calculations Require 24 Hours for Completion

Keep in mind that it takes 24 hours to complete the volume usage calculations for a given UTC day. When a day ends in UTC time, its volume calculations are not final and may show small changes until the end of the next day in UTC time.

For example, consider the day of March 15, 2023. Stellar Cyber shows ingestion values for this day as soon as it concludes in UTC time. However, those values can and will show small changes for another 24 hours and are not complete until the end of March 16, 2023 in UTC time.