License options
This document provides information about licensing and entitlements for IBM Security QRadar Classic SIEM software.
Listing of licenses by type
These licenses are used when you deploy QRadar Classic SIEM software that runs on the security on premises platform:
- Standard Production License
  - Standard Production License entitlements are intended for use in a primary QRadar deployment that actively collects, processes, stores, searches, and uses security data in the QRadar software.
- Disaster Recovery License
  - Disaster Recovery License entitlements are intended for use in a QRadar deployment when the primary QRadar system is disabled.
- Non-Production License
  - Non-Production License entitlements are intended for use in a QRadar deployment that is dedicated for testing or for sandbox purposes.
- High Availability License
  - With High Availability (HA) License entitlements, the secondary host acts as an emergency replacement if a single primary host fails. The secondary host monitors the health of the primary host and actively replaces it upon failure.
What do you get with your purchase of QRadar Classic SIEM software, and what is your entitlement?
QRadar Classic SIEM software helps your organization to enable swift threat detection and response, which is powered by advanced analytics and integrated threat intelligence.
QRadar Classic SIEM software can be deployed as a single host all-in-one solution, where all functionality is delivered as an appliance or as a virtual instance that runs on Red Hat® Enterprise Linux®, or expanded to distribute functionality across an unlimited number of hosts to facilitate growing requirements of your organization.
- Collect, normalize, correlate, store, analyze, and search network log data (Events).
- Collect, normalize, correlate, store, analyze, and search network flow data (Flows).
- Identify and manage network assets.
- Use real-time correlation and behavioral anomaly detection to identify high-risk threats.
- Detect high-priority incidents from billions of data points.
- Provide broad visibility into network, application, and user activity.
- Provide automated event collection, correlation, and reporting capabilities.
Deployment options for QRadar SIEM software
QRadar instances can be deployed in one of several roles as managed hosts that report back to a central console. Managed host roles are created during initial installation or setup and cannot be changed without reinstalling the software and running the setup process again.
To know more about host types and QRadar architecture, see QRadar deployment overview.
Host deployment options
License and entitlement types
- QRadar Software Install License (Base)
  - The QRadar base license is the main entitlement that is used to establish and maintain the QRadar User Interface (Console) and control all aspects of the software. A single entitlement for the base license is needed for each deployment and is delivered through a license key that is applied to the console.
  - One entitlement to the base license is needed for a compliant QRadar deployment.
  - The main license key is the basis for all access to the application, and for control of all Events per Second (EPS) and Flows per Minute (FPM) capacity.
  - The base license includes 100 EPS and 15,000 FPM capacity.
  - The pricing metric that is used for the base license is Install.
- Events per Second (EPS) Capacity
  - An Event is a log that is generated by any server, application, or device that can be processed or stored for a specific purpose. For more information, see QRadar events and flows.
  - The EPS Capacity entitlement can be purchased through license upgrade entitlements of various EPS increments.
  - The EPS Capacity entitlement is controlled by the license key that is applied at the console level and allocated to event processors in the deployment. The EPS Capacity entitlement can be rebalanced across processors at any time through the UI. Limits on the capacity that is allowed by each processor are hardcoded at the time that the processor is added to the deployment based on host type. When the capacity limit is reached, new event processors must be added.
  - EPS capacity is allocated in minimal increments of 100 EPS.
  - The pricing metric that is used for the base license is EPS.
- Flows per Minute (FPM) Capacity
  - A Flow is a record of communication between two network hosts. All packets that contain the same source IP, destination IP, source port, destination port, and protocol are combined to become one Flow record.
  - The Flow Capacity entitlement can be purchased through license upgrades of various FPM increments.
  - The Flow Capacity entitlement is controlled at the console level and allocated to flow processors in the deployment through the UI. Capacity can be rebalanced across processors at any time through the UI. Limits on the capacity that is allowed by each processor are hardcoded at the time that the processor is added to the deployment based on host type. When the capacity limit is reached, new flow processors must be added.
  - FPM capacity is allocated in minimal increments of 10,000 FPM.
  - The pricing metric that is used for the base license is FPM.
  Note: For more information, see QRadar events and flows.
- Data Store Connection Pricing
  - The QRadar Data Store is an ancillary feature that is designed to collect and store event data without sending the data through full security analytics, therefore bypassing the consumption of EPS capacity.
  - QRadar Data Store feature is activated per host through a setting in the UI for all event processors and data nodes that use the feature. The number of hosts that use the QRadar Data Store feature needs to match the number of connection entitlements owned. The QRadar Data Store feature is not controlled by the license key. Users must activate this setting only if the user owns or maintains an active entitlement.
  - QRadar Data Store settings are retained when an HA pair fails over to secondary.
  - The pricing metric that is used for the base license is Connection.
- Software node
  - IBM QRadar appliances include the software node entitlement.
  - Adding managed hosts to a QRadar deployment inherently adds complexity to the deployment and it is important for support to understand the size or scope of a deployment during troubleshooting. Therefore, a software node entitlement is needed for each managed host.
  - All other instances of QRadar installed anywhere except on IBM QRadar appliance require a separate entitlement of the software node to be purchased per managed host.
- Data Synchronization
  - The Data Synchronization application is an add-on feature that is available for download on the IBM App Exchange and is entitled through a Data Synchronization entitlement.
  - Entitlements to use the Data Synchronization application must be purchased for each backup (destination) node that uses the app.
  Notes:
  - For the Data Synchronization app to function properly, full parity of primary hosts to synchronized hosts is needed before QRadar 7.5.0 Update Package 9.
  - Starting with QRadar 7.5.0 Update Package 9, the ability to synchronize only the console host is introduced, for which only a single entitlement for the console synchronization is needed.
- High Availability
  - High Availability hosts provide real-time redundancy upon failure of a primary managed host.
  - HA hosts are paired with a specific primary host to create a one-on-one relationship. The HA host can monitor or back up only one host at a time.
  - The HA pair operates by using a heartbeat monitor in which the HA host is ready to replace the primary host upon failure without any user intervention.
  - After the primary host is restored to an active state, the primary host returns to its normal role and the HA host resumes its role as an active failover host.
  - The HA system inherits all primary host configuration, data, and settings, which are then restored in their original form when the primary server resumes operation.
  - HA license entitlements are universal and are purchased or deployed on a per host basis.
  Note: HA pairing is not supported by all managed hosts.
- QRadar Network Insights (QNI)
  - Available for purchase as an appliance or can be deployed as a virtual instance.
The following additional products and modules are available as add-on:
- Vulnerability and Risk Manager (QVRM)
  - Single license entitlement and key to access the Vulnerabilities tab in UI.
  - It can be managed with a different expiration date.
  - Functionality includes an expanded asset database and ability to manage third-party scanning tools and results.
  - Scans details that are moved to the legacy section.
- Risk Manager (QRM)
  - Included in Vulnerability Manager base entitlement post 2018.
  - Limited functionality unless dedicated managed host for Risk Management (type 700 host) is deployed.
  - After full deployment, scans 50 standard configuration sources.
  - It has a separate expiration date.
  - The expiration date and configuration source limitation are controlled by a separate license key.
  - It has two types of configuration sources, mainly Standard (local network) and Remote or Branch (network assets over VPN).
- Incident Forensics (QIF)
  - A single license or entitlement to access the Forensics tab.
  - The expiration date is the only enforced parameter.
  - Operates on separate software ISO or code and integrates with main QRadar UI.
- Network Packet Capture (NPCAP)
  - Single license or entitlement for each deployed instance.
  - An individual UI is not available and it is managed through QIF functionality.