Understanding Asset-Based Licensing

As described in Licensing Overview, the DP can be licensed based on a count of the number of daily active assets. This topic provides details on asset-based licensing, including how assets are sourced, discovered, and counted for licensing purposes.

You can schedule and export PDF/CSV reports for Asset and Ingestion licenses from the Respond | Reports | License Usage page.

Refer to Understanding License Compliance for details on how Stellar Cyber enforces license policies.

Asset-Based Licensing Overview

For licensing purposes, assets are defined as the combination of unique devices and users discovered across the environment on any given day.

Keep in mind that this licensing definition of an asset is different from the security assets found under Asset Analytics, which you can pivot to from event data to reach the corresponding Asset Detail Views.

Asset discovery is performed differently for licensing than it is for security workflows:

  • Asset Discovery for Licensing – Designed for simplicity.

  • Asset Discovery for Security Workflows – Resolved through a more complex process to catch corner cases useful for analysts.

    Refer to MAC or IP-Identified Assets for details on how assets are discovered for security workflows.

Asset Sourcing

Stellar Cyber uses a passive service to identify assets from observed data. Assets can be discovered via data collected by any of the following:

  • Endpoint Data Sources (for example, EDR or Directory Services)

    Can be performed either through Log Forwarders or Connectors

  • Cloud Audit Logs

  • Traffic Related Sources (for example, Firewall)

  • Stellar Cyber Server Sensors (Linux and Windows)

  • Stellar Cyber Modular Sensors

  • Other Log Sources or Connectors (for example, VPN or ZTNA)

The data collected from these sources travels through an asset licensing discovery pipeline to identify the unique assets per tenant, per day. The pseudocode for that pipeline is found below, simplified from the actual code for readability.

Asset Discovery

As mentioned in the overview, the design goal for asset-based licensing is to count assets with the simplest method possible. The design relies on simplicity because it is easy to understand, predict, trust, and scope. Although certain corner cases won’t be counted perfectly due to this simplicity, this is by design.

The total number of licensed assets per tenant per day is the total number of unique devices (measured by internal Source IP addresses) plus the total number of unique users (measured by email addresses).

Device Discovery

The total number of licensed device assets is the combination of the two asset discovery models described below:

Endpoint Data Sources (Most Trustworthy)

Certain data sources, such as EDRs, Directory Services, or Cloud Service Lists, allow a direct query of their asset inventory. In these cases, the host IP is discovered as an asset. For example:

IF (msgtype == "Asset Record" AND msg_origin.source IN trusted_data_source)
    AND NOT (msg_origin.category == "firewall" OR msg_origin.category == "traffic"):

    return(asset)

Inference Devices (From Sensors, Firewall, VPN, Traffic, etcetera)

Most data sources do not inherently contain their own device inventory. In this case a source IP address is discovered as an asset if it is internal, appears in telemetry that has both a source and a destination IP, AND is seen talking to at least two distinct destination IP addresses on a given day. For example:

IF (srcip.exists() AND dstip.exists() AND count(distinct(dstip)) >= 2
    AND srcip.is_internal()):

    return(srcip)

User Discovery

The user discovery model finds unique users in Identity, Directory Service, and SaaS sources. Stellar Cyber uses filtering logic to ensure that identified users represent real user accounts and not an alias or something of no security value. The simplified logic for user discovery is as follows:

IF (msg_origin.category == "identity" OR msg_origin.category == "office_suite"
    OR msg_origin.category == "directory"):

    IF (record.is_valid_user_account()):

        return(record.email)

Each data source has a different implementation of is_valid_user_account(). Stellar Cyber studies each data source and employs conservative discovery methods. For example, the implementation for Google Workspace is as follows:

// Exclude non-user records such as third-party calendar apps
IF (gsuite.actor.profileId.exists()
    AND gsuite.email.is_valid_email()
    AND NOT event_detail.owner.exists()
    AND NOT event_details.calendar_id.exists()):

    return(True)

Asset Counting

The Asset Discovery process happens in real time as new data comes into the system. Each day at 11:59 PM UTC, Stellar Cyber counts the total of all the unique assets (devices and users) per tenant for that day. Importantly, if an IP address is discovered by multiple sources within a tenant on a given day, it is counted only once for that tenant for that day. The results are reported in the System | Licensing | Asset Usage page.

Example

The following example shows how this works for a sample customer with two tenants:

  • Tenant A has a CrowdStrike connector and a Modular Sensor deployed

  • Tenant B has an Office 365 connector and three Windows Server Sensors deployed

Tenant A Asset Data

Tenant A has the following asset data from its sources on Day 1:

  • CrowdStrike Connector

    • Assets – 192.168.0.1, 192.168.0.2

  • Modular Sensor

    • Discovered one traffic event sourced from 192.168.0.3 and ten traffic events sourced from 192.168.0.1

Tenant B Asset Data

Tenant B has the following asset data from its sources on Day 1:

  • Office 365 Connector

    • Valid Users - bob@tenantb.com, alice@tenantb.com

  • Windows Server Sensors

    • Deployed on three devices – 192.168.0.1, 192.168.0.2, 192.168.0.3

Total Day 1 Discovered Assets

The total number of discovered assets for this customer across both tenants on Day 1 is 7, as summarized in the table below. Note that 192.168.0.3 in Tenant A is not counted: the Modular Sensor saw only one traffic event from it, so it never reached the two distinct destination IP addresses that the inference model requires. 192.168.0.1 in Tenant A is counted once even though both CrowdStrike and the Modular Sensor reported it, while 192.168.0.1 and 192.168.0.2 are counted again in Tenant B, because discovery and deduplication are per tenant.

Day      Tenant                Asset               Type     Sources
Day 1    Tenant A              192.168.0.1         Device   CrowdStrike, Modular Sensor
Day 1    Tenant A              192.168.0.2         Device   CrowdStrike
Day 1    Tenant B              bob@tenantb.com     User     Office 365
Day 1    Tenant B              alice@tenantb.com   User     Office 365
Day 1    Tenant B              192.168.0.1         Device   Windows Sensor
Day 1    Tenant B              192.168.0.2         Device   Windows Sensor
Day 1    Tenant B              192.168.0.3         Device   Windows Sensor
TOTAL    Tenant A & Tenant B   7                   n/a      n/a
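The following is an added, runnable model of the simplified pipeline from the Asset Discovery pseudocode and the Day 1 example above. It is example code written for this page, not Stellar Cyber's implementation. Field names such as msgtype, msg_origin.source/category, srcip, dstip, gsuite.actor.profileId and gsuite.email follow the page's pseudocode; the flat record layout, the trusted-source names, the Office 365 user rule, the set of internal ranges and every sample event are assumptions constructed for the example. It reproduces the 7-asset result, shows that the same IP seen by two sources in one tenant is one asset, and shows a dual-homed server seen on two addresses being counted as two devices.

```python
# Added example: a runnable model of the simplified asset-licensing pipeline.
# Record layout, source names, the Office 365 rule and all sample data are assumptions.
from collections import defaultdict
from ipaddress import ip_address, ip_network

TRUSTED_ASSET_SOURCES = {"crowdstrike", "active_directory", "aws"}   # assumed names
USER_CATEGORIES = {"identity", "office_suite", "directory"}
# Assumed definition of "internal": RFC 1918, loopback and link-local.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                         "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_valid_email(value):
    local, sep, domain = (value or "").rpartition("@")
    return bool(sep and local and "." in domain)


def gsuite_user_email(rec):
    """The page's Google Workspace rule: keep real users, drop calendar/app records."""
    if (rec.get("gsuite.actor.profileId") is not None
            and is_valid_email(rec.get("gsuite.email"))
            and "event_detail.owner" not in rec
            and "event_details.calendar_id" not in rec):
        return rec["gsuite.email"]
    return None


def o365_user_email(rec):
    """Assumed Office 365 rule (not on the page): member accounts with a mailbox."""
    if rec.get("user_type") == "Member" and is_valid_email(rec.get("email")):
        return rec["email"]
    return None


USER_VALIDATORS = {"gsuite": gsuite_user_email, "office365": o365_user_email}


def discover_daily_assets(records):
    """One day of records -> {tenant: {"devices": set, "users": set}}.

    Per-tenant sets give the dedup the page describes: an IP seen by several
    sources in one tenant is one asset; the same IP in another tenant is another.
    """
    assets = defaultdict(lambda: {"devices": set(), "users": set()})
    dst_by_src = defaultdict(set)          # (tenant, srcip) -> distinct dstips seen today
    for rec in records:
        tenant, origin = rec["tenant"], rec["msg_origin"]
        category, source = origin.get("category"), origin.get("source")
        # Model 1: inventory records from a trusted endpoint/directory source.
        if (rec.get("msgtype") == "Asset Record" and source in TRUSTED_ASSET_SOURCES
                and category not in ("firewall", "traffic")):
            assets[tenant]["devices"].add(rec["hostip"])
            continue
        # Model 2: inferred devices; decided only after the whole day is seen.
        if "srcip" in rec and "dstip" in rec and is_internal(rec["srcip"]):
            dst_by_src[(tenant, rec["srcip"])].add(rec["dstip"])
        # User discovery with a per-source validity rule.
        if category in USER_CATEGORIES:
            email = USER_VALIDATORS.get(source, lambda r: None)(rec)
            if email:
                assets[tenant]["users"].add(email)
    for (tenant, srcip), dsts in dst_by_src.items():
        if len(dsts) >= 2:                 # the ">= 2 distinct destinations" rule
            assets[tenant]["devices"].add(srcip)
    return assets


def count_licensed_assets(records):
    """The end-of-day roll-up: {tenant: unique devices + unique users}."""
    daily = discover_daily_assets(records)
    return {t: len(v["devices"]) + len(v["users"]) for t, v in daily.items()}


def _flows(tenant, source, srcip, dstips):
    return [{"tenant": tenant, "msg_origin": {"source": source, "category": "traffic"},
             "srcip": srcip, "dstip": d} for d in dstips]


# Constructed Day 1 data mirroring the worked example: Tenant A has CrowdStrike plus a
# Modular Sensor; Tenant B has Office 365 plus three Windows Server Sensors.
DAY1_RECORDS = [
    {"tenant": "A", "msgtype": "Asset Record",
     "msg_origin": {"source": "crowdstrike", "category": "edr"}, "hostip": "192.168.0.1"},
    {"tenant": "A", "msgtype": "Asset Record",
     "msg_origin": {"source": "crowdstrike", "category": "edr"}, "hostip": "192.168.0.2"},
    *_flows("A", "modular_sensor", "192.168.0.3", ["10.1.1.1"]),            # one event only
    *_flows("A", "modular_sensor", "192.168.0.1", [f"10.1.1.{i}" for i in range(1, 11)]),
    {"tenant": "B", "msg_origin": {"source": "office365", "category": "office_suite"},
     "email": "bob@tenantb.com", "user_type": "Member"},
    {"tenant": "B", "msg_origin": {"source": "office365", "category": "office_suite"},
     "email": "alice@tenantb.com", "user_type": "Member"},
    {"tenant": "B", "msg_origin": {"source": "office365", "category": "office_suite"},
     "email": "svc-backup@tenantb.com", "user_type": "Guest"},               # filtered out
    *_flows("B", "windows_sensor", "192.168.0.1", ["10.2.0.1", "10.2.0.2"]),
    *_flows("B", "windows_sensor", "192.168.0.2", ["10.2.0.1", "10.2.0.2"]),
    *_flows("B", "windows_sensor", "192.168.0.3", ["10.2.0.1", "10.2.0.2"]),
    *_flows("B", "windows_sensor", "8.8.8.8", ["10.2.0.1", "10.2.0.2"]),      # external: ignored
]

# Constructed: one dual-homed server seen on two addresses is two licensed devices.
DUAL_HOMED_RECORDS = (_flows("C", "firewall", "10.0.0.5", ["10.9.9.1", "10.9.9.2"])
                      + _flows("C", "firewall", "10.0.1.5", ["10.9.9.1", "10.9.9.2"]))

if __name__ == "__main__":
    print(count_licensed_assets(DAY1_RECORDS))         # {'A': 2, 'B': 5}
    print(count_licensed_assets(DUAL_HOMED_RECORDS))   # {'C': 2}
```

Running the block prints 2 assets for Tenant A and 5 for Tenant B, matching the table. The inference decision is deferred until all of the day's records are seen because a source IP can only be judged against the two-destination threshold once its full day of telemetry is known; a streaming implementation would keep the same per-(tenant, srcip) destination set and promote the IP the moment its second distinct destination arrives.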

Frequently Asked Questions

If a server device has multiple IP addresses, is it only counted once?

No, it is counted as many times as the number of discovered source IP addresses.