AlienVault® USM Anywhere™

Subscription Management

Once you have a USM Anywhere license, you can always view your subscriptions in one place. Use the My Subscription page to access your license information, event data, and raw log data, and to connect to a USM Central instance.

To open the My Subscription page

  1. Go to Settings > My Subscription to open the page.

    Information on the My Subscription page

    | Field | Description |
    | --- | --- |
    | License Type | Trial or Subscription. |
    | License End Date | Trial Expiration date (Trial Licenses) or Support End Date (Subscription Licenses). The displayed date depends on your computer's time zone. |
    | Service Tier | Storage per month (250 GB per month, 500 GB per month, 1 TB per month, 1.5 TB per month, 2 TB per month, 3 TB per month, 4 TB per month). |
    | Licensed Sensors | Number of licensed sensors. |
    | Active Sensors | Number of active sensors. |
    | Months of cold storage for raw logs | 12 months of cold storage by default. |
    | Total Data Consumed | Amount of data USM Anywhere has processed on a monthly basis. |
    | Remaining Data Available | Amount of remaining data you have available for this month. |
    | Projected Data Consumption | Amount of data already stored for the month plus calculated data storage needs for the rest of the month. |
    | Historical Data Consumption | List of data consumption by month. |
    | Total Event Data | Total amount of data USM Anywhere has processed. |
    | View Data Consumption by Data Source | Link that opens a popup window to display the data consumption by data source. The displayed information shows raw data collected from each source. It does not represent the fully enriched and correlated data that is sent to USM Anywhere. You can filter the information by date. |
    | Total Days of Storage Capability | Total days of storage capacity available. |
    | First Day of Data Storage | First day on which data started to be stored. |
    | Connection to USM Central | Displays whether the deployment has been connected to a USM Central or not. See Connecting a USM Anywhere to a USM Central for more information. |

Raw Log Data

Raw Log Data is data that has been forwarded through your sensors. USM Anywhere stores this data and enables you to extract Raw Log Data for audit purposes or further forensic analysis.

To extract Raw Log Data

  1. Go to Settings > My Subscription.
  2. Click Request Raw Log Files.

    The Export Raw Log Files popup window displays.

  3. Select a date range to download the raw log files in zip format.
  4. Click Request Download.

    A popup window informs you that your request is being processed. Keep in mind this process can take up to six hours.

  5. Click OK.
  6. In a few minutes you will receive an email with a link to download your files (zip file).
  7. Click the link in the email to download the zip file.
  8. Extract the zipped bundle. The files are listed as forensics.log.YYYY-MM-DD.bz2.
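
Before the exported files are used for audit or forensic work, it helps to record a hash of each daily file and confirm that every day in the requested range is present and decompresses cleanly. The following is an added example, not part of the USM Anywhere documentation or product: the function names are hypothetical, the sample bundle is constructed, and the only assumption about the export is the forensics.log.YYYY-MM-DD.bz2 file naming shown above (no log line format is assumed).

```python
import bz2
import hashlib
import io
import re
import zipfile
from datetime import date, timedelta

# Daily file name as given in the extraction step: forensics.log.YYYY-MM-DD.bz2
NAME_RE = re.compile(r"(?:^|/)forensics\.log\.(\d{4})-(\d{2})-(\d{2})\.bz2$")

def inventory_bundle(bundle, start, end):
    """Hash and test each daily file; return (records, days in [start, end] with no file)."""
    records = {}
    with zipfile.ZipFile(bundle) as zf:
        for info in zf.infolist():
            m = NAME_RE.search(info.filename)
            if not m:
                continue  # not a daily raw log file
            day = date(*map(int, m.groups()))
            sha = hashlib.sha256()
            with zf.open(info) as member:  # pass 1: hash the file as delivered
                for chunk in iter(lambda: member.read(1 << 20), b""):
                    sha.update(chunk)
            try:  # pass 2: stream-decompress to prove the file is intact
                with zf.open(info) as member, bz2.open(member, "rb") as fh:
                    lines = sum(1 for _ in fh)
            except (OSError, EOFError):
                lines = None  # truncated or corrupt bzip2 stream
            records[day] = {"name": info.filename, "sha256": sha.hexdigest(), "lines": lines}
    wanted = (start + timedelta(days=i) for i in range((end - start).days + 1))
    return records, [d for d in wanted if d not in records]

def build_sample_bundle():
    """Constructed sample: two good days, one gap (03-02), one truncated file (03-04)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("forensics.log.2024-03-01.bz2", bz2.compress(b"line one\nline two\n"))
        zf.writestr("forensics.log.2024-03-03.bz2", bz2.compress(b"line three\n"))
        zf.writestr("forensics.log.2024-03-04.bz2", bz2.compress(b"cut short\n")[:-6])
    buf.seek(0)
    return buf

if __name__ == "__main__":
    recs, missing = inventory_bundle(build_sample_bundle(), date(2024, 3, 1), date(2024, 3, 4))
    for day, rec in sorted(recs.items()):
        print(day, rec["sha256"][:16], "UNREADABLE" if rec["lines"] is None else rec["lines"])
    print("missing days:", [d.isoformat() for d in missing])
```

Pass the path of the downloaded zip in place of the sample bundle, and keep the resulting hashes with the case or audit record.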

Reaching the Monthly Usage Limit Space

If your environment has exceeded your data consumption tier, your USM Anywhere starts operating in transient mode. When running in transient mode, USM Anywhere no longer stores events in the searchable data store, but will still generate alarms, run authenticated asset scans, and store raw logs associated with Events in cold storage. This transient mode finishes when you start a new month (based on your anniversary start date) or if you upgrade your subscription tier.

Note: Please contact the AlienVault Sales department to upgrade your subscription tier and modify your license.

Through the My Subscription page you can purge your earliest seven days of data from the current month. This can be done twice a month. Keep in mind that the button that enables you to purge the data will only be active after you hit your limit and your system is operating in a transient mode. If you purge data to go back under your data limit, the transient mode will end as of the date that the purge was enacted. The purge will not retroactively remove transient mode for the days that the limit had been exceeded.

Note: USM Anywhere will display an early and persistent warning to inform you that you are going to exceed your monthly tiered usage.

To purge seven days of event data

  1. Go to Settings > My Subscription.
  2. Click Purge 7 Days of Event Data.

    Note: The 7 days of event data refer to the first seven days of the current month. If you choose to purge again in the same month, then the second seven days will be purged (the 8th of the month through the 14th).

Receiving Email Notifications Concerning my License

USM Anywhere sends the following notification emails to the email address associated with your license. Typically, this is the email address used to register the trial or your subscription:

  • A license is changed from trial to subscription.
  • A license tier is upgraded.
  • A license expiration date is updated.
  • The number of sensors allowed is updated.
  • An activated license has expired.
  • An activated license is deleted.