Data Collection Disclosure - Trend Micro Vision One

General Trend Micro Vision One Service

Data Collected	Email Phone number Contact names IP Address
Console Location	Data provided to Trend Micro during on-boarding process and during normal service delivery.
Console Settings	Account Management - Name and email required if additional accounts are created.

Configurable Additional Data Collection Using the Trend Micro Vision One Console

Description fields
Data Collected	Customer provided text
Console Location	Various locations throughout the Trend Micro Vision One product console Optional: Free-Form Text field for customer user to provide additional information at their discretion. Please do not enter any personal or sensitive information.

Share your Feedback
Data Collected	Customer provided text Optional- Customers may submit feature requests and ideas to the Trend Micro Vision One Product team. Please do not input any personal or sensitive information into the feedback form.
Console Location	[XDR Resource Center menu icon] > Share Your Feedback > Make a Suggestion
Console Settings	Make a Suggestion

Search App
Data Collected	Saved queries of search history, including: Names (user, domain, file, object) UserID Email addresses IP addresses Browsing history Command history Optional: User can save the search parameters for future queries.
Console Location

Trend Micro Vision One Terms of Service (Endpoint Basecamp)
Data Collected	Endpoint name IP address Mac address After customers agree to the Terms of Service, Privacy Notice and DataCollection Notice, the data collection can’t be disabled
Console Location	To enable: Trend Micro XDR Terms of Service > I agree to the Terms of Service, Privacy Notice, and Data Collection Notice > Get Started To disable: Open Task Scheduler on each endpoint and disable the "Trend Micro Endpoint Basecamp" scheduled task. Run Windows Task Scheduler > Click Task Scheduler Library > right-click Trend Micro Endpoint Basecamp > Disable

Email Inventory
Data Collected	Account name User display name Group name User membership Mailbox account Email address The data collection can't be disabled when customers use Email Inventory.
Console Location	To enable: Email Inventory > configure the following: Use the Exchange Web Service Managed API for quarantine management Use the Graph API to access all mailboxes Access the user profiles and mailboxes To disable: Click the Help icon > Contact Support, and open a support ticket.

Endpoint Inventory - Enable Trend Micro Vision One capabilities
Data Collected	Command line File name File owner File signer Host name IP address Process owner Registry data User name URL Windows event log
Console Location	To enable: Endpoint Inventory > Available endpoints tab > [select endpoint] > Enable To Disable: Endpoint Inventory > Reporting to XDR tab > [select endpoint] > Disable

The user ID and user account are used for user behavior tracking and auditing. The company ID identifies which company this customer belongs to.

Endpoint Security Settings
Data Collected	User ID User Account Company ID
Console Location	Security Settings > Endpoint
Console Settings	Endpoint

Zero Trust Risk Insights

This data is needed to determine if a sign-in activity is suspicious and if the use of cloud app is risky.

Data Source: Azure AD
Data Collected	Data transmitted relates to sign-on activities. User information User ID User display name User principal name IP address Groups Location (city, state, country) Email address Job title Department Given name Surname Email nickname IM addresses Last password change datetime Application being used App ID App display name Client app used Sign in Logs Sign-in initiated time Device detail (Browser and OS) Location Status Conditional access status Correlation ID Risk state Risk detail Risk level aggregated Risk level during sign-in Risk event types Resource display name Resource ID
Console Location	Zero Trust Risk Insights App > Data source configuration > Azure AD > Data upload permission > Off

This data is needed to determine if activities on an endpoint are risky. This data is needed to determine if a device is vulnerable.

Data Source: Endpoint Sensor
Data Collected	Data transmitted relates to an access to a URL (an event). Endpoint name Logon user name User principal name Logon user domain IP addresses Suspicious file path Suspicious file name Suspicious file hash URL OS version Agent ID OS name Software name Software version File paths CVE ID CVE score
Console Location	Zero Trust Risk Insights App > Data source configuration > Endpoint sensor > Data upload permission > Off

Disabling the data source only prevents Zero Trust Risk Insights from accessing the data collected by Endpoint Sensors. To prevent Endpoint Sensor from collecting data, uninstall Endpoint Sensor from the endpoint.

This data is needed to determine if the use of cloud app is risky.

Data Source: 3rd party logs (Splunk Enterprise)
Data Collected	Data transmitted relates to URL access events. Event time Source IP address Host name: from where the event is initiated Website: the URL Count: aggregated times of the access User name: user who initiates the event
Console Location	Zero Trust Risk Insights App > Data source configuration > 3rd party logs > Data upload permission > Off

This data is needed to determine if activities on mobile device are risky.

Data Source: Mobile Sensor
Data Collected	Logon user name User principal name IP address App name App package name Device hostname Device OS URL
Console Location	Zero Trust Risk Insights App > Data source configuration > Mobile sensor > Data upload permission > Off Disabling the data source only prevents Zero Trust Risk Insights from accessing the data collected by Mobile Sensors. To prevent Mobile Sensor from collecting data, uninstall Mobile Sensor from the device.

This data is needed to determine if a sign-in activity is suspicious and if the use of cloud app is risky.

Data Source: Okta
Data Collected	Data transmitted relates to Okta sign-in activities. User information User ID User display name User principal name Location (country, state, city) Job title Email address User type Company name Department Given name Surname Nickname Group Second email address Account create datetime Last password change datetime Sign-in logs Sign-in event time User principal name Endpoint IP address Request URI Device OS Device browser User ID User display name Location (country, state, city, postcode, geolocation) Sign-in status
Console Location	Zero Trust Risk Insights App > Data source configuration > Okta > Data upload permission > Off

The data is needed to determine if Microsoft Office 365 account has potential risk.

Data Source: Office 365 > Data upload permission
Data Collected	OneDrive activity report Report refresh date User principal name Deleted Deleted date Last activity date Files viewed or edited (count) Files synced (count) Files shared internally (count) Files shared externally (count) Products assigned Report period OneDrive usage report Report refresh date Site URL Owner username Owner principal name Deleted Last activity date Files (count) Active files (count) Storage used (Byte) Storage allocated (Byte) Report period SharePoint activity report Report refresh date User principal name Deleted Deleted date Last activity date Files viewed or edited (count) Files synced (count) Files shared internally (count) Files shared externally (count) Pages visited (count) Products assigned Report period SharePoint site usage report Report refresh date Site ID Site URL Site owner username Site owner principal name Deleted Last activity date Files (count) Active files (count) Page views (count) Page visited (count) Storage used (Byte) Storage allocated (Byte) Root web template Report period Outlook email app usage report Report refresh date User principal name Display Name Deleted Deleted date Last activity date Outlook (Mac) Outlook (Windows) Outlook (Mobile) Mobile Outlook on the web POP3 app IMAP4 app SMTP app Report period Mailbox usage report Report refresh date User principal name Display name Deleted Deleted date Created date Last activity date Item count Storage used (Byte) Issue warning quota (Byte) Prohibit send quota (Byte) Prohibit send/receive quota (Byte) Deleted Item Count Deleted Item Size (Byte) Report period Email activity report Report refresh date User principal name Display name Deleted Deleted date Last activity date Send actions (count) Receive actions (count) Read actions (count) Products assigned Report period Microsoft Teams user activity report Report refresh date User principal name Last activity date Deleted Deleted date Products assigned Channel messages (count) Chat messages (count) 1:1 calls (count) Total meetings (count) Other activity Report period
Console Location	Zero Trust Risk Insights App > Data source configuration > Office 365 > Data upload permission > Off

This data is needed to determine if Microsoft Office 365 account has been compromised or has risky activities.

Data Source: Office 365 > Threat detection upload permission
Data Collected	File name File SHA1 File MD5 User principal name SharePoint/OneDrive file path URL File upload time File type Email meta information
Console Location	Zero Trust Risk Insights App > Data source configuration > Office 365 > Threat detection upload permission > Off

This data is needed to determine if the use of cloud app is risky.

Data Source: Web Sensor
Data Collected	Cloud app access logs User name URL accessed Department Device name User principal name AD domain Browsing time
Console Location	Zero Trust Risk Insights App > Data source configuration > Web sensor > Off

Sandbox Analysis App

Users can submit objects for analysis using the Trend Micro Vision One product console or public API.

Data Collected	Data transmitted relates to user submitted object. File Name File Content Archive file password File password Virtual Analyzer Report and Suspicious Objects from analysis result of integrated products, like Apex One, Cloud App Security, Deep Discovery Inspector and Service Gateway. The data collection cannot be disabled when the products are connected to Trend Micro Vision One.
Console Location	THREAT INTELLIGENCE > Sandbox Analysis > Submit Object

Service Gateway

Service Gateway Inventory
Description	When Service Gateway appliance is registered to Vision One / Service Gateway Inventory, it will provide the appliance related information back to Vision One. Customers can disconnect/delete this appliance to disable it via Vision One Service Gateway Inventory.
Data Collected	Hostname IP address Service URL DISK usage CPU usage Memory usage Network throughput IP address/Hostname of connected devices
Console Location	Inventory Management > Service Gateway Inventory > Disconnect
Console Settings	Disconnect

Smart Protection Services
Description	The SPS service running at Service Gateway appliance will carry URL, File path or IP address information back to SPN service when point products do SPN query to Service Gateway appliance. Customers can disable this service via Vision One Service Gateway Inventory to disable this behavior.
Data Collected	URL File path IP address
Console Location	Inventory Management > Service Gateway Inventory > Configure
Console Settings

Active Update and Program update
Description	The Active Update service running at Service Gateway appliance will carry IP address information of appliance back to Vision One, same for Auto Update feature. Customers can disable this service and disable the Automatic Update feature via Vision One Service Gateway Inventory to disable this behavior.
Data Collected	IP address
Console Location	Inventory Management > Service Gateway Inventory > Configure
Console Settings

Third Party Integration, Suspicious Object List Synchronization
Description	The Third Party Integration & Suspicious Object List Synchronization service running at Service Gateway appliance will carry IP address, Suspicious Objects and Virtual Analyzer Report back to SPN service when point products do Suspicious Object Sync with Service Gateway appliance. Customer can disable both services via Vision One Service Gateway Inventory to disable this behavior.
Data Collected	IP address Suspicious Objects Virtual Analyzer Report
Console Location	Inventory Management > Service Gateway Inventory > Configure
Console Settings

Trend Micro Vision One Data Center Locations

Country of Purchase	Data Center Location for Azure ^{Future Site for new Customers}*	Data Center Location for AWS ^{Future Site for new Customers}*
USA	East US – N. Virginia	East US – N. Virginia
EU	West Europe-Netherlands	Frankfurt, Germany
Japan	Tokyo, Japan	Tokyo, Japan
SG	Singapore	Singapore
ANZ	East US – N. Virginia *Canberra, Australia	East US – N. Virginia *Sydney, Australia
EU - UK	West Europe-Netherlands	Frankfurt, Germany
Canada	East US – N. Virginia	East US – N. Virginia
India	Mumbai	Mumbai

Zero Trust Secure Access

Zero Trust Secure Access includes the following modules which may cause the corresponding personal data to be transmitted to Trend Micro. Detailed information and instruction are provided below for opt-out of the personal data collection by disabling specific modules. Modules that cannot be disabled are indicated below.

Permission control
Description	Permission control allows the admin to control network access to corporate applications by authorized users/devices. To prevent Trend Micro Vision One from collecting data, stop using Zero Trust Network Access.
Data Collected	IP address OS type User Principle Name HTTP URL
Console Location	Zero Trust Secure Access > Secure Access Rules > Permission Control ^{Click the image to enlarge.}

Access Control History
Description	Access Control History allows the admin to view user activity logs generated by permission control. To prevent Trend Micro Vision One from collecting data, stop using Zero Trust Security Access.
Data Collected	IP address OS type OS version User Principle Name HTTP URL Hostname User agent
Console Location	Zero Trust Secure Access > Access Control History > Action count ^{Click the image to enlarge.}

Need More Help?