Data Collection Disclosure - Trend Micro Vision One

General Trend Micro Vision One Service

Data Collected	Email Phone number Contact names IP Address
Console Location	Data provided to Trend Micro during on-boarding process and during normal service delivery.
Console Settings	Account Management - Name and email required if additional accounts are created.

Configurable Additional Data Collection Using the Trend Micro Vision One Console

Description fields
Data Collected	Customer provided text
Console Location	Various locations throughout the Trend Micro Vision One product console Optional: Free-Form Text field for customer user to provide additional information at their discretion. Please do not enter any personal or sensitive information.

Share your Feedback
Data Collected	Customer provided text Optional- Customers may submit feature requests and ideas to the Trend Micro Vision One Product team. Please do not input any personal or sensitive information into the feedback form.
Console Location	[XDR Resource Center menu icon] > Share Your Feedback > Make a Suggestion
Console Settings	Make a Suggestion

Search App
Data Collected	Saved queries of search history, including: Names (user, domain, file, object) UserID Email addresses IP addresses Browsing history Command history Optional: User can save the search parameters for future queries.
Console Location

Trend Micro Vision One Terms of Service (Endpoint Basecamp)
Data Collected	Endpoint name IP address Mac address After customers agree to the Terms of Service, Privacy Notice and DataCollection Notice, the data collection can’t be disabled
Console Location	To enable: Trend Micro XDR Terms of Service > I agree to the Terms of Service, Privacy Notice, and Data Collection Notice > Get Started To disable: Open Task Scheduler on each endpoint and disable the "Trend Micro Endpoint Basecamp" scheduled task. Run Windows Task Scheduler > Click Task Scheduler Library > right-click Trend Micro Endpoint Basecamp > Disable

Email Inventory
Data Collected	Account name User display name Group name User membership Mailbox account Email address The data collection can't be disabled when customers use Email Inventory.
Console Location	To enable: Email Inventory > configure the following: Use the Exchange Web Service Managed API for quarantine management Use the Graph API to access all mailboxes Access the user profiles and mailboxes To disable: Click the Help icon > Contact Support, and open a support ticket.

Endpoint Inventory - Enable Trend Micro Vision One capabilities
Data Collected	Command line File name File owner File signer Host name IP address Process owner Registry data User name URL Windows event log
Console Location	To enable: Endpoint Inventory > Available endpoints tab > [select endpoint] > Enable To Disable: Endpoint Inventory > Reporting to XDR tab > [select endpoint] > Disable

Identity & Risk Insights

This data is needed to determine if a sign-on activity is suspicious and if the use of a cloud application is allowed.

Log Collection from Azure AD
Data Collected	Data transmitted relates to sign-on activities. User information userID userDisplayName userPrincipalName ipAddress location (city, state and country) mailAddress jobTitle department givenname surname mailNickname imAddresses lastPasswordChangeDateTime Groups application being used (appID, appDisplayName ,clientAppUsed) createdDateTime devicedetail (browser and OS) Sign in Logs location status conditionalAccessStatus correlationId riskState riskDetail riskLevelAggregated riskLevelDuringSignIn riskEventTypes resourceDisplayName resourceId
Console Location	Identity & Risk Insights App > Configure data source. Contact Trend Micro Technical Support to turn off data transmission in order to prevent collecting logs in the future.

This data is needed to determine if the use of a cloud application is allowed.

Log Collection from Splunk Enterprise
Data Collected	Data transmitted relates to an access to a URL (an event). Eventhour : the time the event happens. Src : IP address from where the event is initiated. Hostname : from where the event is initiated. Website : the URL Count : times of the access (aggregated) Username : user who initiates the event.
Console Location	Identity & Risk Insights App > Configure data source Contact Trend Micro Technical Support to turn off data transmission in order to prevent collecting logs in the future.

The data is needed to determine if OneDrive account has potential risk.

OneDrive usage & activity data fields from Office 365
Data Collected	OneDrive Activity User Detail Report Refresh Date User Principal Name Is Deleted Deleted Date Last Activity Date Viewed Or Edited File Count Synced File Count Shared Internally File Count Shared Externally File Count Assigned Products Report Period OneDrive Usage Account Detail Report Refresh Date Site URL Owner Display Name Is Deleted Last Activity Date File Count Active File Count Storage Used (Byte) Storage Allocated (Byte) Owner Principal Name Report Period
Console Location	Cloud Visibility App > Data source configuration. Contact Trend Micro Technical Support to turn off data transmission in order to prevent collecting logs in the future.

The data is needed to determine if SharePoint account has potential risk.

SharePoint usage & activity data fields from Office 365
Data Collected	SharePoint Activity User Detail Report Refresh Date User Principal Name Is Deleted Deleted Date Last Activity Date Viewed Or Edited File Count Synced File Count Shared Internally File Count Shared Externally File Count Visited Page Count Assigned Products Report Period SharePoint Site Usage Account Detail Report Refresh Date Site Id Site URL Owner Display Name Is Deleted Last Activity Date File Count Active File Count Page View Count Visited Page Count Storage Used (Byte) Storage Allocated (Byte) Root Web Template Owner Principal Name Report Period SharePoint Activity File Counts Report Refresh Date Viewed Or Edited Synced Shared Internally Shared Externally Report Date Report Period
Console Location	Cloud Visibility App > Data source configuration. Contact Trend Micro Technical Support to turn off data transmission in order to prevent collecting logs in the future.

The data is needed to determine if Outlook account has potential risk.

Outlook usage & activity data fields from Office 365
Data Collected	Email App Usage User Detail Report Refresh Date User Principal Name Display Name Is Deleted Deleted Date Last Activity Date Mail For Mac Outlook For Mac Outlook For Windows Outlook For Mobile Other For Mobile Outlook For Web POP3 App IMAP4 App SMTP App Report Period Mailbox Usage Detail Report Refresh Date User Principal Name Display Name Is Deleted Deleted Date Created Date Last Activity Date Item Count Storage Used (Byte) Issue Warning Quota (Byte) Prohibit Send Quota (Byte) Prohibit Send/Receive Quota (Byte) Deleted Item Count Deleted Item Size (Byte) Report Period Email Activity User Detail Report Refresh Date User Principal Name Display Name Is Deleted Deleted Date Last Activity Date Send Count Receive Count Read Count Assigned Products Report Period
Console Location	Cloud Visibility App > Data source configuration. Contact Trend Micro Technical Support to turn off data transmission in order to prevent collecting logs in the future.

The data is needed to determine if Teams account has potential risk.

Teams activity data fields from Office 365
Data Collected	Teams User Activity User Detail Report Refresh Date User Principal Name Last Activity Date Is Deleted Deleted Date Assigned Products Team Chat Message Count Private Chat Message Count Call Count Meeting Count Has Other Action Report Period
Console Location	Cloud Visibility App > Data source configuration. Contact Trend Micro Technical Support to turn off data transmission in order to prevent collecting logs in the future.

This data is needed to determine if O365 account has been compromised.

O365 (Exchange Online, SharePoint Online, OneDrive for Business) Risk Insights
Data Collected	File name File SHA1 File MD5 User principal name SharePoint/OneDrive folder path URL File upload time File type
Console Location	Identity & Risk Insights App > Data source configuration. Contact Trend Micro Technical Support to turn off data transmission in order to prevent collecting logs in the future.

This data is needed to determine if the use of cloud service is allowed.

Web Gateway Risk Insights
Data Collected	User name URL accessed Department Device name User principal name AD domain Browsing time
Console Location	Identity & Risk Insights App > Data source configuration. Contact Trend Micro Technical Support to turn off data transmission in order to prevent collecting logs in the future.

Service Gateway

Service Gateway Inventory
Data Collected	Hostname IP address Service URL DISK usage CPU usage Memory usage Network throughput IP address/Hostname of connected devices
Console Location	Inventory Management > Service Gateway Inventory > Disconnect
Console Settings	Disconnect

Smart Protection Services
Data Collected	URL File path IP address
Console Location	Inventory Management > Service Gateway Inventory > Configure
Console Settings

Third Party Integration, Active Update and Program update
Data Collected	IP address
Console Location	Inventory Management > Service Gateway Inventory > Configure
Console Settings

Trend Micro Vision One Data Center Locations

Country of Purchase	USA	EU	Japan	SG	ANZ	EU - UK	Canada
Data Center Location for Azure *Future Site for new Customers	East US – N. Virginia	West Europe-Netherlands	Tokyo, Japan	Singapore	East US – N. Virginia *Canberra, Australia	West Europe-Netherlands	East US – N. Virginia
Data Center Location for AWS *Future Site for new Customers	East US – N. Virginia	Frankfurt, Germany	Tokyo, Japan	Singapore	East US – N. Virginia *Sydney, Australia	Frankfurt, Germany	East US – N. Virginia

Need More Help?

Trend Micro Vision One Data Collection Notice

General Trend Micro Vision One Service

Configurable Additional Data Collection Using the Trend Micro Vision One Console

Identity & Risk Insights

Service Gateway

Trend Micro Vision One Data Center Locations