Your environment has a limited data consumption tier depending on your subscription tier.
Important: Tier options do not have unlimited processing power, memory allotment, or disk input/output (I/O) speeds. In addition to storage per month, your deployment size's impact on any of these factors will influence which tier option is right for your environment. AT&T Cybersecurity recommends pre-deployment sizing discussions with your sales representative to help select the right tier for you.
Note: If the events per second (EPS) threatens to impact your sensor's capacity. USM Anywhere may engage EPS Adaptive Response. EPS Adaptive Response enables your system to take more time to process events coming in by throttling your EPS, which keeps your system running without risking event loss. See Protecting Your Sensor's Performance with EPS Adaptive Response to read more about EPS Adaptive Response.
If your environment is going to exceed your data consumption tier, a yellow announcement displays in your USM Anywhere to warn you about it. All users can see this yellow announcement in your environment, and you can close it by clicking the icon in the upper-right side of the page.
USM Anywhere sends three emails four days apart to warn you that you are going to reach your data consumption tier. USM Anywhere sends these emails to the address assigned to the license.
Important: By closing the announcement, you acknowledge that a manager user is aware that the license is reaching its threshold for the current month.
Besides the yellow announcement, a dialog box opens if your environment is going to exceed your data consumption tier each time you log in to USM Anywhere.
If your environment has exceeded your data consumption tier, your USM Anywhere starts operating in transient mode. When running in transient mode, USM Anywhere no longer stores events in the hot storage or searchable data store, but will still generate alarmsAlarms provide notification of an event or sequence of events that require attention or investigation., run authenticated assetAn IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. scans, and store raw logs associated with events in cold storage. This transient mode ends when you start a new month (based on your anniversary start date) or if you upgrade your subscription tier. If your environment has exceeded your data consumption tier, a red announcement displays in your USM Anywhere to warn you about it. All users can see this red announcement in your environment, and you can't close it.
USM Anywhere sends an email to warn you that it has reached your data consumption tier. The account receiving this kind of email is the one associated with your license.
Besides the red announcement, a dialog box opens if your environment has exceeded your data consumption tier each time you log in to USM Anywhere.
Note: Please contact the AT&T Cybersecurity Sales department if you need to upgrade your subscription tier or modify your license.
To refrain from reaching your monthly limit, AT&T Cybersecurity recommends that you create filtering rules to restrict data collection. If you've reached the monthly limit, you can purge your earliest seven days of data from the current month through the My Subscription page. This can be done twice a month. The button to purge data will only be active after you have reached your limit and your system is operating in transient mode. If you purge data to go back under your data limit, the transient mode will end as of the date that you enacted the purge. The purge won't retroactively remove transient mode for the days that the limit had been exceeded.
To purge seven days of event data
- Go to Settings > My Subscription.
Click Purge 7 Days of Event Data.
The purge event data dialog box opens.
- Click Purge.
Note: The 7 days of event data refer to the first 7 days of the current month. If you choose to purge again in the same month, then the second 7 days will be purged (the 8th of the month through the 14th).