Understanding Asset-Based Licensing
As described in Licensing Overview, the DP can be licensed based on a count of the number of daily active assets. This topic provides details on asset-based licensing, including how assets are discovered, managed, and counted for licensing purposes.
You can schedule and export PDF/CSV reports for Asset and Ingestion licenses from the Respond | Reports | License Usage page.
The page also includes a section covering Frequently Asked Questions on Asset Licensing.
Asset Licensing Overview
Asset licensing is based on the following processes:
- Asset Discovery – The discovery of assets based on all available data sources
- Asset Management – The continuous management of assets seen in a deployment
- Asset License Counting – Daily counts of active assets for comparison against license limits
Asset Discovery and Asset Management are the same processes that build data shown under Investigate | Asset Analytics, in addition to supporting license counting.
Asset Discovery
Stellar Cyber uses a passive discovery service to identify assets from observed data. Assets can be discovered via data collected by any of the following:
- Network Sensors
- Log Forwarders
- Linux and Windows Server Sensors
- Connectors (some)
At a high level, any device with an observed MAC address or internal IP address is identified and tracked as an asset. The discovery service uses data extracted from Dynamic Host Configuration Protocol (DHCP) and Domain Name Service (DNS) traffic to keep its running list of assets up to date, as well as to eliminate any duplicates when an asset has multiple MAC or IP addresses.
To improve the accuracy of asset counting, the discovery process does not count destination IP addresses that have not sent packets. This prevents the counting of, for example, IP addresses that were sent SNMP or ICMP requests but did not respond.
Asset Management
The asset discovery process results in a list of assets tracked with the following data:
- MAC Addresses
- IP Addresses
- Hostnames
How Stellar Cyber Uses Incoming Asset Data to Create and Update Assets
Different data sources provide different asset information, often reporting more than one value for a given field. For example, an EDR agent may report that a server has one MAC Address, two IP Addresses, and one Hostname while network traffic may show only one IP address and no associated MAC Addresses or Hostnames.
Stellar Cyber tries to define an asset as a single device, making logical sense of the different addresses and hostnames received in asset data from different sources. However, because infrastructure and networking differ between deployments, there are always corner cases, and seeing those corner cases in the data is expected.
In general, Stellar Cyber uses the following logic to determine whether incoming asset discovery data is used to update an existing asset or create a new one:
- Rule 1: If the incoming asset discovery data shows a MAC Address that is already in Asset Management, use the asset discovery data to update that asset's associated IP Addresses and Hostnames, if available.
- Rule 2: Else, if the asset discovery data shows a Hostname that is already in Asset Management, use the asset discovery data to update that asset's associated IP Addresses, if available.
- Rule 3: Else, if the asset discovery data shows an IP address that is already in Asset Management, use the asset discovery data to update that asset's other linked IP Addresses, if available.
- Rule 4: Else, add the asset discovery record to Asset Management as a new asset.
Example
Consider an existing Asset Management record with the following data:
- <MAC Addresses: [ABC], IP Addresses: [123], Hostname: []>
In this case, if newly received asset discovery data shows the same MAC address associated with IP Address 456 and Hostname XYZ, Stellar Cyber uses Rule 1 in the previous section to update the record as follows, adding the newly discovered IP address and hostname:
- <MAC Addresses: [ABC], IP Addresses: [456, 123], Hostname: [XYZ]>
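The four matching rules and the worked example above, as an added illustration in Python (this is not Stellar Cyber's code; the record schema, the `Asset` class and the `merge_discovery` function are assumptions made for the example). It processes one discovery record against an in-memory Asset Management table and reports which rule fired, so the MAC-first, hostname-second, IP-third precedence is visible.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    """One Asset Management record: every field is a list because sources may report several values."""
    macs: list = field(default_factory=list)
    ips: list = field(default_factory=list)
    hostnames: list = field(default_factory=list)


def _add_new(target, values):
    # Prepend values not already present so the newest address comes first,
    # matching the [456, 123] ordering shown in the page's example.
    for v in values:
        if v not in target:
            target.insert(0, v)


def merge_discovery(inventory, record):
    """Apply the page's four rules to one discovery record.

    inventory: list of Asset (the Asset Management table, updated in place).
    record: dict with optional keys "macs", "ips", "hostnames" (constructed schema).
    Returns (asset, rule_number) so the caller can see which rule matched.
    """
    macs = record.get("macs", [])
    ips = record.get("ips", [])
    hosts = record.get("hostnames", [])

    # Rule 1: a known MAC address -> update its IP addresses and hostnames.
    for asset in inventory:
        if any(m in asset.macs for m in macs):
            _add_new(asset.ips, ips)
            _add_new(asset.hostnames, hosts)
            return asset, 1

    # Rule 2: a known hostname -> update its IP addresses only.
    for asset in inventory:
        if any(h in asset.hostnames for h in hosts):
            _add_new(asset.ips, ips)
            return asset, 2

    # Rule 3: a known IP address -> update the other linked IP addresses.
    for asset in inventory:
        if any(ip in asset.ips for ip in ips):
            _add_new(asset.ips, ips)
            return asset, 3

    # Rule 4: nothing matched -> add the record as a new asset.
    asset = Asset(list(macs), list(ips), list(hosts))
    inventory.append(asset)
    return asset, 4


if __name__ == "__main__":
    # The page's example: existing record <MAC [ABC], IP [123], Hostname []>
    table = [Asset(macs=["ABC"], ips=["123"])]
    updated, rule = merge_discovery(table, {"macs": ["ABC"], "ips": ["456"], "hostnames": ["XYZ"]})
    print(rule, updated)  # 1 Asset(macs=['ABC'], ips=['456', '123'], hostnames=['XYZ'])
```

Note that a record carrying only an IP address that is already linked to an existing asset is folded into that asset (Rule 3) rather than creating a duplicate, which is what keeps a single device from being counted twice when it is seen by several data sources.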
Router Identification
In addition to tracking IP addresses, MAC addresses, and hostnames, Stellar Cyber also looks for situations where a high number of IP addresses are associated with only a few MAC addresses and classifies such assets as routers.
Pruning Dormant IP Addresses
Because of the dynamic nature of IP address assignment through mechanisms such as DHCP, Stellar Cyber phases IP addresses without associated MAC addresses or hostnames out of Asset Management after three days of inactivity (default value; configurable). This is the only scenario where Stellar Cyber phases an asset out. You can prevent IP address assets from being phased out by marking them as static in the Investigate | Asset Analytics | IP Identified Assets page.
You can tell which assets are subject to pruning in the Investigate | Asset Analytics page's primary views:
- MAC Identified Assets – These assets have a MAC Address tracked and are not deleted after discovery.
- IP Identified Assets – These assets do not have a MAC Address tracked and are phased out after a specified number of days of inactivity (three, by default) if not marked as static.
Asset License Counting
Every day, Stellar Cyber takes a snapshot of the assets that were active during the previous day and reports the results in the System | Licensing | Asset Usage page. An asset is considered active if it was seen in one or more data sources during the previous day.
Keep in mind that the total number of assets reported in the System | Licensing | Asset Usage page is typically less than the sum of the assets shown in the MAC Identified Assets and IP Identified Assets pages. This is because the Asset Usage page reports only those assets that were active the previous day, while the MAC Identified Assets and IP Identified Assets pages report both active assets and ones that were seen previously but were not active during the previous day. Only those assets that were active the previous day count against your licensed total.
Asset license violations are reported as follows:
- Stellar Cyber reports a violation of the asset license if the count of active assets during a given day exceeds the license limit by 10% or more.
- Stellar Cyber reports a more serious violation if the count of active assets exceeds the license limit by 10% or more for five days in a row.
- Stellar Cyber reports a monthly violation if the count of active assets exceeds the license limit by 10% or more for 10 or more days in a given month (not necessarily consecutive days).
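The daily snapshot and the three violation classes described above, as an added Python illustration (not Stellar Cyber's code; the observation and count schemas, the `evaluate_license` function and the constructed January figures are assumptions made for the example). It counts distinct active assets for one day regardless of how many sources saw them, then applies the 10%, five-consecutive-day and ten-days-per-month checks to a month of daily counts.

```python
from collections import defaultdict
from datetime import date

VIOLATION_PERCENT = 110   # violation when active assets reach 110% of the limit or more
STREAK_DAYS = 5           # "five days in a row"
MONTHLY_DAYS = 10         # "10 or more days in a given month"


def daily_active_count(observations):
    """Distinct assets seen in at least one data source on one day.

    observations: iterable of (asset_id, source_name) pairs for that day (constructed schema).
    An asset seen by several sources still counts once.
    """
    return len({asset_id for asset_id, _source in observations})


def is_violation(count, limit):
    # Integer arithmetic avoids the floating-point trap where 100 * 1.10 > 110.
    return count * 100 >= limit * VIOLATION_PERCENT


def evaluate_license(daily_counts, limit):
    """daily_counts: dict mapping date -> active-asset count for that day.

    Returns the three classes the page describes: "daily" (each violating day),
    "five_day" (each day on which a calendar-consecutive run reaches five or more)
    and "monthly" ((year, month) tuples with ten or more violating days).
    """
    days = sorted(daily_counts)
    daily = [d for d in days if is_violation(daily_counts[d], limit)]

    streak, run = [], []
    for d in days:
        if not is_violation(daily_counts[d], limit):
            run = []  # a normal day breaks the streak
            continue
        run = run + [d] if run and (d - run[-1]).days == 1 else [d]
        if len(run) >= STREAK_DAYS:
            streak.append(d)

    per_month = defaultdict(int)
    for d in daily:
        per_month[(d.year, d.month)] += 1
    monthly = sorted(ym for ym, n in per_month.items() if n >= MONTHLY_DAYS)
    return {"daily": daily, "five_day": streak, "monthly": monthly}


def sample_month():
    # Constructed January 2024 counts for a 100-asset license: four high days,
    # one quiet day, seven high days in a row, then normal load.
    counts = {}
    for day in range(1, 32):
        d = date(2024, 1, day)
        counts[d] = 118 if (day <= 4 or 6 <= day <= 12) else 95
    return counts


if __name__ == "__main__":
    # One day's observations from several sources (constructed): 2 distinct assets.
    print(daily_active_count([("srv-a", "sensor"), ("srv-a", "edr"), ("srv-b", "sensor")]))
    result = evaluate_license(sample_month(), limit=100)
    print(len(result["daily"]), "violating days")            # 11 violating days
    print([d.day for d in result["five_day"]])               # [10, 11, 12]
    print(result["monthly"])                                 # [(2024, 1)]
```

In the constructed month the quiet day 5 breaks the first run of high days, so the consecutive-day violation is first reached on day 10, while the monthly violation still fires because the eleven high days do not need to be consecutive.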
Frequently Asked Questions on Asset Licensing
How can assets be filtered out to prevent them from being counted against my licensed total?
The only way to filter out an asset to prevent it from counting against your licensed total is to set filters that remove that asset before ingestion for each data source where it could be discovered. Because only active assets are counted towards your licensed total on any given day, rarely discovered assets won't have a major effect on average daily counts.