This FAQ will help answer questions you may have regarding licensing within the Kenna product.
What type of asset counts toward my purchased license amount?
Any active assets that are imported from a vulnerability scanning tool or asset management system (like a CMDB) will count towards the total asset count, including assets with no vulnerabilities.
Kenna.AppSec licensing is not being enforced at this time. Any applications, or assets with a File or URL primary asset locator will not count against active licenses.
How will I know what my asset utilization is?
Customer Administrators can access the Kenna License information page to see current licensing utilization. To access, use the gear icon in the top right corner of the Kenna UI and select Licenses. You will see the current number of assets utilized in your Kenna instance along with the number of licenses you have purchased.
You will see a red icon if you are over 100% utilization, a yellow icon if you are within 90% utilization and a green icon if you have utilized less than 80% of your licensed assets.
Will I be warned if I am over my purchased license amount?
Yes! There are different alerting mechanisms to inform users of their utilization both as in-app notifications and emails.
In-app notification alerts
- Alerts will be limited to 1 in-app alert per day and can be dismissed by the user
- All users will receive an in-app alert when the instance exceeds 80% utilization
- All users will receive an in-app alert when the instance exceeds 90% utilization
Banner notification to all users when utilization is over 100%
- When the utilization exceeds 100%, all users will see a red banner at the top of every page
- This banner cannot be dismissed
- The banner will include a link to ‘View Licenses’ that will be accessible by Administrator accounts
Email notifications to Administrator user accounts
- By default Administrator accounts will receive individual email notifications when the Kenna.VM utilization is at 80%, 90% and 100%
- Administrators can disable the 80% and 90% email notification in the Alerts page within Kenna
What happens when my account exceeds the purchased license amount?
You are able to exceed license entitlement by 20% without having to adjust paid licenses. This is meant for temporary changes in capacity and is not legal entitlement. Bursting parameters are subject to change.
When you have hit 100% of your license capacity and exceeded your burst percentage, any net-new asset(s) that come into the Kenna platform will be considered “Overage Assets”. These Overage Assets will be created as an asset entry but will not have any associated vulnerabilities. Overage Assets will be displayed in the Kenna UI and there will be links available to view all of the assets that are in this state.
Any Inactive Assets that should become Active will not become Active and will instead be listed as an Overage Asset. No vulnerabilities will be updated on assets that fall into this scenario. These assets can also be seen on the Overage Assets details page.
How do I view my Overage Assets?
Only Administrator accounts will be able to view Overage Assets. There are multiple ways to view Overage Assets within the UI:
- The Settings License page will also include a link to ‘View Overage Assets’
- The Asset Detail page will indicate if a given asset is an overage asset
- The Explore page will have a column that can be added to the View to display a True/False status of whether an asset is an Overage Asset or not
How do I refresh my data after I increase my license entitlement?
When entitlement is below 100%, full connector runs will occur automatically on the next run to refresh all the asset and vulnerability data within the Kenna platform. To reduce utilization below 100% customers can purchase additional licenses, assets can be purged automatically due to inactivity or assets can be marked inactive manually.
How do I remove assets from counting against my license?
Assets can manually be marked as Inactive and will not count against your license count.
To automatically keep the active vs inactive status of your assets accurate please use best practices to set appropriate inactivity limits. For help setting asset inactivity limits see Setting-Asset-Inactivity-Limits.
Kenna makes every attempt to de-duplicate asset data in the platform by following an asset locator precedence order. This asset locator order can be adjusted to best suit your organization's needs. The default order is:
- Container identifier
- Image identifier
- EC2 identifier
- MAC address
- NetBIOS
- external IP address
- hostname
- URL
- file name
- fully qualified domain name (FQDN)
- internal IP address (RFC 1918)
- scanner-specific asset ID (eg Qualys host ID, Nexpose device-id)
- database
- application
When assets are processed during connector runs, our de-duplication process will start at the top of the locator list. If there is a value in that field, it will compare it to all existing assets in Kenna. If it finds a match, it’ll update the existing asset with the current information from that connector run. If it doesn’t find a match, we will create a new asset. The only way it will continue to #2 and on down the list is if there is no value in that field. For example with the list above, if we didn’t receive a container identifier, we will move down to an image identifier and try and compare with that data. If there’s no image identifier, it’ll move down to an EC2 identifier, etc until we can find a value to use for de-duplication.
For help setting locator order please see Understanding-Locator-Order.
Assets cannot be deleted from within the Kenna UI. This is intentional as the upstream tools/systems should be configured to filter which assets are sent to Kenna. If the upstream tools/systems are not properly updated, assets will continue to be brought into Kenna.
Is this information available in the API?
Yes. You can also get your organization's overage status as 'true' or 'false' from the API. See how here: https://apidocs.kennasecurity.com/reference/entitlements-overage
Users with API access will be able to see an ‘overage’ parameter in the following API endpoints:
- Show asset
- List assets
- Create asset
- Search asset
- Download assets
- Get data export
In addition to the above API endpoints, customers with API access will also see information about overage assets on the POST API endpoints to create new assets or update vulnerabilities on an asset that is in an ‘overage’ state:
- {"success":"false","error":"unprocessable_entity","message":"Cannot create asset while you are in overage"}
- {"success":"false","error":"unprocessable_entity","message":"Cannot create vulnerability on overage asset"}
What about my AppSec assets?
Kenna.AppSec licensing is not being enforced at this time. Any applications, or assets with a File or URL primary asset locator will not count against active licenses.
Comments
Please sign in to leave a comment.