Vectra licensing metrics (all products)

This article explains what metric is used when licensing Vectra products.

Summary of Licensing Guidelines

Vectra subscription licensing is based on usage described in Vectra’s Terms of Service. Licensed quantities are specified on orders, and any unlicensed amounts beyond what is ordered are subject to additional fees payable to Vectra.

Quick Reference

Vectra NDR with real-time Attack Signal Intelligence sees and stops unknown attacks across datacenter networks long before they become breaches.
Licensing metric: Number of concurrent IPs

Vectra NDR for Cloud with real-time Attack Signal Intelligence sees and stops unknown attacks against workloads that are hosted in IaaS environments, including AWS, Azure, and GCP.
Licensing metric: Number of concurrent IPs

Vectra CDR for M365 with real-time Attack Signal Intelligence sees and stops unknown attacks in your Microsoft 365 environment.
Licensing metric: Number of active internal accounts

Vectra IDR for Azure AD with real-time Attack Signal Intelligence sees and stops unknown attackers compromising your Microsoft Azure AD accounts.
Licensing metric: Number of active internal accounts

Vectra CDR for AWS with real-time Attack Signal Intelligence sees and stops unknown attacks across your AWS cloud and networks.
Licensing metric: Number of MB per day
Licensing metric (Vectra CDR for AWS Essential): Number of GB per year

Vectra CDR for Azure with real-time Attack Signal Intelligence sees and stops unknown attacks across your AWS cloud and networks.
Licensing metric: Number of resources

Extended Metadata Retention
The Vectra AI Platform enables extended retention of metadata associated with Network, M365, AAD and AWS events directly in the platform UI, allowing for streamlined threat investigations and hunting. Only available with Vectra AI Standard or Vectra AI Complete.
Licensing metric: Same metric as the associated detection, investigation and response products

Vectra Match
Vectra Match provides signature-based detections to accelerate threat hunting, investigations, and maintain compliance. Includes a set of signature rules curated by Vectra researchers.
Licensing metric: Number of concurrent IPs

Vectra MDR
Vectra MDR is 24x7x365 managed detection, investigation and response for hybrid and multi-cloud enterprises.
Licensing metric: Same metric as associated detection, investigation and response products

Vectra Recall
Vectra Recall provides access to Network data for threat investigations and hunting. Only available with Vectra AI Essential NDR.
Licensing metric: GB per day of metadata

Vectra Stream
Vectra Stream provides access to Network data for threat investigations and hunting in a customer’s data lake.
Licensing metric: GB per day of metadata

Vectra NDR FAQ

How is Vectra NDR licensed?

  • Vectra NDR usage for licensing purposes is based on the 95th percentile of the number of concurrently active IPs observed over a 30-day period. The quantity of monitored IPs is measured in a way consistent with burstable billing (“95th percentile billing”) used by many Internet service providers (ISPs).

  • Vectra records the number of active unique internal IPs observed by the brain every 10 minutes. In a month, there are approximately 4320 (6x24x30) samples observed for the active IP count. The top 5% are discarded to determine the 95th percentile value. During a 30-day period, the 95th percentile of this measurement determines the required licensed capacity. The 95th percentile means that 95% of the time, the number of active internal IPs being monitored is at or below the licensed count.

How is this counted in multi-brain deployments?

  • The total usage is calculated as the sum of the 95th percentile count of concurrently active IPs on each brain in the estate.

What determines an active IP?

  • An active IP is a source IP that is generating traffic and is inside the customer’s network. This could be a PC, laptop, server, IP camera, IP phone, virtual machine, router – anything with a unique internal IP address that is sourcing traffic. When traffic is observed from an internal IP, the system tracks the session as a ‘host session’.

    • As long as the internal IP is generating traffic and active on the network, the IP is counted as an active IP contributing to the license count.

    • If no traffic is observed from an IP in a consecutive 2-hour window, the host session is closed, and the IP is no longer considered to be active.

  • For users of Vectra's Zscaler Private Access (ZPA) Log Ingestion Integration who want to know how this integration impacts active IP counts that are used for licensing metrics:

    • Vectra's integration retrieves details from the ingested LSS logs that allow the system to map ZPA usernames to active host sessions observed between your app connectors and the destination hosts/servers.

    • The count of unique ZPA usernames observed among these host sessions is counted as part of the active IP metric used for licensing.

      • Multiple active sessions for the same ZPA user will only count as 1 active IP.

    • Just like non-ZPA traffic, host sessions that are attributed to ZPA users are closed after 2 hours of inactivity.
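
The counting rules above (10-minute samples, 2-hour host-session timeout, 95th percentile, per-brain sum) can be reproduced for capacity planning. The sketch below is an added example, not Vectra code: the function names, the input format, the sample data, and the rounding of the discarded 5% are assumptions, and ZPA username mapping is not modeled.

```python
from collections import defaultdict

SAMPLE_SECONDS = 600        # the page: active-IP count recorded every 10 minutes
SESSION_TIMEOUT = 2 * 3600  # the page: host session closes after 2 hours without traffic

def concurrent_counts(observations, start, end):
    """Count open host sessions at each 10-minute sample in [start, end).

    observations: (unix_seconds, internal_ip) traffic sightings (constructed input format).
    """
    seen = defaultdict(list)
    for ts, ip in observations:
        seen[ip].append(ts)
    counts = []
    for t in range(start, end, SAMPLE_SECONDS):
        # Assumption: an IP is active at t if it sourced traffic less than 2 hours before t.
        counts.append(sum(
            any(t - SESSION_TIMEOUT < ts <= t for ts in times)
            for times in seen.values()))
    return counts

def percentile_95(samples):
    """Sort the samples, discard the top 5%, return the highest remaining value."""
    ordered = sorted(samples)
    if not ordered:
        return 0
    discard = len(ordered) // 20  # assumption: the discarded 5% is rounded down
    return ordered[len(ordered) - discard - 1]

def estate_usage(samples_by_brain):
    """Multi-brain estates: sum of each brain's own 95th percentile."""
    return sum(percentile_95(s) for s in samples_by_brain.values())

# Constructed 30-day series (4320 samples per brain), not real measurements.
BRAIN_A = [900] * 4120 + [1500] * 200   # burst of 200 samples (< 216) is discarded
BRAIN_B = [400] * 4020 + [700] * 300    # burst of 300 samples (> 216) sets the value

if __name__ == "__main__":
    sightings = [(0, "10.0.0.5"), (0, "10.0.0.6"), (7000, "10.0.0.6")]
    print(concurrent_counts(sightings, 0, 4 * 3600))
    print(percentile_95(BRAIN_A), percentile_95(BRAIN_B))
    print(estate_usage({"brain-a": BRAIN_A, "brain-b": BRAIN_B}))
```

With 4320 samples, the top 216 are discarded, so a burst has to last longer than 36 hours in total within the 30-day window before it raises the licensed count.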

What is the difference between a ‘host session’ and a ‘host’?

  • A ‘host session’ is created and monitored for each currently active IP on the system. The ‘host session’ is attributed to a ‘host’ based on a mix of artifacts observed on the network (MAC address from DHCP, Kerberos machine auth, DNS requests/responses) and information actively gathered (reverse DNS, data from integrated products such as Carbon Black, CrowdStrike, or VMware). This attribution is done by the hostID subsystem, allowing Vectra to track the ‘host’ even if it changes IP addresses. However, a ‘host’ in Vectra does not necessarily correspond to a physical host. See “What about multi-homed devices?” below.

Are IPs outside my network counted?

  • No. Vectra NDR only tracks active IPs that are considered internal to the network. The internal/external setting determines what is considered internal to the network. Any traffic originating from an external IP does not result in a host session and is not counted towards the license count.

Two sensors are seeing the same traffic in my network. Does this cause double counting?

  • No. Vectra de-duplicates flows, so only one copy of the flow is processed regardless of the number of sensors that observe it. Thus, Vectra will not account for duplicate flow copies for its detections or the licensing metric.

Will a host changing IPs lead to double counting?

  • No. The platform tracks host objects and maps IP addresses to hosts. If a host changes its IP address (e.g., a DHCP lease expires and the host is provided a new IP), the old host session is terminated, and a new one is created for the new IP address. Thus, a device changing IPs will not lead to double counting in the system.

How are multi-homed devices considered?

  • If a machine has multiple NICs, each with its own unique MAC and IP address, traffic observed from each NIC contributes to the licensing metric. Consequently, a device that has 2 NICs and is generating traffic on both will count as two unique active IPs for the duration of the activity.

How can I view the concurrently active IP count or the 95th percentile metric?

  • Navigate in the UI to Network Stats > Observed IPs. A complete list of current IPs may be downloaded on demand using the link at the top right to audit or verify the counts.

  • Vectra’s API can also be used to pull a list of the current IPs, including their first-seen and last-seen timestamps. Consult Vectra AI’s API documentation for details.

Based on the deployment of the Vectra sensors, Vectra is collecting more than I care to monitor. How can I reduce the traffic?

  • Vectra offers the option to filter out traffic by subnet or VLAN. Traffic from or to a filtered subnet or VLAN is dropped and not processed.

    • In your UI, filtering by subnet can be found at Configuration > Data Sources > Network > Brain Setup > IP Address Classification > Dropped IP Addresses (CIDR).

    • In the CLI, filtering by subnet can be accomplished by using the "set capture-network" command.

      • "show capture-networks" can be used to display the configuration.

    • In the CLI, filtering by VLAN can be accomplished by using the "set capture-vlan" command.

      • "show capture-vlans" can be used to display the configuration.

How are IoT and network-connected OT devices counted for licensing?

  • All network devices are counted for licensing, including IoT and network-connected OT devices. All networked devices expose a potential attack surface that attackers can leverage. This includes infrastructure elements like firewalls, switches, and routers; end-user devices like laptops; servers (physical, virtual, and in the cloud); and IoT devices like phones, cameras, HVAC and other systems. IP addresses assigned to these entities are considered concurrently active IPs and licensed equally.

How do we license cloud environments that scale up and down quickly? How do we calculate the IP addresses?

  • Vectra AI’s burstable billing model described above covers cloud environments as well – the 95th percentile will discard outliers and count VMs used for a significant time. For planning purposes, in AWS, we recommend you access your AWS Cost Explorer dashboard (shown below) for a historical view of the number of deployed VMs. You can use this information to plan NDR IP count requirements. The concurrent IP count graph in the UI includes both cloud and on-premise hosts.

What happens when the metric is over my license count?

  • To the extent that you have exceeded the license quantity/volume purchased, you will have thirty (30) days to come into compliance by either (a) remediating the excess usage, such as by filtering out traffic by subnet or VLAN, or (b) performing a license count true-up where you pay Vectra or the authorized reseller for the pro-rated subscription fees for the number of additional licensing quantity/volume required, co-termed through the end of your current subscription term. Subscription fee rates for true-up licenses are based on your most recent and applicable order(s).

  • For more information or to discuss your options, contact your Customer Success Manager or Sales Representative.

Vectra CDR for M365 and IDR for Azure AD FAQ

How are CDR for M365 and IDR for Azure AD licensed?

  • Vectra’s IDR for Azure AD and CDR for M365 are licensed as separate products. They are each licensed by the number of daily internally active unique identities observed in the past 30 days. The metric of active internal identities is designed to be robust to fluctuations of identities over time and ensures customers are not charged for identities that are disabled but still maintained in the Microsoft system. If an identity is maintained in Microsoft but has not successfully logged in recently, it will not count against Vectra’s license metric.

  • Active internal identities are calculated based on whether an identity has successfully authenticated to the tenant and is not labeled as an external entity by Microsoft. Due to how Microsoft provisions and manages users, a single license metric is tracked by Vectra for both products.

How can I view my license metric?

  • Please get in touch with your Vectra account team, and they can share a view of your Azure AD and M365 product license metrics.

Vectra CDR for AWS FAQ

How is CDR for AWS licensed?

  • CDR for AWS is licensed by the volume of logs processed by Vectra. The metric is MB of logs/day for the most common deployment model in the Vectra Standard and Complete offerings where the Vectra AI Platform is used. Vectra Essential uses a different metric of GB/year where the product is deployed from the Vectra Appliance.

How can I estimate AWS log volumes?

Vectra CDR for Azure FAQ

How is CDR for Azure licensed?

  • CDR for Azure is licensed by the number of resources analyzed by Vectra.

How can I estimate the resource count?
