Views:

Account Enrollment

You supply this information when registering for a Workload Security account. Trend Micro uses this data for analytics and insight into Workload Security registration.

Workload Security uses Marketo for trial engagement and marketing-related activities. This form is designed to allow a minimum set of information so that customers can choose to limit information provided at registration time.

Console settings
Data collected	Name Email address Phone number(s) Country
Console location	Registration information is provided by the customer during the registration process. A minimum amount of information is required to ensure we can contact the account owner for support and maintenance of the service.

User Access

This section is about the user access of Workload Security, which also covers optional email notification and reports. You can add users to your Workload Security account. The information for those additional users is transmitted to Trend Micro.

You can choose to enter a minimum amount of information about the users. You can also remove users, but those users will no longer be able to access the Workload Security console or receive email notifications.

Data collected	User's name Email address Phone number(s)
Console location	Administration > User Management
Console settings	Users ^{Click the image to enlarge.} Contacts ^{Click the image to enlarge.}

User Authentication

When you enroll for a Workload Security account or add a new user to your account, you must supply a password. Passwords are transmitted to Trend Micro over HTTPS and stored as an unrecoverable salted hash.

Every user must have a password. You can remove users, but those users will no longer be able to access the Workload Security console.

User Authentication (Set Password)
Data collected	Passwords
Console location	Administration > User Management > Users > Properties
Console settings	Set Password ^{Click the image to enlarge.}

User Authentication (Contact Properties)
Data collected	Passwords
Console location	Administration > User Management > Contacts
Console settings	Properties ^{Click the image to enlarge.}

General Product Operation

When a security event occurs, information about the event is transferred to Trend Micro.

Workload Security, by design, does not collect personal information.

Depending on the nature of the protected environment and the object that is the target of the security event (for example, files, memory, network traffic) there is a risk that personal information may be collected within a security event. Security policy configuration and module selection are provided to meet the requirements of your target environment and minimize this risk.

The default event retention period for Workload Security is 32 days.

General Product Operation (Modules)
Data collected	Security event information: Intrusion prevention packet URL reputation Firewall packet Log entry Malware file IP addresses
Console location	Computer or Policy editor > Select module (e.g. Anti-Malware, Web Reputation, etc)
Console settings	State: Off or Inherited (Off) ^{Click the image to enlarge.}

General Product Operation (Event Forwarding)
Data collected	Security event information: Intrusion prevention packet URL reputation Firewall packet Log entry Malware file IP addresses
Console location	Administration > System Settings > Event Forwarding
Console settings	Forward System Events to a remote computer (via Syslog) using configuration Publish Events to AWS Simple Notification Service ^{Click the image to enlarge.}

General Product Operation (Logging and Monitoring)
Data collected	Data from AWS ELB and other logs, including: Names Email addresses Session IDs IP addresses CloudWatch logs Server0 entries HTTP traffic
Console location	This information is stored in the Workload Security SIEM and is used for troubleshooting, monitoring, and overall protection of the system. It cannot be configured or disabled by customer.
Console settings

Email

Workload Security transmits reports, alerts, and registration confirmation to its email server when sending this information to customers.

Email Configuration (Users)
Data collected	Reports Alerts Registration confirmation
Console location	Administration > User Management > Users > Properties > Contact Information
Console settings	Receive Alert Emails ^{Click the image to enlarge.}

Email Configuration (Contacts)
Data collected	Reports Alerts Registration confirmation
Console location	Administration > User Management > Contacts
Console settings	Email Address ^{Click the image to enlarge.} This contact information will show up when configuring Scheduled Reports under Generate Reports. ^{Click the image to enlarge.}

Support Requests

When you submit a support request, this information is sent to Salesforce.

Data collected	Account ID Tenant ID Name Account Name Company Country Email address Phone number Description of support request
Console location	Support > Contact Support
Console settings	Create Case ^{Click the image to enlarge.}

Firewall Events

Users can determine whether the agent captures and sends user names as part of Firewall events.

Data collected	User name
Console location	Administration > System Settings > Agents
Console settings	Allow user name capture in network events ^{Click the image to enlarge.}

Intrusion Prevention and Firewall

You can optionally configure Workload Security to use a Whois service to look up which domain name is associated with an IP address when you review logged intrusion prevention and firewall events. The IP address is sent directly to the Whois service and not to Trend Micro.

Data collected	IP addresses
Console location	Administration > System Settings > Advanced
Console settings	Whois URL ^{Click the image to enlarge.}

Anti-Malware: Smart Protection

Smart Protection Server for File Reputation Service is used by the anti-malware module. It supplies file reputation information required by Smart Scan. Alternatively, you can use a locally installed Smart Protection Server.

Data collected	Product information Client device OS Malicious or suspicious file information Suspicious file signatures Malicious or suspicious process information
Console location	Computer or Policy editor > Anti-Malware > Smart Protection
Console settings	Connect directly to Global Smart Protection Service ^{Click the image to enlarge.}

Anti-Malware: Process Memory Scan

Process Memory Scan connects to the Good File Reputation Service. This information enables Workload Security to identify good file hashes.

Data collected	File hashes (SHA1)
Console location	Policies > Common Object > Other > Malware Scan Configurations > Real-Time Scan configuration > General
Console settings	Scan process memory for malware ^{Click the image to enlarge.}

Anti-Malware: Predictive Machine Learning

Predictive Machine Learning enables identification of potential malicious files.

Data collected	File name Path Signer Hashes (SHA1)
Console location	Policies > Common Objects > Other > Malware Scan Configurations > Real-Time Scan configuration > General
Console settings	Enable Predictive Machine Learning ^{Click the image to enlarge.}

Anti-Malware: Smart Scan

This information is sent when a file scan occurs and enables Workload Security to identify malicious file hashes.

Data collected	File hashes (CRC)
Console location	Computer or policy editor > Anti-Malware > Smart Protection > Smart Scan
Console settings	Untick Inherited check box (if it's selected) and select Off. ^{Click the image to enlarge.}

Anti-Malware: Behavior Monitoring

The behavior monitoring feature communicates with the Global Census Server and Good File Reputation Service. This enables Workload Security to identify good file hashes and to retrieve statistical data.

Data collected	File hashes (SHA1)
Console location	Policies > Common Objects > Other > Malware Scan Configuration > Real-Time Scan configuration > General
Console settings	Detect suspicious activity and unauthorized changes (incl. ransomware) Back up and restore ransomware-encrypted files ^{Click the image to enlarge.}

Integrity Monitoring

You can configure Workload Security to automatically tag integrity monitoring events. If you select the Certified Safe Software Service option, information is sent to the Trend Micro Certified Safe Software service. Alternatively, you can select one of the other options when configuring auto tagging, or don’t enable auto-tagging.

Data collected	File hashes (SHA1) and additional information
Console location	Events and Reports > Integrity Monitoring Events > Auto-Tagging > New Trusted Source
Console settings	Certified Safe Software Service ^{Click the image to enlarge.}

Web Reputation

The web reputation module uses the Trend Micro Smart Protection Network to determine whether URLs are malicious. When Connect directly to Global Smart Protection Service is selected, URLs are sent to Trend Micro. Alternatively, you can opt to use a locally installed Smart Protection Server. You must select one of these options to use the web reputation module. If you don’t want to use either of those options, go to the General tab and change the Web Reputation State to Off to disable the web reputation module.

Data collected	URL
Console location	Computer or Policy editor > Web Reputation > Smart Protection
Console settings	Connect directly to Global Smart Protection Service ^{Click the image to enlarge.}

Smart Feedback

Smart Feedback enables you to participate, share, and leverage Trend Micro’s global database of threat-related intelligence to rapidly identify and defend against potential threats within your unique network environment.

Smart Feedback is enabled by default for new customers.

Data collected	Hostname IP address Endpoint IP URL Filename/Path Suspicious executables and partial file content Industry Country
Console location	Administration > System Settings > Smart Feedback
Console settings	To disable Trend Micro Smart Feedback, uncheck the Enable Trend Micro Smart Feedback checkbox. ^{Click the image to enlarge.}

Anti-Malware: Identified (Quarantined) Files

An identified file is a file that has been found to be or to contain malware and has therefore been encrypted and moved to a special folder on the protected computer. Identified files are not sent to Workload Security unless you specifically download them using the actions described below.

Data collected	Files that have been identified as potential malware
Console location	Events & Reports > Events > Anti-Malware Events > Identified Files
Console settings	The file is sent to Workload Security only if you select it and click Download.

Activity Monitoring

Activity Monitoring is a protection policy that enables security activity to be sent to Trend Micro XDR, providing effective expert analytics and global threat intelligence using data collected across multiple vectors - email, endpoints, servers, cloud workloads, and networks.

Activity Monitoring data is only sent to Trend Micro if the server has the Activity Monitoring policy assigned and state of the policy is On.

Data collected	Tenant GUID Account name Protection module events: Anti-Malware Web Reputation Integrity Monitoring Log Inspection Intrusion Prevention Process activity File activity Network activity Registry activity (Windows only) Connection activity Domain query activity User account activity (Windows only) Modified process activity Memory activity Behavior Monitoring Activity
Console location	Computer or Policy editor > Activity Monitoring > General > Activity Monitoring State: On
Console settings	^{Click the image to enlarge.}

Data Center Gateway Registration

When you register a new Data Center Gateway on Workload Security, an identifiable name and optional description will be collected for future reference. The information that you provided may or may not refer to your data-center name or its location.

Data Center Gateway is required only for deployments that Add a VMware vCenter accounts to Cloud One Workload Security.

Data collected	Data Center Gateway Name Data Center Gateway Description
Console location	System Settings > Data Center Gateway > New
Console settings	^{Click the image to enlarge.}

VMware vCenter Registration

When you add a VMware vCenter account on Workload Security, the following data is stored and encrypted in order to synchronize the virtual machine data from vCenter servers.

Data collected	vCenter Server Address vCenter Server Port vCenter Credential
Console location	Computers > Add
Console settings	^{Click the image to enlarge.}

VMware vCenter Synchronization

Workload Security periodically synchronizes the virtual machine metadata from VMware vCenter via the Data Center Gateway. During this process the Data Center Gateway collects the following information for general product operation as well as analytics.

Data collected	For Data Center Gateways IP addresses Hostname For vCenter servers vCenter UUID (Moref) vCenter version vCenter build Custom fields For virtual machines Name Parent Hardware devices vApp Configs vmtool status IP address Network config Hostname Parent vApp Resource pool Runtime power state Runtime boot time Runtime suspend time Annotation Instance uuid Memory size in mb Number of cpu UUID Custom value For host systems (ESXI) Name Parent Network configuration Kernel module system Kernel module patch Hardware Summary Custom value For DataCenter Name Parent hostFolder vmFolder For vApp Folder Name Parent Parent folder For Compute Resource, Folder, Resource pool, Data store Name Parent
Console location	IP Address of the Data Center Gateway will not be displayed in the console or any customer facing location For the rest, will be shown in Computers page.
Console settings	^{Click the image to enlarge.} ^{Click the image to enlarge.} ^{Click the image to enlarge.} ^{Click the image to enlarge.}

BIF

This feature is used to calculate the installation base and system status of Workload Security.

Console settings
Data collected	Activation Code and GUID Product version Feature enabled status System status
Console location	This feature can be disabled. If you do not want this data to be collected, please go to System Settings > Advanced > Product Usage Data Collection and deselect Enable Product Usage Data Collection.

Anti-Malware Module: Agent Metrics Collection and Analytics Service

The Agent metrics are collected to understand how the agent is performing in a particular environment.

Based on the "Top N" data described below, Trend Micro can provide a suitable exclusion lists to mitigate possible performance issues.

Console settings
Data collected	Top N Scanned Files - File paths that are scanned the most Top N Busy Process - Process image paths that generate the most file/process/network events Top N Busy DirPath - Folder paths that generate the most file/process/network events Top N scanned process - Image path of running processes scanned by Workload Security
Console location	This is automatically collected via agent metrics and cannot be disabled.

Network Module: Agent Metrics Collection and Analytics Service

The Agent metrics are collected to understand how the agent is performing in a particular environment.

Based on the data collection below, Trend Micro can provide better Intrusion Prevention and Firewall support for the most popular connection invokers.

Console settings
Data collected	Process Command Line - command line that process used to set up the connection Process Executable Path - file path of the process that set up the connection Process Name - file name of the process that set up this connection
Console location	This is automatically collected via agent metrics and cannot be disabled.

Trend Vision One Integration

The XDR capabilities of Trend Micro Vision One applies effective expert analytics and global threat intelligence using data collected across multiple vectors - email, endpoints, servers, cloud workloads, and networks.

You can optionally configure Trend Micro Cloud One - Endpoint & Workload Security integration with Trend Vision One. This will send information from Endpoint & Workload Security to Trend Vision One where you can correlate threat information for all of your Trend Micro products.

Data collected	Forward security events to Trend Vision One Anti-Malware events Web Reputation events Integrity Monitoring events Log Inspection events Intrusion Prevention events Activity Monitoring events Device Control events Activity Monitoring Process activity File activity Network activity Connection activity Domain query activity Registry activity (Windows only) User account activity (Windows and macOS only)
Console location	Trend Micro Cloud One > Integrations > Trend Vision One™ Trend Vision One console > Service Management > Product Connector
Console settings	In the Trend Micro Cloud One console, connect to Trend Vision One by registering the Enrollment Token. In the Trend Vision One console, locate the Trend Micro Cloud One - Endpoint & Workload Security connectors and click Disconnect. After the connection is established, the data will be sent to Trend Vision One. Disabling this connection will result in no data being sent to Trend Vision One from Trend Micro Cloud One - Endpoint & Workload Security.

Active Directory Registration

Add an Active Directory connector in Workload Security to synchronize computer data from the domain. The data collected is encrypted and stored.

Data collected	Active Directory Server Address Active Directory Server Port The username and password of a domain user which used to fetch data from Active Directory Server
Console location	Computers > Add
Console settings	^{Click the image to enlarge.} ^{Click the image to enlarge.}

Active Directory Synchronization

Workload Security periodically synchronizes the computers' metadata from Active Directory via the Data Center Gateway. During this process, the Data Center Gateway collects the following information for general product operation and analytics.

Data collected	For Data Center Gateways IP addresses Hostname For Domain Controller DistinguishedName For Computers Name DistinguishedName Hardware devices IP address Network config Hostname Runtime power state Runtime boot time Runtime suspend time BIOS UUID Object GUID
Console location	The IP address of the Data Center Gateway will not be displayed in the console, or in any customer facing location. The rest of the collected data will be viewable from the Computers page.
Console settings	^{Click the image to enlarge.} ^{Click the image to enlarge.} ^{Click the image to enlarge.}

Keywords: data collection notice Workload Security, collected data by Workload Security, turn off data collection Workload Security, disable data gathering Workload Security

Trend Micro Cloud One™ – Workload Security Data Collection Notice

Product / Version includes:

Cloud One - Endpoint and Workload SecurityAll

Last updated: 2024/08/13

Solution ID: KA-0010653

Category: SPEC

Summary

The following sections outline the features that collect data, the data transmitted, and the locations on the product console where you can disable the features.

For accounts created via Cloud One, you may refer to the Trend Micro Cloud One Data Collection Notice.

     • Account Enrollment
     • User Access
     • User Authentication
     • General Product Operation
     • Email
     • Support Requests
     • Firewall Events
     • Intrusion Prevention and Firewall
     • Smart Protection
     • Process Memory Scan
     • Predictive Machine Learning
     • Smart Scan
     • Behavior Monitoring
     • Integrity Monitoring
     • Web Reputation
     • Smart Feedback
     • Anti-Malware: Identified (Quarantined) Files
     • Activity Monitoring
     • Data Center Gateway Registration
     • VMware vCenter Registration
     • VMware vCenter Synchronization
     • BIF
     • Anti-Malware Module: Agent Metrics Collection and Analytics Service
     • Network Module: Agent Metrics Collection and Analytics Service
     • Trend Micro Vision One Integration
     • Active Directory Registration
     • Active Directory Synchronization

To see where this data is processed, refer to our list of data centers and authorized data sub-processors and their locations.

All connections to the Trend Micro Smart Protection Network (SPN) include the Internet-facing source IP that originated the request to the Trend Micro servers, along with product type and version and operating system type and version. This data is collected in web server logs and Security Information and Event Management (SIEM) systems.

Account Enrollment

You supply this information when registering for a Workload Security account. Trend Micro uses this data for analytics and insight into Workload Security registration.

Console settings
Data collected	Name Email address Phone number(s) Country
Console location	Registration information is provided by the customer during the registration process. A minimum amount of information is required to ensure we can contact the account owner for support and maintenance of the service.

User Access

Data collected	User's name Email address Phone number(s)
Console location	Administration > User Management
Console settings	Users ^{Click the image to enlarge.} Contacts ^{Click the image to enlarge.}

User Authentication

Every user must have a password. You can remove users, but those users will no longer be able to access the Workload Security console.

User Authentication (Set Password)
Data collected	Passwords
Console location	Administration > User Management > Users > Properties
Console settings	Set Password ^{Click the image to enlarge.}

User Authentication (Contact Properties)
Data collected	Passwords
Console location	Administration > User Management > Contacts
Console settings	Properties ^{Click the image to enlarge.}

General Product Operation

When a security event occurs, information about the event is transferred to Trend Micro.

Workload Security, by design, does not collect personal information.

The default event retention period for Workload Security is 32 days.

General Product Operation (Modules)
Data collected	Security event information: Intrusion prevention packet URL reputation Firewall packet Log entry Malware file IP addresses
Console location	Computer or Policy editor > Select module (e.g. Anti-Malware, Web Reputation, etc)
Console settings	State: Off or Inherited (Off) ^{Click the image to enlarge.}

General Product Operation (Event Forwarding)
Data collected	Security event information: Intrusion prevention packet URL reputation Firewall packet Log entry Malware file IP addresses
Console location	Administration > System Settings > Event Forwarding
Console settings	Forward System Events to a remote computer (via Syslog) using configuration Publish Events to AWS Simple Notification Service ^{Click the image to enlarge.}

General Product Operation (Logging and Monitoring)
Data collected	Data from AWS ELB and other logs, including: Names Email addresses Session IDs IP addresses CloudWatch logs Server0 entries HTTP traffic
Console location	This information is stored in the Workload Security SIEM and is used for troubleshooting, monitoring, and overall protection of the system. It cannot be configured or disabled by customer.
Console settings

Email

Workload Security transmits reports, alerts, and registration confirmation to its email server when sending this information to customers.

Email Configuration (Users)
Data collected	Reports Alerts Registration confirmation
Console location	Administration > User Management > Users > Properties > Contact Information
Console settings	Receive Alert Emails ^{Click the image to enlarge.}

Email Configuration (Contacts)
Data collected	Reports Alerts Registration confirmation
Console location	Administration > User Management > Contacts
Console settings	Email Address ^{Click the image to enlarge.} This contact information will show up when configuring Scheduled Reports under Generate Reports. ^{Click the image to enlarge.}

Support Requests

When you submit a support request, this information is sent to Salesforce.

Data collected	Account ID Tenant ID Name Account Name Company Country Email address Phone number Description of support request
Console location	Support > Contact Support
Console settings	Create Case ^{Click the image to enlarge.}

Firewall Events

Users can determine whether the agent captures and sends user names as part of Firewall events.

Data collected	User name
Console location	Administration > System Settings > Agents
Console settings	Allow user name capture in network events ^{Click the image to enlarge.}

Intrusion Prevention and Firewall

Data collected	IP addresses
Console location	Administration > System Settings > Advanced
Console settings	Whois URL ^{Click the image to enlarge.}

Anti-Malware: Smart Protection

Data collected	Product information Client device OS Malicious or suspicious file information Suspicious file signatures Malicious or suspicious process information
Console location	Computer or Policy editor > Anti-Malware > Smart Protection
Console settings	Connect directly to Global Smart Protection Service ^{Click the image to enlarge.}

Anti-Malware: Process Memory Scan

Process Memory Scan connects to the Good File Reputation Service. This information enables Workload Security to identify good file hashes.

Data collected	File hashes (SHA1)
Console location	Policies > Common Object > Other > Malware Scan Configurations > Real-Time Scan configuration > General
Console settings	Scan process memory for malware ^{Click the image to enlarge.}

Anti-Malware: Predictive Machine Learning

Predictive Machine Learning enables identification of potential malicious files.

Data collected	File name Path Signer Hashes (SHA1)
Console location	Policies > Common Objects > Other > Malware Scan Configurations > Real-Time Scan configuration > General
Console settings	Enable Predictive Machine Learning ^{Click the image to enlarge.}

Anti-Malware: Smart Scan

This information is sent when a file scan occurs and enables Workload Security to identify malicious file hashes.

Data collected	File hashes (CRC)
Console location	Computer or policy editor > Anti-Malware > Smart Protection > Smart Scan
Console settings	Untick Inherited check box (if it's selected) and select Off. ^{Click the image to enlarge.}

Anti-Malware: Behavior Monitoring

Data collected	File hashes (SHA1)
Console location	Policies > Common Objects > Other > Malware Scan Configuration > Real-Time Scan configuration > General
Console settings	Detect suspicious activity and unauthorized changes (incl. ransomware) Back up and restore ransomware-encrypted files ^{Click the image to enlarge.}

Integrity Monitoring

Data collected	File hashes (SHA1) and additional information
Console location	Events and Reports > Integrity Monitoring Events > Auto-Tagging > New Trusted Source
Console settings	Certified Safe Software Service ^{Click the image to enlarge.}

Web Reputation

Data collected	URL
Console location	Computer or Policy editor > Web Reputation > Smart Protection
Console settings	Connect directly to Global Smart Protection Service ^{Click the image to enlarge.}

Smart Feedback

Smart Feedback is enabled by default for new customers.

Data collected	Hostname IP address Endpoint IP URL Filename/Path Suspicious executables and partial file content Industry Country
Console location	Administration > System Settings > Smart Feedback
Console settings	To disable Trend Micro Smart Feedback, uncheck the Enable Trend Micro Smart Feedback checkbox. ^{Click the image to enlarge.}

Anti-Malware: Identified (Quarantined) Files

Data collected	Files that have been identified as potential malware
Console location	Events & Reports > Events > Anti-Malware Events > Identified Files
Console settings	The file is sent to Workload Security only if you select it and click Download.

Activity Monitoring

Activity Monitoring data is only sent to Trend Micro if the server has the Activity Monitoring policy assigned and state of the policy is On.

Data collected	Tenant GUID Account name Protection module events: Anti-Malware Web Reputation Integrity Monitoring Log Inspection Intrusion Prevention Process activity File activity Network activity Registry activity (Windows only) Connection activity Domain query activity User account activity (Windows only) Modified process activity Memory activity Behavior Monitoring Activity
Console location	Computer or Policy editor > Activity Monitoring > General > Activity Monitoring State: On
Console settings	^{Click the image to enlarge.}

Data Center Gateway Registration

Data Center Gateway is required only for deployments that Add a VMware vCenter accounts to Cloud One Workload Security.

Data collected	Data Center Gateway Name Data Center Gateway Description
Console location	System Settings > Data Center Gateway > New
Console settings	^{Click the image to enlarge.}

VMware vCenter Registration

When you add a VMware vCenter account on Workload Security, the following data is stored and encrypted in order to synchronize the virtual machine data from vCenter servers.

Data collected	vCenter Server Address vCenter Server Port vCenter Credential
Console location	Computers > Add
Console settings	^{Click the image to enlarge.}

VMware vCenter Synchronization

Data collected	For Data Center Gateways IP addresses Hostname For vCenter servers vCenter UUID (Moref) vCenter version vCenter build Custom fields For virtual machines Name Parent Hardware devices vApp Configs vmtool status IP address Network config Hostname Parent vApp Resource pool Runtime power state Runtime boot time Runtime suspend time Annotation Instance uuid Memory size in mb Number of cpu UUID Custom value For host systems (ESXI) Name Parent Network configuration Kernel module system Kernel module patch Hardware Summary Custom value For DataCenter Name Parent hostFolder vmFolder For vApp Folder Name Parent Parent folder For Compute Resource, Folder, Resource pool, Data store Name Parent
Console location	IP Address of the Data Center Gateway will not be displayed in the console or any customer facing location For the rest, will be shown in Computers page.
Console settings	^{Click the image to enlarge.} ^{Click the image to enlarge.} ^{Click the image to enlarge.} ^{Click the image to enlarge.}

BIF

This feature is used to calculate the installation base and system status of Workload Security.

Console settings
Data collected	Activation Code and GUID Product version Feature enabled status System status
Console location	This feature can be disabled. If you do not want this data to be collected, please go to System Settings > Advanced > Product Usage Data Collection and deselect Enable Product Usage Data Collection.

Anti-Malware Module: Agent Metrics Collection and Analytics Service

The Agent metrics are collected to understand how the agent is performing in a particular environment.

Based on the "Top N" data described below, Trend Micro can provide a suitable exclusion lists to mitigate possible performance issues.

Console settings
Data collected	Top N Scanned Files - File paths that are scanned the most Top N Busy Process - Process image paths that generate the most file/process/network events Top N Busy DirPath - Folder paths that generate the most file/process/network events Top N scanned process - Image path of running processes scanned by Workload Security
Console location	This is automatically collected via agent metrics and cannot be disabled.

Network Module: Agent Metrics Collection and Analytics Service

The Agent metrics are collected to understand how the agent is performing in a particular environment.

Based on the data collection below, Trend Micro can provide better Intrusion Prevention and Firewall support for the most popular connection invokers.

Console settings
Data collected	Process Command Line - command line that process used to set up the connection Process Executable Path - file path of the process that set up the connection Process Name - file name of the process that set up this connection
Console location	This is automatically collected via agent metrics and cannot be disabled.

Trend Vision One Integration

Data collected	Forward security events to Trend Vision One Anti-Malware events Web Reputation events Integrity Monitoring events Log Inspection events Intrusion Prevention events Activity Monitoring events Device Control events Activity Monitoring Process activity File activity Network activity Connection activity Domain query activity Registry activity (Windows only) User account activity (Windows and macOS only)
Console location	Trend Micro Cloud One > Integrations > Trend Vision One™ Trend Vision One console > Service Management > Product Connector
Console settings	In the Trend Micro Cloud One console, connect to Trend Vision One by registering the Enrollment Token. In the Trend Vision One console, locate the Trend Micro Cloud One - Endpoint & Workload Security connectors and click Disconnect. After the connection is established, the data will be sent to Trend Vision One. Disabling this connection will result in no data being sent to Trend Vision One from Trend Micro Cloud One - Endpoint & Workload Security.

Active Directory Registration

Add an Active Directory connector in Workload Security to synchronize computer data from the domain. The data collected is encrypted and stored.

Data collected	Active Directory Server Address Active Directory Server Port The username and password of a domain user which used to fetch data from Active Directory Server
Console location	Computers > Add
Console settings	^{Click the image to enlarge.} ^{Click the image to enlarge.}

Active Directory Synchronization

Data collected	For Data Center Gateways IP addresses Hostname For Domain Controller DistinguishedName For Computers Name DistinguishedName Hardware devices IP address Network config Hostname Runtime power state Runtime boot time Runtime suspend time BIOS UUID Object GUID
Console location	The IP address of the Data Center Gateway will not be displayed in the console, or in any customer facing location. The rest of the collected data will be viewable from the Computers page.
Console settings	^{Click the image to enlarge.} ^{Click the image to enlarge.} ^{Click the image to enlarge.}

Was this article helpful?