QRadar Suite Software License Guide

This document provides information about licensing and entitlements for IBM Security QRadar® Suite Software.

Note: This License Guide is intended to provide only supplementary information to assist you in deploying the Program(s) you have licensed from IBM® within your purchased entitlement. Your license agreement (such as the IBM International Program License Agreement (IPLA) or equivalent and its transaction documents, including the License Information for QRadar Suite Software, is the sole and complete agreement between you and IBM regarding use of the Program.

Listing of licenses by type

These licenses are used when creating instances of the QRadar Suite Software components in the <spec.license.license> field of each custom resource:

Full License
Full Licenses include OpenShift® Container Platform support entitlements. These licenses can be deployed in the Production or Non-production environment. See Products that can be deployed on Red Hat OpenShift for more details on Red Hat® OpenShift Container Platform support entitlements.
Disaster Recovery License
Disaster Recovery Licenses include OpenShift Container Platform support entitlements. These licenses are meant to be deployed for use in Disaster Recovery environments. See Products that can be deployed on Red Hat OpenShift for more details on Red Hat OpenShift Container Platform support entitlements.

The following table shows license versions.

License Usage Description
L-NWEX-96T6RE Production or Non-Production IBM Security QRadar Suite Software
L-YKWB-P4Y8LV Disaster recovery IBM Security QRadar Suite Software - Disaster Recovery

What do you get with your purchase of IBM Security QRadar Suite Software, and what is your entitlement?

IBM Security QRadar Suite Software helps your organization detect and investigate threats, orchestrate, and automate actions; and respond faster to security incidents across hybrid multi-cloud environments. It includes enterprise ready, containerized software products that run on IBM Security Platform and require Red Hat OpenShift. IBM Security Platform supports Linux® 64-bit (X86_64) Only today.

The following products are included in the IBM Security QRadar Suite Software package.
  • QRadar SOAR
  • QRadar SOAR Breach Response Add-on
  • QRadar SIEM
  • QRadar NDR
  • QRadar Data Store
  • QRadar EDR
  • QRadar EDR Enterprise
  • Risk Manager
The following products run on the IBM Security Platform.
  • QRadar SOAR
  • QRadar SOAR Breach Response Add-on
  • QRadar EDR
  • QRadar EDR Enterprise
  • Risk Manager
The following products are considered Bundled offerings.
  • IBM Security QRadar SOAR Platform
  • IBM Security SOAR Breach Response Add-on
  • IBM Security QRadar SOAR Team Management Add-on
  • IBM Security QRadar SOAR MSSP Add-on
  • IBM Security QRadar SOAR Actions Enterprise
  • IBM Security QRadar SOAR App Host
  • IBM Security QRadar Software
  • IBM Security QRadar Capacity
  • IBM Security QRadar Software Node
  • IBM Security QRadar Network Insights Software
  • IBM Security QRadar Data Store
  • IBM Security QRadar Data Synchronization
  • IBM Security QRadar High Availability Software
Virtual images of these products are included in the package, and are bundled in as follows.
QRadar SOAR
Includes the following - IBM Security QRadar SOAR Platform, IBM Security QRadar SOAR MSSP, IBM Security QRadar SOAR Team Management, IBM Security QRadar SOAR Actions Enterprise, IBM Security QRadar SOAR App Host
IBM Security SOAR Breach Response
QRadar SIEM
Includes the following - IBM Security QRadar Software,IBM Security QRadar Event Capacity, IBM Security QRadar Data Store, IBM Security QRadar Software Node, IBM Security QRadar High Availability Software, IBM Security QRadar Data Synchronization
QRadar NDR
Includes the following - IBM Security QRadar Software, IBM Security QRadar Flows Capacity, IBM Security QRadar Software Node, IBM Security QRadar Network Insights Software, IBM Security QRadar High Availability Software, IBM Security QRadar Data Synchronization
QRadar Data Store
Includes the following - IBM Security QRadar Data Store, IBM Security QRadar Software Node, IBM Security QRadar High Availability Software, IBM Security QRadar Data Synchronization
The following capabilities are included with QRadar SOAR, QRadar SIEM, and QRadar NDR entitlements. There are no additional license entitlements that are required to use these capabilities.
  • Data Explorer
  • Threat Investigator
  • Threat Intelligence Insights
Note: These capabilities are containerized and require the deployment of Red Hat OpenShift Container Platform.

If licensee chooses to deploy the capabilities, then you will need to deploy the IBM Security Platform. Deployment of Red Hat OpenShift Container Platform is a pre-req to deploy the IBM Security Platform.

If customers with perpetual license entitlement do not renew Subscription and Support, their support access key will expire, and they will no longer able to download product images from the IBM entitled registry (cp.icr.io). They will therefore lose access to the product images unless they mirror the product images from the IBM entitled registry to a customer-owned registry (before Subscription and Support lapses) and configure their system to pull from this registry.

When deploying any of the bundled offerings under the QRadar Suite Software, licensee must not exceed the maximum entitlement at any time. Deployments can include a mix of different deployed products, either bundled offerings, or Products that run on IBM Security Platform, or a combination of both. Licensee can change the deployed offerings at any time as long as they never exceed their maximum entitlement. See Products that can be deployed on Red Hat OpenShift to learn more about which deployments require the Red Hat OpenShift Container Platform.

Differences in license terms

The license terms for QRadar Suite Software supersede the license terms of the bundled offerings. However, this policy applies only when there is a conflict of terms. Terms that apply to the bundled programs still apply, if not superseded.

Note: All deployments of QRadar Suite Software that are deployed on IBM Security Platform, and that run on Red Hat OpenShift Container Platform must have sufficient support entitlement for the Red Hat OpenShift Container Platform cores that are used.

License options and pricing models for QRadar Suite Software

QRadar Suite Software is available as either Perpetual, or a Subscription License.

For more information about IBM perpetual and subscription licenses, see Passport Advantage® Licensing Overview.

Licensee can purchase Resource Units and apply them to the products and pricing model of choice. Licensee has the option to pick from the following two pricing models.

Enterprise model
This model offers predictable pricing at enterprise scale, and is based on the size of the IT infrastructure. The pricing metric is Managed Virtual Servers (MVS). All Physical and Virtual Server are counted in the customer environment. This model offers unlimited users, actions, and data ingestion.
Usage model
This model is usage-based, and is ideal for starting small and scaling as you grow. Pricing metrics vary based on the product. See usage pricing metric under each product section.

License cannot mix or match pricing models across the same product in the package. Licensee cannot mix license entitlements for QRadar Suite Software and stand-alone products like SIEM, NDR, or SOAR.

License must license a minimum of 100 MVS to use the Enterprise license. For example: If a Licensee has 80 servers in their organization, they should use the Usage model.

License ratios

Deployed instances of products in QRadar Suite Software are charged at different rates based on their ratios.

Entitlements of QRadar Suite Software that are deployed can be redeployed to other products, as long as the total entitlement is not exceeded, using the ratios to calculate your total entitlements. There is no limit to the number of times that entitlements can be used in different combinations.

The following table shows the license ratios.

Product RU ratio (Enterprise Model) RU ration (Usage Model)
QRadar EDR 1 MVS : 12 RU 5 CD : 16 RU
QRadar EDR Enterprise 1 MVS : 16 RU 5 CD : 22 RU
QRadar SOAR 1 MVS : 5 RU 1 AU : 1000 RU
QRadar SOAR Breach Response Add-on 1 MVS : 1 RU 1 AU : 150 RU
QRadar SIEM 1 MVS : 12 RU 100 EPS : 120 RU
QRadar Data Store 1 MVS : 2 RU 1 AU : 500 RU
QRadarNDR 1 MVS : 7 RU 10K FPM : 300 RU
Risk Manager 1 MVS : 2 RU 1 MVS : 2 RU

Products that can be deployed on Red Hat OpenShift

The following products can be deployed on the IBM Security Platform and hence require the deployment of Red Hat OpenShift Container Platform.

  • QRadar SOAR
  • QRadar SOAR Breach Response -Add On
  • QRadar EDR
  • QRadar EDR Enterprise
  • Risk Manager
Note: QRadar SOAR and QRadar SOAR Breach Response have the option of being deployed as a virtual image as well. Risk Manager can only be deployed on the IBM Security Platform.

The following capabilities are included with QRadar SOAR, QRadar SIEM, and QRadar NDR entitlements. There are no additional license entitlements that are required to use these capabilities.

  • Data Explorer
  • Threat Investigator
  • Threat Intelligence Insights

If licensee chooses to deploy the above capabilities, then licensee will need to deploy the IBM Security Platform. Deployment of Red Hat OpenShift Container Platform is a pre-req to deploy the IBM Security Platform.

The capabilities are containerized and requires the deployment of Red Hat OpenShift Container Platform.

If licensee chooses to deploy the capabilities, then licensee needs to deploy the IBM Security Platform. Deployment of Red Hat OpenShift Container Platform is a prerequisite to deploy the IBM Security Platform.

Red Hat OpenShift Container Platform

The term entitlement refers to software subscription and support for the Red Hat OpenShift Container Platform. The term Restricted license entitlement refers to software subscription and support for the Red Hat OpenShift Container Platform acquired according to your QRadar Suite Software license and is provided only for use of the Red Hat OpenShift Container Platform. Restricted license entitlement is provided specifically for the QRadar Suite Software workloads and not provided for the non-QRadar Suite Software workloads

When deploying programs under the containerized deployment, as part of a QRadar Suite Software deployment, deployment of Red Hat OpenShift is required. Restricted license entitlement for the Red Hat OpenShift is provided as follows:
  • 85 cores of Red Hat OpenShift Container Platform if the licensee obtains 0-20,000 RU entitlements of the Program.
  • 135 cores of Red Hat OpenShift Container Platform if the licensee obtains 20,001-100,000 RU entitlements of the Program.
  • 235 cores of Red Hat OpenShift Container Platform if the licensee obtains 100,001 or more RU entitlements of the Program.

You can use the Restricted license entitlement only for deployments of QRadar Suite Software instances and not for other third-party deployments or custom code. If you deploy other code or components (such as agents used for monitoring QRadar Suite Software capabilities), you must purchase separate Red Hat OpenShift entitlements to make available to the cluster. Otherwise, the deployment of the non-QRadar Suite Software workload on those Red Hat OpenShift licenses result in those Red Hat OpenShift cores, and potentially the workload itself, being unsupported. These additional Red Hat OpenShift entitlements for the running non-QRadar Suite Software workload must be procured separately from the Red Hat OpenShift entitlements that are granted through QRadar Suite Software. The workload that you run on separately purchased Red Hat OpenShift entitlement does not need to be deployed separately from QRadar Suite Software workload that runs on QRadar Suite Software-procured Red Hat OpenShift cores. To receive support for the complete deployment of non-QRadar Suite Software workloads, the number of separately purchased Red Hat OpenShift cores must be equal to or greater than the number of cores of non-QRadar Suite Software workloads that are deployed on them.

An example of QRadar Suite Software workload might be agents for monitoring. The agents that run alongside the QRadar Suite Software components and then send the monitoring data out to a separate monitoring server component, can be run in the same nodes or namespaces as components that run in Red Hat OpenShift cores by using entitlements under QRadar Suite Software. For all non-QRadar Suite Software workloads, you must have separately procured software subscription and support entitlements in addition to the monitoring agents.

The number of cores of Red Hat OpenShift entitled with QRadar Suite Software varies by the number of resource units that are purchased and does not vary by the ratio of the bundled offerings, which are deployed under QRadar Suite Software entitlement. Therefore, the number of cores that are needed for deployment of bundled offerings in QRadar Suite Software can, in some scenarios, exceed the number of Red Hat OpenShift cores available as part of the entitlement for QRadar Suite Software. In such cases, the customer must buy additional entitlement for Red Hat OpenShift to ensure that they licensed correctly. Only Red Hat OpenShift cores that are deployed as worker nodes count against the Red Hat OpenShift entitlement.
Note: Organizations deploying QRadar Suite Software on managed Red Hat OpenShift environments in public clouds such as AWS ROSA, IBM ROKS, or Azure ARO may get discounts on the cost of Red Hat OpenShift on the worker nodes. QRadar Suite Software is deployed on the worker nodes based on the Red Hat OpenShift entitlements that are included in QRadar Suite Software entitlements. For availing any discount, customers must verify with their public cloud service provider.

IBM Storage Fusion (Additional flat entitlement)

Limited entitlements of IBM Storage Fusion are included with IBM Security QRadar Suite Software. Maximum usable capacity of 12 terabytes (TB) per Red Hat OpenShift cluster is included. Use of IBM Storage Fusion as a part of QRadar Suite Software entitlement is limited only to Fusion Data Foundation in internal deployment mode. In internal deployment mode, the disaster recovery, backup components, data cataloges, and advanced encryption with KMS features are excluded.

IBM Security QRadar SOAR

Licensee has the choice of installing QRadar SOAR using one of the following options:
  • Install the QRadar SOAR application on the IBM Security platform.
  • Install stand-alone QRadar SOAR on a virtual appliance.
  • Install stand-alone QRadar SOAR on RHEL - Bring Your Own License (BYOL).
Important: Red Hat OpenShift is not a prerequisite for the installation of the stand-alone installation option of QRadar SOAR. However, it is a prerequisite for the SOAR deployment on the IBM Security Platform.

The following capabilities - Data Explorer, Threat Investigator, and Threat Intelligence Insights are included as part of the QRadar SOAR Entitlement. If the licensee plans to install any of these capabilities, the licensee will need to deploy the IBM Security Platform. Red Hat OpenShift Container Platform is a prerequisite to deploy the platform in this case.

A license key is required to access QRadar SOAR capabilities.

To acquire a license key for QRadar SOAR or SOAR Breach Response entitlements, send an email to q1pd@us.ibm.com and include the following information in your request:

  • IBM Customer Number (IBM Content Navigator)
  • Site ID or your Proof of Entitlement (POE)

To acquire a License key for our Enterprise Licensing Agreement (ELA) Customers, contact your IBM Sales Representative.

Licensee must have entitlement for QRadar SOAR to use the QRadar SOAR Breach Response add-on. Licensee must license a matching set of entitlements for QRadar SOAR and QRadar SOAR Breach Response.

QRadar SOAR and QRadar SOAR Breach Response are licensed on either Enterprise Pricing Model or Usage Model. For more details, see License options and pricing models for QRadar Suite Software. Pricing Metric for Enterprise Model is Managed Virtual Server & the Pricing Metric for the Usage model is Authorized User. Licensee is required to license a minimum quantity of two (2) the Authorized Users when licensing by the Usage Model.

IBM Security QRadar SIEM and QRadar NDR

QRadar SIEM or QRadar NDR is available as a virtual appliance only. It is not available on the IBM Security Platform and hence does not require deployment of the Red Hat OpenShift Container Platform.

A license key is required to access IBM QRadar SIEM or QRadar NDR capabilities.

To acquire a license key, contact q1pd@us.ibm.com and include the following information in your request:

  • IBM Customer Number (ICN).
  • Site ID or your Proof of Entitlement (POE).
  • For QRadar SIEM, include the quantity of Multiple Virtual Storage (MVS™) or Events per Second (EPS) purchased.
  • For QRadar NDR, include the quantity of MVS or flows per minute (FPM) purchased.

QRadar SIEM and QRadar NDR are licensed on either Enterprise Pricing Model or Usage Model. For more details, see License options and pricing models for QRadar Suite Software. Pricing Metric for Enterprise Model is Managed Virtual Server (MVS) & the Pricing Metric for the Usage model is Events per Second (EPS) for SIEM and Flow Per Minute (FPM) for NDR.

Note: Licensee must obtain MVS entitlements for each physical or virtual server, managed directly or indirectly by QRadar SIEM. Every IP address from a log source that is ingested directly or indirectly by QRadar SIEM, excluding Network Infrastructure & Client Devices (see below), is counted as a physical or a virtual server. If licensee is unable to determine the count of all servers, then we recommend them to use the EPS/FPM metric.

Physical and Virtual Servers exclude Network Infrastructure and Client Devices, even if the IP address appears in QRadar SIEM as a log source.

Here is what is included in those categories:
Network Infrastructure
Switches, Routers, Audio-Visual (AV), File Integrity Monitoring (FIM), Proxies, Intrusion Prevention Systems (IPS), File Activity Monitoring (FAM), Data Loss Prevention (DLP), load balancers, firewalls.
Client Devices
A Client Device is a single user computing device or special purpose sensor or telemetry device that requests the execution of or receives for execution a set of commands, procedures, or applications from or provides data to another computer system that is typically referred to as a server or is otherwise managed by the server. Multiple Client Devices may share access to a common server. A Client Device may have some processing capability or be programmable to allow a user to do work. Examples include, but are not limited to actuators, appliances, automated teller machines, automatic meter readers, cash registers, disk drives, desktop computers, kiosks, notebook computers, personal digital assistant, point-of-sale terminals, sensors, smart meters, tape drives, and technical workstations.
The following image is an example of what is counted as an MVS.
Figure 1. What is counted as an MVS?
image that shows what is counted as an MVS for licensing

The following capabilities - Data Explorer, Threat Investigator, and Threat Intelligence Insights are included as part of the QRadar SIEM or QRadar NDR entitlement. If the licensee plans to install any of these capabilities, the licensee will need to deploy the IBM Security Platform. Red Hat OpenShift Container Platform is a prerequisite to deploy the platform in this case.

IBM Security QRadar EDR and QRadar EDR Enterprise

QRadar EDR and QRadar EDR Enterprise are only available on the IBM Security Platform and hence require deployment of the Red Hat OpenShift Container Platform.

Both QRadar EDR and QRadar EDR Enterprise are licensed on either Enterprise Pricing Model or Usage Model. For more details see License options and pricing models for QRadar Suite Software . Pricing Metric for Enterprise & Usage Model is Managed Virtual. In case of the Enterprise Model, the licensee needs to count all physical and virtual servers in the Enterprise, and in case of Usage they must count all Client Devices in their Enterprise.

Licensee is required to license a minimum quantity of 100 Client Devices when licensing via the Usage Model and a minimum Qty of 30 MVS if using the Enterprise Model.

Note: MVS Model for QRadar EDR, QRadar EDR Enterprise can only be used if you have QRadar SIEM licensed under the MVS metric.

IBM Security Risk Manager

IBM Security Risk Manager is only available on the IBM Security Platform and hence requires deployment of the Red Hat OpenShift Container Platform.

Risk Manager is licensed on either Enterprise Pricing Model or Usage Model. For more details, see License options and pricing models for QRadar Suite Software. Pricing Metric for Enterprise & Usage Model is Managed Virtual. In case of the Enterprise Model licensee need to count all physical and virtual servers in the Enterprise, and in case of Usage they count only the managed physical and virtual servers in the Enterprise.