Views:

Account Enrollment

You supply this information when registering for a Workload Security account. Trend Micro uses this data for analytics and insight into Workload Security registration.

Workload Security uses Marketo for trial engagement and marketing-related activities. This form is designed to allow a minimum set of information so that customers can choose to limit information provided at registration time.

Data collected
  • Name
  • Email address
  • Phone number(s)
  • Country
Console location Registration information is provided by the customer during the registration process. A minimum amount of information is required to ensure we can contact the account owner for support and maintenance of the service.
Console settings

Back to top

User Access

This section is about the user access of Workload Security, which also covers optional email notification and reports. You can add users to your Workload Security account. The information for those additional users is transmitted to Trend Micro.

You can choose to enter a minimum amount of information about the users. You can also remove users, but those users will no longer be able to access the Workload Security console or receive email notifications.

Data collected
  • User's name
  • Email address
  • Phone number(s)
Console location Administration > User Management
Console settings

Users

Users

Click the image to enlarge.

Contacts

Contacts

Click the image to enlarge.

Back to top

User Authentication

When you enroll for a Workload Security account or add a new user to your account, you must supply a password. Passwords are transmitted to Trend Micro over HTTPS and stored as an unrecoverable salted hash.

Every user must have a password. You can remove users, but those users will no longer be able to access the Workload Security console.

User Authentication (Set Password)
Data collected Passwords
Console location Administration > User Management > Users > Properties
Console settings

Set Password

Change Password

Click the image to enlarge.

User Authentication (Contact Properties)
Data collected Passwords
Console location Administration > User Management > Contacts
Console settings

Properties

Test User

Click the image to enlarge.

Back to top

General Product Operation

When a security event occurs, information about the event is transferred to Trend Micro.

Workload Security, by design, does not collect personal information.

Depending on the nature of the protected environment and the object that is the target of the security event (for example, files, memory, network traffic) there is a risk that personal information may be collected within a security event. Security policy configuration and module selection are provided to meet the requirements of your target environment and minimize this risk.

The default event retention period for Workload Security is 32 days.

General Product Operation (Modules)
Data collected

Security event information:

  • Intrusion prevention packet
  • URL reputation
  • Firewall packet
  • Log entry
  • Malware file
  • IP addresses
Console location Computer or Policy editor > Select module (e.g. Anti-Malware, Web Reputation, etc)
Console settings

State: Off or Inherited (Off)

General Product Operation

Click the image to enlarge.

General Product Operation (Event Forwarding)
Data collected

Security event information:

  • Intrusion prevention packet
  • URL reputation
  • Firewall packet
  • Log entry
  • Malware file
  • IP addresses
Console location Administration > System Settings > Event Forwarding
Console settings
  • Forward System Events to a remote computer (via Syslog) using configuration
  • Publish Events to AWS Simple Notification Service

System Events

Click the image to enlarge.

General Product Operation (Logging and Monitoring)
Data collected

Data from AWS ELB and other logs, including:

  • Names
  • Email addresses
  • Session IDs
  • IP addresses
  • CloudWatch logs
  • Server0 entries
  • HTTP traffic
Console location This information is stored in the Workload Security SIEM and is used for troubleshooting, monitoring, and overall protection of the system. It cannot be configured or disabled by customer.
Console settings

Back to top

Email

Workload Security transmits reports, alerts, and registration confirmation to its email server when sending this information to customers.

Email Configuration (Users)
Data collected
  • Reports
  • Alerts
  • Registration confirmation
Console location Administration > User Management > Users > Properties > Contact Information
Console settings

Receive Alert Emails

Receive Email

Click the image to enlarge.

Email Configuration (Contacts)
Data collected
  • Reports
  • Alerts
  • Registration confirmation
Console location Administration > User Management > Contacts
Console settings

Email Address

Email Address

Click the image to enlarge.

This contact information will show up when configuring Scheduled Reports under Generate Reports.

Task Wizard

Click the image to enlarge.

Back to top

Support Requests

When you submit a support request, this information is sent to Salesforce.

Data collected
  • Account ID
  • Tenant ID
  • Name
  • Account Name
  • Company
  • Country
  • Email address
  • Phone number
  • Description of support request
Console location Support > Contact Support
Console settings

Create Case

Support Center

Click the image to enlarge.

Back to top

Firewall Events

Users can determine whether the agent captures and sends user names as part of Firewall events.

Data collected
  • User name
Console location Administration > System Settings > Agents
Console settings

Allow user name capture in network events

Module state

Click the image to enlarge.

Back to top

Intrusion Prevention and Firewall

You can optionally configure Workload Security to use a Whois service to look up which domain name is associated with an IP address when you review logged intrusion prevention and firewall events. The IP address is sent directly to the Whois service and not to Trend Micro.

Data collected IP addresses
Console location Administration > System Settings > Advanced
Console settings

Whois URL

Whois URL

Click the image to enlarge.

Back to top

Anti-Malware: Smart Protection

Smart Protection Server for File Reputation Service is used by the anti-malware module. It supplies file reputation information required by Smart Scan. Alternatively, you can use a locally installed Smart Protection Server.

Data collected
  • Product information
  • Client device OS
  • Malicious or suspicious file information
  • Suspicious file signatures
  • Malicious or suspicious process information
Console location Computer or Policy editor > Anti-Malware > Smart Protection
Console settings

Connect directly to Global Smart Protection Service

Connect Global Smart Protection

Click the image to enlarge.

Back to top

Anti-Malware: Process Memory Scan

Process Memory Scan connects to the Good File Reputation Service. This information enables Workload Security to identify good file hashes.

Data collected File hashes (SHA1)
Console location Policies > Common Object > Other > Malware Scan Configurations > Real-Time Scan configuration > General
Console settings

Scan process memory for malware

Scan Process Memory

Click the image to enlarge.

Back to top

Anti-Malware: Predictive Machine Learning

Predictive Machine Learning enables identification of potential malicious files.

Data collected
  • File name
  • Path
  • Signer
  • Hashes (SHA1)
Console location Policies > Common Objects > Other > Malware Scan Configurations > Real-Time Scan configuration > General
Console settings

Enable Predictive Machine Learning

Enable Predictive Machine Learning

Click the image to enlarge.

Back to top

Anti-Malware: Smart Scan

This information is sent when a file scan occurs and enables Workload Security to identify malicious file hashes.

Data collected File hashes (CRC)
Console location Computer or policy editor > Anti-Malware > Smart Protection > Smart Scan
Console settings

Untick Inherited check box (if it's selected) and select Off.

Smart Scan

Click the image to enlarge.

Back to top

Anti-Malware: Behavior Monitoring

The behavior monitoring feature communicates with the Global Census Server and Good File Reputation Service. This enables Workload Security to identify good file hashes and to retrieve statistical data.

Data collected File hashes (SHA1)
Console location Policies > Common Objects > Other > Malware Scan Configuration > Real-Time Scan configuration > General
Console settings
  • Detect suspicious activity and unauthorized changes (incl. ransomware)
  • Back up and restore ransomware-encrypted files

Behavior Monitoring

Click the image to enlarge.

Back to top

Integrity Monitoring

You can configure Workload Security to automatically tag integrity monitoring events. If you select the Certified Safe Software Service option, information is sent to the Trend Micro Certified Safe Software service. Alternatively, you can select one of the other options when configuring auto tagging, or don’t enable auto-tagging.

Data collected File hashes (SHA1) and additional information
Console location Events and Reports > Integrity Monitoring Events > Auto-Tagging > New Trusted Source
Console settings

Certified Safe Software Service

Certified Safe Software

Click the image to enlarge.

Back to top

Web Reputation

The web reputation module uses the Trend Micro Smart Protection Network to determine whether URLs are malicious. When Connect directly to Global Smart Protection Service is selected, URLs are sent to Trend Micro. Alternatively, you can opt to use a locally installed Smart Protection Server. You must select one of these options to use the web reputation module. If you don’t want to use either of those options, go to the General tab and change the Web Reputation State to Off to disable the web reputation module.

Data collected URL
Console location Computer or Policy editor > Web Reputation > Smart Protection
Console settings

Connect directly to Global Smart Protection Service

Web Reputation Service

Click the image to enlarge.

Back to top

Smart Feedback

Smart Feedback enables you to participate, share, and leverage Trend Micro’s global database of threat-related intelligence to rapidly identify and defend against potential threats within your unique network environment.

 
Smart Feedback is enabled by default for new customers.
 
Data collected
  • Hostname
  • IP address
  • Endpoint IP
  • URL
  • Filename/Path
  • Suspicious executables and partial file content
  • Industry
  • Country
Console location Administration > System Settings > Smart Feedback
Console settings

To disable Trend Micro Smart Feedback, uncheck the Enable Trend Micro Smart Feedback checkbox.

DCN Smart Feedback WS

Click the image to enlarge.

Back to top

Anti-Malware: Identified (Quarantined) Files

An identified file is a file that has been found to be or to contain malware and has therefore been encrypted and moved to a special folder on the protected computer. Identified files are not sent to Workload Security  unless you specifically download them using the actions described below.

Data collected Files that have been identified as potential malware
Console location Events & Reports > Events > Anti-Malware Events > Identified Files
Console settings The file is sent to Workload Security only if you select it and click Download.

Back to top

Activity Monitoring

Activity Monitoring is a protection policy that enables security activity to be sent to Trend Micro XDR, providing effective expert analytics and global threat intelligence using data collected across multiple vectors - email, endpoints, servers, cloud workloads, and networks.

 
Activity Monitoring data is only sent to Trend Micro if the server has the Activity Monitoring policy assigned and state of the policy is On.
 
Data collected
  • Tenant GUID
  • Account name
  • Protection module events:
    • Anti-Malware
    • Web Reputation
    • Integrity Monitoring
    • Log Inspection
    • Intrusion Prevention
  • Process activity
  • File activity
  • Network activity
  • Registry activity (Windows only)
  • Connection activity
  • Domain query activity
  • User account activity (Windows only)
  • Modified process activity
  • Memory activity
  • Behavior Monitoring Activity
Console location Computer or Policy editor > Activity Monitoring > General > Activity Monitoring State: On
Console settings

Activity Sensor

Click the image to enlarge.

Back to top

Data Center Gateway Registration

When you register a new Data Center Gateway on Workload Security, an identifiable name and optional description will be collected for future reference. The information that you provided may or may not refer to your data-center name or its location.

 
Data Center Gateway is required only for deployments that Add a VMware vCenter accounts to Cloud One Workload Security.
 
Data collected
  • Data Center Gateway Name
  • Data Center Gateway Description
Console location System Settings > Data Center Gateway > New
Console settings

New

Click the image to enlarge.

Back to top

VMware vCenter Registration

When you add a VMware vCenter account on Workload Security, the following data is stored and encrypted in order to synchronize the virtual machine data from vCenter servers.

Data collected
  • vCenter Server Address
  • vCenter Server Port
  • vCenter Credential
Console location Computers > Add
Console settings

Wizard

Click the image to enlarge.

Back to top

VMware vCenter Synchronization

Workload Security periodically synchronizes the virtual machine metadata from VMware vCenter via the Data Center Gateway.  During this process the Data Center Gateway collects the following information for general product operation as well as analytics.

Data collected
  • For Data Center Gateways

    • IP addresses
    • Hostname
  • For vCenter servers

    • vCenter UUID (Moref)
    • vCenter version
    • vCenter build
    • Custom fields
  • For virtual machines

    • Name
    • Parent
    • Hardware devices
    • vApp Configs
    • vmtool status
    • IP address
    • Network config
    • Hostname
    • Parent vApp
    • Resource pool
    • Runtime power state
    • Runtime boot time
    • Runtime suspend time
    • Annotation
    • Instance uuid
    • Memory size in mb
    • Number of cpu
    • UUID
    • Custom value
  • For host systems (ESXI)

    • Name
    • Parent
    • Network configuration
    • Kernel module system
    • Kernel module patch
    • Hardware
    • Summary
    • Custom value
  • For DataCenter

    • Name
    • Parent
    • hostFolder
    • vmFolder
  • For vApp Folder

    • Name
    • Parent
    • Parent folder
  • For Compute Resource, Folder, Resource pool, Data store

    • Name
    • Parent
Console location IP Address of the Data Center Gateway will not be displayed in the console or any customer facing location For the rest, will be shown in Computers page.
Console settings

1104241-Updating-the-VeriSign-DigiCert-USERTrust-RSA-certificate-on-Deep-Security-and-Cloud-One-Workload-Security?language

Click the image to enlarge.

Cluster

Click the image to enlarge.

General

Click the image to enlarge.

General 2

Click the image to enlarge.

Back to top

BIF

This feature is used to calculate the installation base and system status of Workload Security.

Data collected
  • Activation Code and GUID
  • Product version
  • Feature enabled status
  • System status
Console location This feature can be disabled. If you do not want this data to be collected, please go to System Settings > Advanced > Product Usage Data Collection and deselect Enable Product Usage Data Collection.
Console settings

Back to top

Anti-Malware Module: Agent Metrics Collection and Analytics Service

The Agent metrics are collected to understand how the agent is performing in a particular environment.

Based on the "Top N" data described below, Trend Micro can provide a suitable exclusion lists to mitigate possible performance issues.

Data collected
  • Top N Scanned Files - File paths that are scanned the most
  • Top N Busy Process - Process image paths that generate the most file/process/network events
  • Top N Busy DirPath - Folder paths that generate the most file/process/network events
  • Top N scanned process - Image path of running processes scanned by Workload Security
Console location This is automatically collected via agent metrics and cannot be disabled.
Console settings

Back to top

Network Module: Agent Metrics Collection and Analytics Service

The Agent metrics are collected to understand how the agent is performing in a particular environment.

Based on the data collection below, Trend Micro can provide better Intrusion Prevention and Firewall support for the most popular connection invokers.

Data collected
  • Process Command Line - command line that process used to set up the connection
  • Process Executable Path - file path of the process that set up the connection
  • Process Name - file name of the process that set up this connection
Console location This is automatically collected via agent metrics and cannot be disabled.
Console settings

Back to top

Trend Vision One Integration

The XDR capabilities of Trend Micro Vision One applies effective expert analytics and global threat intelligence using data collected across multiple vectors - email, endpoints, servers, cloud workloads, and networks.

You can optionally configure Trend Micro Cloud One - Endpoint & Workload Security integration with Trend Vision One. This will send information from Endpoint & Workload Security to Trend Vision One where you can correlate threat information for all of your Trend Micro products.

Data collected

Forward security events to Trend Vision One

  • Anti-Malware events
  • Web Reputation events
  • Integrity Monitoring events
  • Log Inspection events
  • Intrusion Prevention events
  • Activity Monitoring events
  • Device Control events

Activity Monitoring

  • Process activity
  • File activity
  • Network activity
  • Connection activity
  • Domain query activity
  • Registry activity (Windows only)
  • User account activity (Windows and macOS only)
Console location
  • Trend Micro Cloud One > Integrations > Trend Vision One™
  • Trend Vision One console > Service Management > Product Connector
Console settings
  1. In the Trend Micro Cloud One console, connect to Trend Vision One by registering the Enrollment Token.

    Module state

  2. In the Trend Vision One console, locate the Trend Micro Cloud One - Endpoint & Workload Security connectors and click Disconnect.

    Module state

 
After the connection is established, the data will be sent to Trend Vision One.
Disabling this connection will result in no data being sent to Trend Vision One from Trend Micro Cloud One - Endpoint & Workload Security.
 

Back to top

Active Directory Registration

Add an Active Directory connector in Workload Security to synchronize computer data from the domain. The data collected is encrypted and stored.

Data collected
  • Active Directory Server Address
  • Active Directory Server Port
  • The username and password of a domain user which used to fetch data from Active Directory Server
Console location
  1. Computers > Add
Console settings

Add Directory

Click the image to enlarge.

Add Directory 2

Click the image to enlarge.

Back to top

Active Directory Synchronization

Workload Security periodically synchronizes the computers' metadata from Active Directory via the Data Center Gateway. During this process, the Data Center Gateway collects the following information for general product operation and analytics.

Data collected
  • For Data Center Gateways
    • IP addresses
    • Hostname
  • For Domain Controller
    • DistinguishedName
  • For Computers
    • Name
    • DistinguishedName
    • Hardware devices
    • IP address
    • Network config
    • Hostname
    • Runtime power state
    • Runtime boot time
    • Runtime suspend time
    • BIOS UUID
    • Object GUID
Console location
  1. The IP address of the Data Center Gateway will not be displayed in the console, or in any customer facing location. The rest of the collected data will be viewable from the Computers page.
Console settings

Directory

Click the image to enlarge.

Directory 2

Click the image to enlarge.

Click the image to enlarge.

Back to top