USM Anywhere™

Subscription Management

Role Availability Read-Only Analyst Manager

With a USM Anywhere license, you can always view your subscription data in one place. Use the My Subscription page to access your license information, event Any traffic or data exchange detected by AT&T Cybersecurity products through a sensor or external devices such as a firewall. data, and raw log data, and to connect to a USM Central A federation console that enables centralized security monitoring for multiple AlienVault USM Anywhere and AlienVault USM Appliance deployments. instance.

Subscription Data

Go to Settings > My Subscription to open the page.

My Subscription Main Page

The following table lists the fields you see on the page.

Information on the My Subscription Page
Field Description
License Usage
Total Searchable Data The total remaining data available in the hot storage.
Consumed Data The amount of data USM Anywhere has processed every month.
Projected Data Consumption The amount of data already stored for the month plus calculated data storage needs for the rest of the month. See Projected Data Consumption for more information.
Sensors The number of licensed sensors Sensors are deployed into an on-premises, cloud, or multi-cloud environment to collect logs and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. and pending deployment sensors. Click Manage Sensors to open the Sensors page. See Sensors Page Overview for more information.
Purge Event Data The ability to purge data will soon be deprecated.
EPS Events per second (EPS) in the last 24 hours.
Filtered EPS Percentage of filtered EPS in the last 24 hours.
Filtering Rules Number of filtering rules in your environment. Click Manage Rules to open the Filtering Rules page. See Filtering Rules from the Orchestration Rules Page for more information.
License Information
License Type Either the trial or subscription license.
Service Tier

The monthly storage limit. See AT&T Cybersecurity pricing page for details or to request a quote.

Important: Tier options do not have unlimited processing power, memory allotment, or disk input/output (I/O) speeds. In addition to storage per month, your deployment size's impact on any of these factors will influence which tier option is right for your environment. AT&T Cybersecurity recommends pre-deployment sizing discussions with your sales representative to help select the right tier for you.

License End Date Either the trial expiration date (for trial licenses) or support end date (for subscription licenses). The displayed date depends on your computer's time zone.
Cold Storage

Click Export Raw Logs to download the raw log files in ZIP format. See Raw Log Data for more information. By default, cold storage A secure long-term log retention mechanism. By default, AT&T Cybersecurity stores all data associated with a customer’s subdomain in cold storage for the life of the active USM Anywhere subscription at no additional charge. is unlimited for USM Anywhere customers within their service terms, but unlimited for AT&T Threat Detection and Response for Government (AT&T TDR for Gov) customers for three years. Keep in mind these points:

  • You can export raw logs for a 31-day month, but you are limited to a 30-day span if the range exceeds a single month.
  • The start time is 00:00:00 on the start date selected, and the end time is 23:59:59 on the end date selected. So if you select from 1/1/2020 to 2/1/2020, the logs start at 00:00:00 1/1/2020 and end at 23:59:59 2/1/2020.
Email Email address associated with your license.
MSSP Status Indicates whether the USM Anywhere deployment Entire process involved in installation, configuration, startup, and testing of hardware and software in a specific environment. has been successfully connected to a USM Central or not. See Connecting a USM Anywhere to a USM Central for more information.
MSSP Service Name of the connected USM Central deployment.
Historical Data Consumption A list of data consumption by month. Click Download CSV for downloading a file with this information.
Top Data Sources Displays a list of the top data sources. Click Download CSV for downloading a file with this information.
Top Event Names List of the top event names related to their data source. Click Download CSV for downloading a file with this information.
Top Reporting Devices List of top reporting devices. Click Download CSV for downloading a file with this information.

Raw Log Data

Raw log data is data that has been forwarded through your sensors. USM Anywhere stores this data and enables you to extract raw log data for audit purposes or further forensic analysis.

Important: AT&T Cybersecurity recommends that you download the raw log data on a monthly basis.

When requesting raw log files, the date range cannot exceed 30 days. To download more than 30 days' worth of data, you must make multiple requests. Refrain from making all requests at the same time, which may tie up your USM Anywhere instance. You can make 2 or 3 requests, wait for the emails to arrive, and then make your next requests.

To extract raw log data

  1. Go to Settings > My Subscription.
  2. Click Export Raw Logs inside License Information.

    My Subscription Main Page, License Information Section

    The Export Raw Log Files dialog box opens.

    My Subscription Main Page, Export Raw Log Files dialog box

  3. Select a date range to download the raw log files in ZIP format.

    Note: The date range cannot exceed 30 days.

  4. Click Request Download.

    The Log Files Requested dialog box opens to inform you that your request is being processed. This process can take up to 24 hours.

    Log Files Requested dialog box

    Important: The beginning date can't be earlier than your first day of storage.

  5. Click OK.
  6. You will receive an email with a link to your file.

  7. Click the link in the email to download the ZIP file.
  8. Extract the zipped bundle, and you see the files listed as forensics-YYYY-MM-DD.hh.log.gz, where YYYY-MM-DD.hh refers to the date and hour.

Email Notifications Concerning Your License

USM Anywhere sends the following notification Communication of an important event, typically through an email message or other desktop display. In USM Appliance, notifications are typically triggered by events, policies, and correlation directives, and in USM Anywhere, they are typically triggered by notification rules or directly from alarms. emails to the email address associated with your license. Typically, this is the email address used to register the trial or your subscription:

  • A license is changed from trial to subscription.
  • A license tier is upgraded.
  • A license expiration date is updated.
  • The number of sensors allowed is updated.
  • An activated license has expired.
  • An activated license is deleted.