Views:

Gmail (Inline Mode) - Service Account Provisioning

Cloud App Security provisions a service account to obtain an access token to get user/group/domain information and add/update a group used for holding the Cloud App Security policy targets.

 

Data will be automatically deleted one month after the grace period of your license expires.

After data is deleted, Cloud App Security does not protect your service any more.

Data collected
  • Domain, user and group information in Google Workspace
  • Gmail mailbox information
  • Root Administrator email address used to do the provisioning
Console Settings

Provision:

  • Administration > Service Account > Add > Gmail (Inline Mode)

    Module state

De-provision:

  • Administration > Service Account > Remove

Back to top

Gmail (Inline Mode) Quarantine

Cloud App Security will quarantine email messages in its storage after inbound/outbound messages trigger quarantine actions.

 

These quarantine items will be kept for 30 days in Cloud App Security before they get automatically deleted

After data is deleted, the administrator cannot restore or download the messages through Cloud App Security.

Data collected
  • Quarantine email messages
  • Email senders
  • Email recipients
  • Email subjects
  • Email sent time
  • Internet Message IDs
  • Attachment names
  • User principal names
  • Suspicious URLs
Console Settings

Enable:

  • Advance Threat Protection/Data Loss Prevention > Gmail (Inline Mode) policies > For each filter, select action "Quarantine"

De-provision:

  • Advance Threat Protection/Data Loss Prevention > Gmail (Inline Mode) policies > For each filter, deselect action "Quarantine"

Back to top

Exchange Online (Inline Mode) Service Account Provisioning

Cloud App Security provisions a service account to obtain an access token to get inbound/outbound email messages through Exchange Online connectors and transport rules, and scan the messages before they arrive at the inboxes of protected users or are sent out by protected users.

 

Data will be automatically deleted one month after the grace period of your license expires.

After data is deleted, Cloud App Security does not protect your service any more.

Data collected
  • Domain, user and group information in Microsoft Azure Active Directory
  • Exchange Online mailbox information
  • MX records
  • Global Administrator email address used to do the provisioning
Console Settings

Provision:

  • Administration > Service Account > Add > Exchange Online (Inline Mode)

    Teams Chat Service Account Provisioning

De-provision:

  • Administration > Service Account > Remove

Back to top

Exchange Online (Inline Mode) Quarantine

Cloud App Security will quarantine email messages in its storage after inbound/outbound messages trigger quarantine actions.

 

These quarantined items will be kept for 30 days in Cloud App Security before they get automatically deleted.

After data is deleted, the administrator cannot restore or download the messages through Cloud App Security.

Data collected
  • Quarantined inbound/outbound email messages
  • Email senders
  • Email recipients
  • Email subjects
  • Email sent time
  • Internet Message IDs
  • Attachment names
  • User principal names
  • Suspicious URLs
Console Settings

Enable:

  • Advanced Threat Protection/Data Loss Prevention > Exchange Online (Inline Mode) Policies > For each filter, select action "Quarantine"

Disable:

  • Advanced Threat Protection/Data Loss Prevention > Exchange Online (Inline Mode) Policies > For each filter, deselect action "Quarantine"

Back to top

Internal User Risk Analytics

Cloud App Security provisions a service account to obtain an access token to get risk detection data from Microsoft Identity Protection. The data is aggregated by Cloud App Security to show in the Internal User Risk Analytics widgets.

 

Data will be automatically deleted one month after the grace period of your license expires.

After data is deleted, Cloud App Security doesn’t collect risk detections.

All collected risk detections will be deleted after 60 days.

Data collected
  • Risk detection data: user’s display name, user’s principal name, risk event type, risk level, risk category, risk detected date and time
  • Global Administrator email address used to do the provisioning
Console Settings

Provision:

  • Administration > Service Account > Add > Microsoft Information Protection

    Teams Chat Service Account Provisioning

De-provision:

  • Administration > Service Account > Remove

Back to top

Reports

 

Data will be automatically deleted one month after the grace period of your license expires.

Data collected
  • Company Name
  • Company logo
  • Notification recipient's email address
Console SettingsReports:
  • Report Format

    Reports Format

  • Notification

    Notification

Back to top

Retro Scan and Auto Remediate in Web Reputation

Cloud App Security collects metadata of email messages for Retro Scan and Auto Remediate to detect unidentified risks or restore false positive emails.

 

Email metadata will not be collected if the authentication token is deleted from the Cloud App Security management console and Retro scan is disabled from enabled policies

All collected metadata will be deleted after 90 days.

Data collected
  • Email senders
  • Email recipients
  • Email subjects
  • Email headers: In-Reply-To, Return Path, Authentication-Results
  • Unique email IDs
  • Email received time
  • URLs in emails
  • Mailboxes
  • Attachments name
  • IP addresses of upstream MTAs
Console Settings

Enable:

  • ATP Policy > Web Reputation > Rules > Retro Scan and Auto Remediate > Select Rescan historical URLs when patterns update and take remedial actions

Disable:

  • ATP Policy > Web Reputation > Retro Scan and Auto Remediate > Deselect Rescan historical URLs when patterns update and take remedial actions

Back to top

Time-of-Click Protection in Web Reputation

Cloud App Security collects metadata of email messages for Time-of-Click Protection to obtain information about emails containing the clicked URLs.

 

Email metadata will not be collected if the authentication token is deleted from the Cloud App Security management console and Time-of-Click is disabled from enabled policies

All collected metadata will be deleted after 90 days.

Data collected
  • Email senders
  • Email recipients
  • Email subjects
  • Email headers: In-Reply-To, Return Path, Authentication-Results
  • Unique email IDs
  • Email received time
  • URLs in emails
  • Mailboxes
  • Attachments name
  • IP addresses of upstream MTAs
Console Settings

Enable:

  • ATP Policy > Web Reputation > Time-of-Click Protection > Select Enable Time-of-Click Protection

Disable:

  • ATP Policy > Web Reputation > Time-of-Click Protection > Deselect Enable Time-of-Click Protection

Back to top

Retro Scan and Auto Remediate in Advanced Spam Protection

Cloud App Security collects metadata of email messages for Retro Scan and Auto Remediate to detect unidentified risks or restore false positive emails.

 

Email metadata will not be collected if the authentication token is deleted from the Cloud App Security management console and Retro scan is disabled from enabled policies.

All collected metadata will be deleted after 180 days.

Data collected
  • Email senders
  • Email recipients
  • Email subjects
  • Email headers: In-Reply-To, Return Path, Authentication-Results
  • Unique email IDs
  • Email received time
  • URLs in emails
  • Mailboxes
  • Attachments name
  • IP addresses of upstream MTAs
Console Settings

Enable:

  • ATP Policy > Advanced Spam Protection > Rules > Retro Scan and Auto Remediate > Select Rescan historical mail metaemail messages and take remediation actions

Disable:

  • ATP Policy > Advanced Spam Protection > Rules > Retro Scan and Autom Remediate > Deselect Rescan historical email messages and take remediation actions

Back to top

Microsoft Information Protection Service Account Provisioning

Cloud App Security provisions a service account to integrate with the Microsoft Information Protection service and obtains an access token to support the “add sensitivity label” and “remove sensitivity label” actions for detected documents in SharePoint/OneDrive/Teams.

 

Data will be automatically deleted one month after the grace period of your license expires.

After data is deleted, Cloud App Security does not support the sensitivity label related actions

Data collected
  • SharePoint admin site URL
  • Sensitivity labels
  • Global Administrator email address used to do the provisioning
Console Settings

Provision:

  • Administration > Service Account > Add > Microsoft Information Protection

    Teams Chat Service Account Provisioning

De-provision:

  • Administration > Service Account > Remove

Back to top

Teams Chat Service Account Provisioning

Cloud App Security provisions a service account to integrate with the Microsoft Teams Chat service and obtains an access token to scan contents and files sent in private chats with other users.

 

Cloud App Security provisions a service account to integrate with the Microsoft Teams Chat service and obtains an access token to scan contents and files sent in private chats with other users.

After data is deleted, Cloud App Security does not protect your service any more.

Data collected
  • Domain, user, and group information in Windows Azure Active Directory
  • Global Administrator email address used to do the provisioning
  • Customer registered app ID
  • Customer registered app secret
Console Settings
  • Provision:

    Administration > Service Account > Add > Teams Chat

    Teams Chat Service Account Provisioning

  • De-provision:

    Administration > Service Account > Remove

Back to top

Salesforce Sandbox / Production Service Account Provisioning

Cloud App Security provisions a service account to integrate with the Salesforce Sandbox, and obtains an access token to access and protect users’ object information stored in Salesforce sandbox from threats.

 
Data will be automatically deleted one month after the grace period of your license expires.

After data is deleted, Cloud App Security does not protect your service any more.

Data collected

Information about Packaged, Standard and Custom objects, including:

  • User profiles
  • User
  • Community
  • Chatter
  • Cases
  • Attachments
  • Other objects
Console Settings
  • Provision:

    Administration > Service Account > Add > Salesforce Sandbox

    Salesforce sandbox service account provisioning

  • De-provision:

    Administration > Service Account > Remove

Back to top

Email and Collaboration Sensor App in Trend Vision One

Cloud App Security collects metadata of email messages, user profiles, mailboxes, and account activities for Trend Vision One to discover anomalies for Email Account Inventory customers.

 
All collected metadata will be deleted after 180 days.
Data collected
  • Email received timestamps
  • Email attachment file names
  • Email attachment hash values
  • URLs in email messages
  • Mailbox accounts
  • Email stored folder names
  • Microsoft 365 mail internal IDs
  • Message UIDs
  • Email attachment true file types
  • Email HTML body tags
  • Email headers
  • Group mail info

If the admin grants permissions to collect user profiles, mailboxes, and account activities, the following data will also be collected:

  • Users profiles which include:

    display name, given name, surname, employee ID, company name, department name, job title, email address, business phone number, mobile phone number, fax number, office location, on-premises information, usage location, user principal name, Microsoft 365 service property, mailbox rule, last password change, user ID, IM address, Shared Object, manager account, other mail addresses, account enabled, nickname, high privileged account, calendar

  • User devices which include:

    on-premises sync enablement, OS information, OS version, device physical ID, device profile type, approximate last sign-in date and time, compliance expiration date and time, deletion date and time, device ID, device metadata, device version, device name, on-premises last sync date and time

  • User roles which include:

    administrator role ID, administrator role description, administrator role display name

  • Sign-in activities which include:

    client IP, directory audits, country, app name, longitude, latitude, User Agent, sign in IP address

Console Settings
  • Enable:

    In Trend Vision One console, set email sensor targets for Exchange Online or Gmail in the Email and Collaboration Security app.

  • Disable:

    In Trend Vision One console, click the “Clear Inventory” button in the Email and Collaboration Security app.

Back to top

SharePoint Online/OneDrive for Business Service Account Provisioning with Access Token

Cloud App Security provisions a service account to integrate with the Microsoft SharePoint Online and OneDrive for Business services respectively, and obtains an access token to access and protect users’ files stored in SharePoint Online /OneDrive for Business from threats.

 
Data will be automatically deleted one month after the grace period of your license expires. After data is deleted, Cloud App Security does not protect your service any more.
Data collected
  • Domain, user, and group information in Windows Azure Active Directory
  • SharePoint Online site collection information
  • OneDrive for Business user and user site information
  • Global Administrator email address used to do the provisioning
Console Settings

Provision:

  • Administration > Service Account > Add > SharePoint Online or OneDrive for Business

Gmail

De-provision:

  • Administration > Service Account > Remove

Back to top

Microsoft Teams Service Account Provisioning

Cloud App Security provisions a service account to integrate with the Microsoft Teams service and obtains an access token to protect users’ files stored in teams from threats.

 
Data will be automatically deleted one month after the grace period of your license expires. After data is deleted, Cloud App Security does not protect your service any more.
Data collected
  • SharePoint Teams information
  • Global Administrator email address used to do the provisioning
Console Settings

Provision:

  • Administration > Service Account > Add > Microsoft Teams

Gmail

De-provision:

  • Administration > Service Account > Remove

Back to top

Exchange Online Service Account Provisioning with Access Token

Cloud App Security provisions a service account to integrate with the Exchange Online service and obtains an access token to protect users’ email messages from threats.

 
Data will be automatically deleted one month after the grace period of your license expires. After data is deleted, Cloud App Security does not protect your service any more.
Data collected
  • Domain, user, and group information in Windows Azure Active Directory
  • Exchange Online mailbox information
  • Global Administrator email address used to do the provisioning
Console Settings

Provision:

  • Administration > Service Account > Add > Exchange Online

Gmail

De-provision:

  • Administration > Service Account > Remove

Back to top

Gmail Service Account Provisioning

Cloud App Security provisions service accounts to integrate with Gmail services and obtains access tokens to protect users’ email messages from threats.

 
Data will be automatically deleted one month after the grace period of your license expires. After data is deleted, Cloud App Security does not protect your service any more.
Data collected
  • Domain information
  • Mailbox information
  • Group information
  • Administrator email address used to do the provisioning
Console Settings

Provision:

  • Administration > Service Account > Add > Gmail

Gmail

De-provision:

  • Administration > Service Account > Remove

Back to top

Threat Investigation API

Cloud App Security collects metadata of email messages for the Threat Investigation API to sweep for required email information.

 
Email metadata will not be collected if the authentication token is removed from the Cloud App Security management console.

All collected metadata will be removed after 180 days.

Data collected
  • Email senders
  • Email recipients
  • Email subjects
  • Email headers: In-Reply-To, Return Path, Authentication-Results
  • Unique email IDs
  • Email received time
  • URLs in emails
  • Mailboxes
  • Attachments name
  • IP addresses of upstream MTAs
Console Settings
  • Enable:

    Administration > Automation and Integration APIs > Add > For External Application OR For Trend Micro Service/Product > Select Email message for the API type Threat Investigation

    Module state

  • Disable:

    Administration > Automation and Integration APIs > Select tokens whose API type is “Threat Investigation” > Delete

Back to top

Writing style analysis for BEC

Cloud App Security collects email messages sent by high profile users to train their writing style models if writing style analysis is enabled. All email content is irreversibly hashed.

 

Email messages will not be collected for continuous model training if writing style analysis is disabled.

Data will be automatically deleted one month after the grace period of your license expires.

Data collected
  • Email senders
  • Email subjects
  • Email content
Console Settings
  • ATP Policy > Advanced Spam Protection > Writing Style Analysis for BEC

    Module state

  • Administration > Global Settings > High Profile Users

    Module state

Back to top

O365 (Exchange Online, SharePoint Online, OneDrive for Business) Provisioning

Cloud App Security provisions service accounts to integrate with Microsoft Office 365 services, and accesses Office 365 data with the service accounts to protect users’ email messages and files from network threats.

 
Data will be automatically deleted one month after the grace period of your license expires. After data is deleted, Cloud App Security does not protect your service any more.
Data collected
  • Domain, user, and group information in Windows Azure Active Directory
  • Exchange Online mailbox information
  • SharePoint Online site collection information
  • OneDrive for Business user and user site information
Console Settings

Provision:

  • Administration > Service Account > Add > Office 365

Service Account

 
When your license for Cloud App Security is valid, contact Trend Micro Technical Support to submit a request for de-provisioning. After de-provisioning is completed, data is deleted.

Back to top

Cloud storage service (Box, Dropbox, Google Drive) Provisioning

Cloud App Security provisions service accounts to integrate with cloud storage services and obtains access tokens to protect users’ files from network threats.

 
Data will be automatically deleted one month after the grace period of your license expires. After data is deleted, Cloud App Security does not protect your service any more.
Data collected
  • Box user and group information
  • Dropbox user and group information
  • Google Drive user and organization unit information
  • Administrator email address used to do the provisioning
Console settings

Provision:

  • Administration > Service Account > Add > Box/Dropbox/Google Drive

Service Account

De-provision:

  • Administration > Service Account > Remove

Back to top

Logs

 

Logs cannot be disabled unless you choose to NOT use Cloud App Security.

After data is deleted, administrators cannot retrieve history data of user events and policy violations from Cloud App Security.

Data collected
  • Email senders
  • Email recipients
  • Email locations
  • Email subjects
  • Attachment names
  • Email sent time
  • Internet Message IDs
  • File modifiers
  • File locations
  • File names
  • Chat locations
  • Salesforce object locations
Console settings

Cloud App Security automatically deletes logs older than 180 days.

Module state

Back to top

Quarantine

Quarantine logs cannot be disabled unless you do not set Action to Quarantine in any Advanced Threat Protection or Data Loss Prevention policy or you do not enable Virtual Analyzer in any Advanced Threat Protection policy.

 

Data will be automatically deleted one month after the grace period of your license expires.

After data is deleted, administrators cannot retrieve history data of user events and policy violations from Cloud App Security.

Data collected
  • Email senders
  • Email recipients
  • Email locations
  • Email subjects
  • Attachment names
  • File modifiers
  • File locations
  • File names
  • Salesforce object locations
Console settings

For Quarantine logs, Cloud App Security provides an option for administrators to choose to automatically delete them older than 30, 60, or 90 days.

Module state

Back to top

Predictive Machine Learning

Trend Micro Predictive Machine Learning uses advanced machine learning technology to correlate threat information and perform in-depth file analysis to detect emerging unknown security risks through digital DNA fingerprinting, API mapping, and other file features.

 
Disabling Predictive Machine Learning prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud App Security to detect new, previously unidentified, or unknown threats.
Predictive Machine Learning
Data collected
  • Metadata of suspicious executable files and scripts in cloud storage services
  • Metadata of suspicious executable files and scripts in email attachments
Console locationATP policy > Malware Scanning > Rules
Console settings
  • Enable Predictive Machine Learning

    Module state

     

Back to top

Malware Scanning Feedback

Malware Scanning Feedback enables you to participate, share and leverage Trend Micro’s global database of threat related intelligence to rapidly identify and defend against potential threats within your unique network environment.

 
Disabling Malware Scanning Feedback prevents the mentioned data from being sent to Trend Micro, but affects the enhancement of Cloud App Security to rapidly identify and address new threats.
Malware Scanning Feedback
Data collected
  • Suspicious executable files and scripts in cloud storage services
  • Suspicious executable files and scripts in email attachments
Console locationATP policy > Malware Scanning > Rules > Predictive Machine Learning
Console settings
  • Allow Trend Micro to collect suspicious files to improve its detection capabilities

Module state

Back to top

Virtual Analyzer for files

Virtual Analyzer is a cloud sandbox designed for analyzing suspicious files. Sandbox images allow observation of file behavior in an environment that simulates endpoints on your network without any risk of compromising the network.

 
Disabling Virtual Analyzer prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud App Security to detect advanced malware in files.
Data collected
  • Suspicious executable files
  • Suspicious scripts
  • Suspicious documents with macro
  • Other suspicious files from Trend Micro virus scan engine
Console locationATP policy > Virtual Analyzer
Console settings
  • Enable Virtual Analyzer
  • Files

Module state

Back to top

Advanced Spam Protection

Cloud App Security uses Trend Micro Antispam Engine to provide advanced spam protection, as a complement to the email protection service on your email gateway side, to further protect Exchange Online users from BEC, ransomware, advanced phishing, and other high-profile attacks.

 
Disabling Advanced Spam Protection prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud App Security to detect BEC, phishing, ransomware, and other spam.
Advanced Spam Protection
Data collected
  • IP addresses of upstream MTAs
Console locationATP policy > Advanced Spam Protection
Console settings
  • Enable Advanced Spam Protection

Module state

Back to top

Advanced Spam Protection Feedback

Advanced Spam Protection feedback enables you to participate, share and leverage Trend Micro’s global database of threat related intelligence to rapidly identify and defend against potential threats within your unique network environment.

 
Disabling Advanced Spam Protection feedback prevents the mentioned data from being sent to Trend Micro, but affects the enhancement of Cloud App Security to rapidly identify and address new spam.
Advanced Spam Protection Feedback
Data collected
  • Email addresses
  • Email subjects
  • URLs in email body
Console locationATP policy > Advanced Spam Protection
Console settings
  • Allow Trend Micro to collect suspicious email information to improve its detection capabilities

Module state

Back to top

Web Reputation

Cloud App Security leverages Trend Micro Web Reputation Services to scan URLs contained in files, email bodies and attachments to detect malicious URLs based on their reputation scores.

 
Disabling Web Reputation prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud App Security to detect malicious URLs.
Data collected
  • URLs in email body
  • URLs in email attachments
  • URLs in files
Console locationATP policy > Web Reputation
Console settings
  • Enable Web Reputation

Module state

Back to top

Quarantined email preview

Cloud App Security will store the previewed part of the quarantine email message body in its storage after the messages trigger quarantine actions.

The previewed part will be kept for 180 days in Cloud App Security before they get automatically deleted.

After data is deleted, the administrator cannot preview the quarantined messages through Cloud App Security.

Data collected
  • Previewed part of quarantined email body
Console settings
  • Enable:

    Quarantine > Enable Email Preview > select “Enable Email Preview

  • Disable:

    Quarantine > Enable Email Preview > deselect “Enable Email Preview

Back to top

Cloud App Security Add-in -Manage Quarantine

Cloud App Security collects the listed information to enable end users to manage quarantined emails and add trusted senders.

 
Data will be automatically deleted one month after the grace period of your license expires.
Data collected
  • Email address
  • User OID
  • Email sender
Console settings
  • Enable:

    Administration > Add-in for Outlook > Quarantine Management Permissions > Status (ON)

    Administration > Add-in for Outlook > Quarantine Management Permissions > Select “Trust Sender

  • Disable:

    Administration > Add-in for Outlook > Quarantine Management Permissions > Status (OFF)

    Administration > Add-in for Outlook > Quarantine Management Permissions > Deselect “Trust Sender

Back to top

Cloud App Security Add-in - Report Email

Cloud App Security collects the listed information to enable end users to report emails.

 
Data will be automatically deleted one month after the grace period of your license expires.
Collected emails will be automatically deleted after 180 days.
Data collected
  • Email address
  • User OID
  • Email
Console settings
  • Enable:

    Administration > Add-in for Outlook > Email Reporting > Status (ON)

  • Disable:

    Administration > Add-in for Outlook > Email Reporting > Status (OFF)

Back to top

Exchange Online Protection Enhancement with Microsoft 365 Activity Data

 

Data will be automatically deleted one month after the grace period of your license expires.

Data collected
  • Internet message ID
  • Record type
  • Operation
  • Workload
  • Threats and detection technology
  • Verdict
  • Original delivery location
  • Latest delivery location
  • Policy
  • Policy action
  • Phishing confidence level
  • Detection method
  • Direction
  • Connector
  • Subject
  • Sender IP
  • Attachment data
  • Delivery action
  • Recipients
  • Creation time
  • Message time
  • Message date
  • P1 sender
  • P2 sender
  • Extended properties
  • Submission type
  • Submission state
  • Submission channel
  • Submission content type
  • Rescan result
Console Settings

Enable:

  • Dashboard banner > Grant permission

    Module state

Disable:

  • Administration > Service Account > Remove Microsoft 365 related accounts

Back to top

Correlated Intelligence

Cloud App Security collects suspicious emails for backend services, which will gather the emails' metadata (with Personal Identifiable Information removed) for further analysis.

 
The suspicious emails stored in Cloud App Security will be automatically deleted after one hour.
 
Data collected
  • Suspicious emails
Console Settings

Enable:

  • Advanced Threat Protection>Exchange Online policies > Enable Correlated Intelligence

Disable:

  • Advanced Threat Protection > Exchange Online policies > Disable Correlated Intelligence

Back to top

Data center location for CAS & XDR Data Lake

Country of PurchaseData Center Location
USA

CAS: West US, California

XDR Platform/Activity Data: East US, N. Virginia

EU

CAS: West Europe, Netherlands

XDR Platform/Activity Data: West Europe, Netherlands

Japan

CAS: Japan East, Tokyo

XDR Platform/Activity Data: Japan East, Tokyo

SG

CAS: Southeast Asia, Singapore

XDR Platform/Activity Data: Southeast Asia, Singapore

ANZ

CAS: Australia Central, Canberra

XDR Platform/Activity Data: East US, N. Virginia (*Australia Central - future site)

EU-UK

CAS: UK South, London

XDR Platform/Activity Data: West Europe, Netherlands

Canada

CAS: Canada Central, Toronto

XDR Platform/Activity Data: East US, N. Virginia

India

CAS: Central India, Pune

XDR Platform/Activity Data: Asia Pacific, Mumbai

Middle East (UAE)

CAS: Dubai / UAE North

XDR Platform/Activity Data: UAE / Middle East

Back to top