Licensing Overview

This page provides an overview of Stellar Cyber licensing, as well as details on how to use the tabs in System | ORGANIZATION MANAGEMENT | Licensing to keep track of it. See the following sections for details:

Only users with Root scope can see and work with the tabs in the Licensing page.

About Stellar Cyber Licenses

Stellar Cyber services are provided using licenses. The fundamental license is a platform license for your organization that can be purchased using either a volume-based license or an asset-based usage license:

  • Volume – The license allows you to ingest a specified amount of data per day.
  • Assets – The license allows you a specified number of daily active assets.

Each of these licenses are applied across all tenants in your organization, regardless of their region.

Supplemental Licenses

In addition to the platform license, you also purchase the following supplemental licenses, depending on your needs:

  • Security Sensor Licenses – Security Sensor licenses allow you to manage a specified number of active sensors, broken down by speed (100 MB and 1,000 MB). A Security Sensor can be either a Modular Sensor with Security features enabled in its profile (IDS and/or Malware Sandbox) or a Security device sensor.

  • Support License – The Support license provides the following:

    • IDS signature updates

    • Threat intelligence updates

    • Access to the Malware Sandbox service

    • Sensor software updates

About License Compliance Notifications

Every day, Stellar Cyber runs a report on the previous day's license usage for your organization. Depending on the results, you may see different notification banners in the Stellar Cyber user interface. In addition, the account admin registered for your organization at the time of purchase receives an email each time there is a state change between the different compliance levels. Refer to Understanding License Compliance for details on the different compliance states, as well as tips you can use to stay in compliance.

Notification banners for license warnings and violations are visible only to users with Root scope and either the Super Admin or Platform Admin role assigned.

Using the Licensing Page

Users with Root scope can use the Licensing page to keep track of all aspects of license provisioning and usage across your organization and its tenants. The Licensing page contains the following tabs:

The Licenses tab appears when you first display the System | ORGANIZATION MANAGEMENT | Licensing page. As illustrated below, it provides separate sections with a summary of the Stellar Cyber Platform license settings and status, Security Sensor license usage, and a History of all events related to changes in license status or usage.

License Summary

The Licenses tab provides the following information for the Platform license:

  • Organization Name – The name provided for your organization when you registered with Stellar Cyber.

  • Organization ID – The internal ID assigned to your organization when you registered with Stellar Cyber.

  • License Key – The license key assigned to your organization when you registered with Stellar Cyber.

  • License Type – The type of license. In most cases, this will be Production, indicating a regular, paid license. Options also exist for Trial and QA.

    • License State – The state of compliance for your Platform license at the time of the daily license report for the previous day's activities. For both asset-based and volume-based licenses, the compliance state can be any of the following:

      License State

      Trigger

      Result
      In Compliance Activity is within license limits Good vibes.
      Warning License limit has been exceeded by more than 10% for three days in a row Removable warning banner.
      Violation License limit has been exceeded by more than 10% for seven days in a row Non-removable violation banner. Email sent to account admin.
      Out of Compliance License limit has been in a violation state for more than 21 days Services cease. License bill sent to cover ingestion trends since first violation. Refer to Understanding License Compliance for details on bill calculation.

      Refer to Understanding License Compliance for details on the different compliance states, including consequences and tips you can use to stay in compliance.

  • License Based on – Can be either Assets or Volume.

  • License Threshold – Specifies the daily limit of either assets (quantity) or ingestion (in GB) for your Platform license.

  • License Start Date – The date your organization's Platform license took effect.

  • Expiration Date – The date your organization's Platform license expires.

  • Support Expiration Date – The date your organization's Support license expires. Stellar Cyber continues to operate without a Support license, but features that use definition updates are no longer updated (Threat Intelligence and IDS signatures). Similarly, sensor software is no longer updated and the Malware Sandbox is no longer available.

In addition, the License Summary includes a color-coded Current Status button that lets you see at a glance the state of your Platform License, and a Usage Details button that takes you to the Usage tab corresponding to your Platform license type (Asset Usage or Volume Usage).

Security Sensor License Table

The Security Sensor License table lists the current status of your licenses for Security Sensors, including the number purchased, their expiration dates, and the number in use. Keep in mind the following:

  • Licenses are broken out by Bandwidth. There are separate entries for 100 Mbps and 1,000 Mbps Security Sensors.

  • Security Sensors can be either physical Device sensors or Modular Sensors with Security features enabled in their Modular Sensor Profile (IDS and/or Malware Sandbox).

  • You can see which of your Sensors are Security Sensors in the System | DATA SOURCE MANAGEMENT | Sensors | Sensors list.

History Table

The History table tracks any changes in license status, including application of new licenses, expirations, and transitions in state of compliance.

Using the Tenant Allocation Tab

The Tenant Allocation tab (System | ORGANIZATION MANAGEMENT | Licensing) lets you view and manage how the licensed capacity for your Stellar Cyber Platform license is distributed among tenants. The capacity shown here comes from the License Threshold in the Licenses tab.

The content in this tab is divided into two sections: important data listed across the top of the tab in Top Summary and a Tenant Allocation table with more detailed information.

Top Summary

The Top Summary consists of the following

  • Total Licenses – Displays the License Threshold from the Licenses tab for the active license type. For ingestion-based licenses, this is the maximum daily ingestion volume in GB/day that your Stellar Cyber Platform license allows. For asset-based licenses, this is the maximum number of assets allowed.

  • Available / Allocated (Root level only) – Shows the amount of licensed capacity that is unassigned (Available) and assigned to tenants (Allocated). Allocations are measured in the same units as the License Threshold. Allocated capacity can exceed the License Threshold if you intentionally over-subscribe.

    When actual usage exceeds the License Threshold, the License State in the Licenses tab changes to Warning. Also a warning banner appears at the top of the UI alerting you that daily usage exceeds licensed limits.

  • Total Usage – Displays the percentage of the License Threshold currently being consumed across all tenants. A value above 100% means total usage exceeds the licensed daily capacity.

Table Columns

The following are the columns that appear in the Tenant Allocation table:

  • Tenant Name – Name of the tenant.

  • Tenant Group – Tenant group that the tenant belongs to.

  • Allocation Quota – The licensed capacity assigned to the tenant. A dash ( – ) means no specific quota is set. Values are in the same units as the License Threshold (GB/day for ingestion-based licenses or asset count for asset-based licenses).

  • Usage – The actual daily usage for the tenant.

  • Usage Level – A color-coded bar showing the tenant’s usage as a percentage of its allocation quota:

    Blue – Usage is within allocation.

    Pink – Usage exceeds allocation.

    Tenants without a quota display a blue bar showing usage relative to their own peak usage.

Screen capture of the Tenant Allocation tab

Interpretation of the screen capture shown above:

  • The License Threshold from the Licenses tab is 5 GB/day, which appears as Total Licenses = 5.

  • Allocations total 60.8016 GB/day across all tenants, meaning the capacity has been over-subscribed more than twelvefold.

  • Tenant-01 has a quota of 42.555 GB/day but is consuming 43.8378 GB/day, so its bar is pink.

  • Tenant-04 has a quota of 1.1111 GB/day and is using 1.7987 GB/day, also shown in pink.

  • Tenant-07 has a quota of 0.2222 GB/day and is using 0.1484 GB/day, so its bar is blue because usage is within allocation.

  • The Total Usage bar is 967.9677%, meaning actual usage across all tenants is more than nine times the licensed limit.

Allocating Capacity to Tenants

To set or change the capacity allocated to a tenant:

  1. In the Allocation Quota column, select the Edit icon next to the tenant’s current value (or dash).

  2. Enter a capacity quota in the same units as your License Threshold (GB/day or asset count).

  3. Save your changes.

Guidelines for Determining Allocations

When deciding how much capacity to allocate to each tenant:

  • Analyze historical usage – Review the Usage column and Volume Usage or Asset Usage tabs to see each tenant’s recent trends.

  • Use the Ingestion Target as a reference – If set when creating the tenant, the Ingestion Target value can serve as a reference point for allocation decisions. This value is for informational purposes only and does not enforce or automatically set the Allocation Quota.

  • Account for growth – Add buffer capacity for tenants expected to grow in assets or ingestion volume.

  • Prioritize critical tenants – Ensure mission-critical tenants receive enough allocation to handle peak load without exceeding their quota.

  • Avoid excessive over-subscription – While over-subscription can improve flexibility, it increases the risk of exceeding the license threshold and triggering warnings.

  • Review regularly – Revisit allocations periodically to adjust for changes in tenant usage patterns.

Role-Based Access Control (RBAC) for Tenant Allocation

Access to the Tenant Allocation tab is governed by both scope and role:

  • Scope levels – Root/Organization, Tenant Group, and Tenant. Users can only view and manage allocations within their assigned scope.

  • Roles – Four default privilege profiles determine the level of access within a scope:

  • Super Admin – Full access, including changing allocations for all tenants in scope.

  • Platform Admin – Subset of Super Admin permissions, can edit allocations within scope.

  • Security Admin – More limited permissions; may have read-only access to this tab depending on configuration.

  • User – Typically view-only access.

    Partner users operate at the Tenant Group scope and can manage allocations for tenants in that group. Only root-level users can manage allocations across all tenants in the platform.

Using the Asset Usage Tab

The Asset Usage tab shows you the daily maximum active assets over the preceding 30 days. If you have an asset-based license, your license limit is based on that average.

As shown in the image below, separate tabs in the Daily Asset Count By Tenant table let you view asset usage By Tenant or By Tenant Groups.

Each entry in the Daily Asset Count By Tenant table includes a View Assets button that pops up an Asset Details view filtered on the Assets index for the selected tenant and time range. This gives you an easy way to see the exact assets counted for licensing purposes in a given window of time.

Refer to Understanding Asset-Based Licensing for details on how assets are discovered, managed, and counted for licensing purposes.

Using the Volume Usage Tab

The Volume Usage tab shows you the data volume consumed for licensing purposes by the top tenants in your organization. Separate tabs let you view volume usage by tenant for the Past 30 Days or the Past 12 Months.

Keep in mind that licensing volume is different than ingestion:

  • Ingestion – Ingestion refers to the quantity of data sent by connectors and sensors to the DP prior to enrichment and compression.

  • Licensing Volume – Once data arrives at the DP, it undergoes additional enrichment and compression before it is stored on disk in the DP. Licensing volume refers to the quantity of actual data stored on disk, post-enrichment and compression. These are the counts used for licensing purposes.

Because of this distinction, the byte counts shown in the System | ORGANIZATION MANAGEMENT | Licensing | Volume Usage tab will not match those shown in the Dashboards | PREDEFINED | Ingestion Dashboard.

The Daily Data Volume table at the bottom provides similar information on a daily basis. Separate tabs let you see daily data volume By Tenant or By Tenant and Index.

Sorting the table by tenant makes it easy to see trends for each tenant.

Volume Usage Calculations Require 24 Hours for Completion

Keep in mind that it takes 24 hours to complete the volume usage calculations for a given UTC day. When a day ends in UTC time, its volume calculations are not final and may show small changes until the end of the next day in UTC time.

For example, consider the day of March 15, 2023. Stellar Cyber shows ingestion values for this day as soon as it concludes in UTC time. However, those values can and will show small changes for another 24 hours and are not complete until the end of March 16, 2023 in UTC time.