USM Anywhere™

Subscription Management

Role Availability: Read-Only, Analyst, Manager

With a USM Anywhere license you can always view your subscription data in one place. Use the My Subscription page to access your license information, event data, and raw log data, and to connect to a USM Central instance. An event is any traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall. USM Central is a federation console that enables centralized security monitoring for multiple AlienVault USM Anywhere and AlienVault USM Appliance deployments.

Subscription Data

Go to Settings > My Subscription to open the page. The following table lists the fields you see on the page.

Information on the My Subscription Page
Field: Description

License Type: Either the trial or subscription license.
License End Date: Either the trial expiration date (for trial licenses) or support end date (for subscription licenses). The displayed date depends on your computer's time zone.
Service Tier: The monthly storage limit (250 GB, 500 GB, 1 TB, 1.5 TB, 2 TB, 3 TB, or 4 TB). See https://cybersecurity.att.com/pricing for details or to request a quote.

Important: Tier options do not have unlimited processing power, memory allotment, or disk I/O speeds. In addition to storage per month, your deployment size's impact on any of these factors will influence which tier option is right for your environment. AT&T Cybersecurity recommends pre-deployment sizing discussions with your sales representative to help select the right tier for you.

Licensed Sensors: The number of licensed sensors. Sensors are deployed into an on-premises, cloud, or multi-cloud environment to collect log and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation.
Active Sensors: The number of active sensors.
Months of cold storage for raw logs: Cold storage is a secure long-term log retention mechanism. By default, AT&T Cybersecurity stores all data associated with a customer’s subdomain in cold storage for the life of the active USM Anywhere subscription at no additional charge. By default, cold storage is unlimited for USM Anywhere customers within their service terms, but for AT&T Threat Detection and Response for Government (AT&T TDR for Gov) customers it is unlimited for three years. Keep in mind these points:

  • You can export raw logs for a 31-day month, but you are limited to a 30-day span if the range exceeds a single month.
  • Start time is 00:00:00 on the start date selected, and end time is 23:59:59 on the end date selected. So if you select from 1/1/2020 to 2/1/2020, the logs start at 00:00:00 1/1/2020 and end at 23:59:59 2/1/2020.
Total Data Consumed: The amount of data USM Anywhere has processed every month.
Remaining Data Available: The amount of remaining data you have available for this month.
Projected Data Consumption: The amount of data already stored for the month plus calculated data storage needs for the rest of the month. See Projected Data Consumption for more information.
Historical Data Consumption: A list of data consumption by month.
Total Event Data: The amount of data USM Anywhere has processed.
View Data Consumption by Data Source: A link that opens a dialog box to display the data consumption by data source. The displayed information shows raw data collected from each source. It does not represent the fully enriched and correlated data that is sent to USM Anywhere.

You can filter the information by date.

Total Days of Storage Capability: The total days of available storage capacity.
First Day of Data Storage: The first day on which data started to be stored.
Connection to USM Central: Indicates whether the USM Anywhere deployment has been successfully connected to a USM Central. (A deployment is the entire process involved in installation, configuration, startup, and testing of hardware and software in a specific environment.) See Connecting a USM Anywhere to a USM Central for more information.
Suppressed Alarm Synchronization: The option to forward suppressed alarms and alarms with a closed status to USM Central. It is disabled by default.

Raw Log Data

Raw log data is data that has been forwarded through your sensors. USM Anywhere stores this data and enables you to extract raw log data for audit purposes or further forensic analysis.

Important: AT&T Cybersecurity recommends that you download the raw log data on a monthly basis.

When requesting raw log files, the date range cannot exceed 30 days. To download more than 30 days' worth of data, you must make multiple requests. Refrain from making all requests at the same time, which may tie up your USM Anywhere instance. You can make 2 or 3 requests, wait for the emails to arrive, and then make your next requests.

To extract raw log data

  1. Go to Settings > My Subscription.
  2. Click Request Raw Log Files.

    My Subscription Main Page, Raw Log Data Section

  3. The Export Raw Log Files dialog box opens.

  4. Select a date range to download the raw log files in ZIP format.

    The date range cannot exceed 30 days.

  5. Click Request Download.

    Export Raw Log Files dialog box

  6. A dialog box informs you that your request is being processed. Keep in mind, this process can take up to 24 hours.

    Important: The beginning date can't be earlier than your first day of storage.

  7. Click OK.
  8. You will receive an email with a link to your file.

  9. Click the link in the email to download the ZIP file.
  10. Extract the zipped bundle to see the files, which are listed as forensics.log.YYYY-MM-DD.bz2.
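
The 30-day request limit and the forensics.log.YYYY-MM-DD.bz2 naming described above can be checked with a small script. This is an added example, not AT&T Cybersecurity code: it splits a long range into request windows and audits an extracted bundle for missing or unreadable daily files. The function names are hypothetical, and it assumes the limit means 30 inclusive calendar days and that the bundle holds one file per day.

```python
import bz2
import re
import tempfile
from datetime import date, timedelta
from pathlib import Path

MAX_SPAN_DAYS = 30  # assumption: the limit is read as 30 inclusive calendar days
NAME_RE = re.compile(r"^forensics\.log\.(\d{4})-(\d{2})-(\d{2})\.bz2$")


def plan_requests(start, end, first_storage_day):
    """Split [start, end] into inclusive windows no longer than MAX_SPAN_DAYS."""
    start = max(start, first_storage_day)  # cannot begin before first day of storage
    windows = []
    while start <= end:
        stop = min(start + timedelta(days=MAX_SPAN_DAYS - 1), end)
        windows.append((start, stop))
        start = stop + timedelta(days=1)
    return windows


def audit_bundle(directory, start, end):
    """Return (missing_days, corrupt_files) for an extracted bundle."""
    seen, corrupt = set(), []
    for path in sorted(Path(directory).iterdir()):
        match = NAME_RE.match(path.name)
        if not match:
            continue  # ignore anything that is not a daily log file
        try:
            day = date(*map(int, match.groups()))
            with bz2.open(path, "rb") as fh:  # a full read validates the bzip2 stream
                while fh.read(1 << 20):
                    pass
        except (OSError, EOFError, ValueError):
            corrupt.append(path.name)
            continue
        seen.add(day)
    wanted = {start + timedelta(days=i) for i in range((end - start).days + 1)}
    return sorted(wanted - seen), corrupt


if __name__ == "__main__":
    for window in plan_requests(date(2020, 1, 1), date(2020, 3, 15), date(2020, 1, 10)):
        print("request:", window[0], "to", window[1])
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample bundle
        for name, data in [("forensics.log.2020-01-01.bz2", bz2.compress(b"line\n")),
                           ("forensics.log.2020-01-02.bz2", b"truncated")]:
            Path(tmp, name).write_bytes(data)
        print(audit_bundle(tmp, date(2020, 1, 1), date(2020, 1, 3)))
```

Whether a day with no traffic still produces a file is not stated on this page, so treat a missing day as something to confirm rather than as proof of loss.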

Email Notifications Concerning Your License

A notification is a communication of an important event, typically through an email message or other desktop display. In USM Appliance, notifications are typically triggered by events, policies, and correlation directives, and in USM Anywhere, they are typically triggered by notification rules or directly from alarms. USM Anywhere sends the following notification emails to the email address associated with your license. Typically, this is the email address used to register the trial or your subscription:

  • A license is changed from trial to subscription.
  • A license tier is upgraded.
  • A license expiration date is updated.
  • The number of sensors allowed is updated.
  • An activated license has expired.
  • An activated license is deleted.