Role Availability
Manager
Your environment has a limited data consumption allotment that depends on your subscription tier. Exceeding your allotted data consumption tier may result in temporary limitations to your product performance or available features while you make necessary changes to your USM Anywhere configuration to reduce your data consumption to a pace that is appropriate to your tier.
AT&T Cybersecurity strives to guarantee that no data is lost, even when you're facing inadequate storage space or processing power. Because of this, USM Anywhere always makes data storage a top priority. When you exceed your data tier, or are projected to far exceed your tier, your system tries to store as much data as possible, even if functionality must be reduced to preserve the data. For instance, if you find that you are over your data tier, you may find that your USM Anywhere has transitioned into one of four possible data consumption tiers. In these tiers, your USM Anywhere may experience some small limitations to its functionality, such as paused correlation, asset counters, and more. All functionality is restored once your USM Anywhere is no longer experiencing resource limitations.
Important: Tier options do not have unlimited processing power, memory allotment, or disk input/output (I/O) speeds. In addition to storage per month, your deployment size's impact on any of these factors will influence which tier option is right for your environment. AT&T Cybersecurity recommends pre-deployment sizing discussions with your sales representative to help select the right tier for you.
Note: If the events per second (EPS) threatens to impact your sensor's capacity, USM Anywhere may engage EPS Adaptive Response. EPS Adaptive Response enables your system to take more time to process events coming in by throttling your EPS, which keeps your system running without risking event loss. See Protecting Your Sensor's Performance with EPS Adaptive Response to read more about EPS Adaptive Response.
USM Anywhere sends an email to warn you that it has reached your data consumption tier. The account receiving this email is the one associated with your license.
In addition to the email, there are two types of in-product alerts designed to ensure that you are aware of your environment's data consumption status. All users will see these product alerts in your environment.
When you log in to your environment, if your data consumption status is anything other than healthy you will be greeted with a dialog box informing you that your consumption allotment has been exceeded and informing you of the reductions in performance (if any) that are tied to your current data consumption status. This dialog box also contains some recommended next steps to help you improve your system's data consumption.
Once you have logged into USM Anywhere, if your consumption status is anything other than healthy you will continue to see a small banner across the top of your user interface (UI).
To refrain from reaching your monthly limit, AT&T Cybersecurity recommends that you create filtering rules to restrict data collection.
Onboarding Mode
During the first 30 days of activation for a new deployment, your subscription enters Onboarding Mode. While in Onboarding mode, there will be no restrictions to your features or product performance no matter your data consumption.
Onboarding Mode is also activated during the first 30 days after upgrading your license. This provides a grace period during which you can adjust your data consumption without violating your tier's data allowance.
After 30 days, your environment will transition out of Onboarding Mode and operate according to your subscription tier.
Healthy Consumption Status
When your environment is operating normally and consuming data at a rate that is within the parameters of your subscription tier, your data consumption is considered healthy.
Projected to Exceed Data Consumption Tier
If your environment is going to exceed your data consumption tier, a yellow announcement displays in your USM Anywhere to warn you about it. All users can see this yellow announcement in your environment, and you can close it by clicking the 
icon in the upper-right side of the page.
USM Anywhere sends three emails four days apart to warn you that you are going to reach your data consumption tier. USM Anywhere sends these emails to the address assigned to the license.
Important: By closing the announcement, you acknowledge that a manager user is aware that the license is reaching its threshold for the current month.
Besides the yellow announcement, a dialog box opens if your environment is going to exceed your data consumption tier each time you log in to USM Anywhere.
Caution Mode
As soon as your environment has consumed more data than is allotted by your subscription tier, your subscription enters Caution Mode. An environment whose subscription is in Caution Mode operates normally. While there is no direct change to your USM Anywhere features or performance, you will be notified that your consumption status has changed.
If your environment remains in Caution Mode for three consecutive months, you will be automatically transitioned into Warning Mode.
Warning Mode
Once your data consumption has exceeded 125% of your tier's data allowance, or if your subscription has been in Caution Mode for more than three consecutive months, your subscription enters Warning Mode. An environment in Warning Mode will operate normally, except that no new sensors or integrations can be set up or configured while in this mode.
If your environment remains in Warning Mode for two consecutive months, you will be automatically transitioned into Violation Mode.
Violation Mode
If your data consumption exceeds 150% of your tier's data allowance, or if your subscription has been in Warning Mode for two consecutive months, your subscription enters Violation Mode. In Violation Mode, no new sensors or integrations can be configured, and the product enters a "transient mode", where searches are limited to the most recent 24 hours for events, alarms, and vulnerabilities.
When running in transient mode, USM Anywhere no longer stores events in the hot storage or searchable data store, but will still generate alarms Alarms provide notification of an event or sequence of events that require attention or investigation., run authenticated asset An IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. scans, and store raw logs associated with events in cold storage. This transient mode ends when you start a new month (based on your anniversary start date) or if you upgrade your subscription tier. If your environment has exceeded your data consumption tier, a red announcement displays in your USM Anywhere to warn you about it.
Recovery Mode
While your environment is in Caution, Warning, or Violation Mode, you can request to enter Recovery Mode. In Recovery Mode, your environment will operate with no restrictions, and USM Anywhere will re-evaluate your environment's projected monthly data consumption over a period of 24 hours. If your projected monthly data consumption reassessment is under the threshold for your subscription tier, your environment will remain in Recovery Mode.
Note: You can request your consumption be re-evaluated in Recovery Mode up to *three times a month.
If your projected data consumption is still above the tier threshold after the 24-hour reassessment, your environment will transition out of Recovery Mode and into the mode appropriate to your new projected data consumption.
Note: Please contact the AT&T Cybersecurity Sales department if you need to upgrade your subscription tier or modify your license.
Feedback