Trend Micro Vision One Data Collection Notice

    • Updated: 28 Oct 2021
    • Product/Version: Trend Micro Vision One; Trend Micro Vision One All
Summary

The following sections outline the features that collect data, the data transmitted, and the locations on the related product consoles where you can disable the features.

To see where this data is processed, refer to our list of data centers and authorized data subprocessors and their locations.

Details

General Trend Micro Vision One Service

Data Collected
  • Email
  • Phone number
  • Contact names
  • IP Address
Console Location: Data provided to Trend Micro during on-boarding process and during normal service delivery.
Console Settings: Account Management - Name and email required if additional accounts are created.

Configurable Additional Data Collection Using the Trend Micro Vision One Console

Description fields
Data Collected: Customer provided text
Console Location: Various locations throughout the Trend Micro Vision One product console

Optional: A free-form text field in which the customer's user can provide additional information at their discretion. Please do not enter any personal or sensitive information.

Share your Feedback
Data Collected: Customer provided text

Optional: Customers may submit feature requests and ideas to the Trend Micro Vision One Product team. Please do not input any personal or sensitive information into the feedback form.

Console Location: [XDR Resource Center menu icon] > Share Your Feedback > Make a Suggestion
Console Settings
  • Make a Suggestion

Search App
Data Collected: Saved queries of search history, including:
  • Names (user, domain, file, object)
  • UserID
  • Email addresses
  • IP addresses
  • Browsing history
  • Command history

Optional: User can save the search parameters for future queries.

Console Location

Saved Search Queries

Trend Micro Vision One Terms of Service (Endpoint Basecamp)
Data Collected
  • Endpoint name
  • IP address
  • MAC address

After customers agree to the Terms of Service, Privacy Notice and Data Collection Notice, the data collection can’t be disabled.

Console Location

To enable: Trend Micro XDR Terms of Service > I agree to the Terms of Service, Privacy Notice, and Data Collection Notice > Get Started


To disable: Open Task Scheduler on each endpoint and disable the "Trend Micro Endpoint Basecamp" scheduled task.

Run Windows Task Scheduler > Click Task Scheduler Library > right-click Trend Micro Endpoint Basecamp > Disable


Email Inventory
Data Collected
  • Account name
  • User display name
  • Group name
  • User membership
  • Mailbox account
  • Email address

The data collection can't be disabled when customers use Email Inventory.

Console Location
  • To enable: Email Inventory > configure the following:
    • Use the Exchange Web Service Managed API for quarantine management
    • Use the Graph API to access all mailboxes
    • Access the user profiles and mailboxes
  • To disable: Click the Help icon > Contact Support, and open a support ticket.


Endpoint Inventory - Enable Trend Micro Vision One capabilities
Data Collected
  • Command line
  • File name
  • File owner
  • File signer
  • Host name
  • IP address
  • Process owner
  • Registry data
  • User name
  • URL
  • Windows event log
Console Location
  • To enable: Endpoint Inventory > Available endpoints tab > [select endpoint] > Enable


  • To disable: Endpoint Inventory > Reporting to XDR tab > [select endpoint] > Disable

The user ID and user account are used for user behavior tracking and auditing. The company ID identifies which company this customer belongs to.

Endpoint Security Settings
Data Collected
  • User ID
  • User Account
  • Company ID
Console Location: Security Settings > Endpoint
Console Settings
  • Endpoint

Zero Trust Risk Insights

This data is needed to determine if a sign-in activity is suspicious and if the use of a cloud app is risky.

Data Source: Azure AD
Data Collected

Data transmitted relates to sign-on activities.

  • User information

    • User ID
    • User display name
    • User principal name
    • IP address
    • Groups
    • Location (city, state, country)
    • Email address
    • Job title
    • Department
    • Given name
    • Surname
    • Email nickname
    • IM addresses
    • Last password change datetime
  • Application being used

    • App ID
    • App display name
    • Client app used
  • Sign-in logs

    • Sign-in initiated time
    • Device detail (Browser and OS)
    • Location
    • Status
    • Conditional access status
    • Correlation ID
    • Risk state
    • Risk detail
    • Risk level aggregated
    • Risk level during sign-in
    • Risk event types
    • Resource display name
    • Resource ID
Console Location: Zero Trust Risk Insights App > Data source configuration > Azure AD > Data upload permission > Off

This data is needed to determine if activities on an endpoint are risky. This data is needed to determine if a device is vulnerable.

Data Source: Endpoint Sensor
Data Collected

Data transmitted relates to an access to a URL (an event).

  • Endpoint name
  • Logon user name
  • User principal name
  • Logon user domain
  • IP addresses
  • Suspicious file path
  • Suspicious file name
  • Suspicious file hash
  • URL
  • OS version
  • Agent ID
  • OS name
  • Software name
  • Software version
  • File paths
  • CVE ID
  • CVE score
Console Location: Zero Trust Risk Insights App > Data source configuration > Endpoint sensor > Data upload permission > Off

Disabling the data source only prevents Zero Trust Risk Insights from accessing the data collected by Endpoint Sensors. To prevent Endpoint Sensor from collecting data, uninstall Endpoint Sensor from the endpoint.
 

This data is needed to determine if the use of a cloud app is risky.

Data Source: 3rd party logs (Splunk Enterprise)
Data Collected

Data transmitted relates to URL access events.

  • Event time
  • Source IP address
  • Host name: from where the event is initiated
  • Website: the URL
  • Count: aggregated times of the access
  • User name: user who initiates the event
Console Location: Zero Trust Risk Insights App > Data source configuration > 3rd party logs > Data upload permission > Off

This data is needed to determine if activities on a mobile device are risky.

Data Source: Mobile Sensor
Data Collected
  • Logon user name
  • User principal name
  • IP address
  • App name
  • App package name
  • Device hostname
  • Device OS
  • URL
Console Location: Zero Trust Risk Insights App > Data source configuration > Mobile sensor > Data upload permission > Off

Disabling the data source only prevents Zero Trust Risk Insights from accessing the data collected by Mobile Sensors. To prevent Mobile Sensor from collecting data, uninstall Mobile Sensor from the device.
 

This data is needed to determine if a sign-in activity is suspicious and if the use of a cloud app is risky.

Data Source: Okta
Data Collected

Data transmitted relates to Okta sign-in activities.

  • User information

    • User ID
    • User display name
    • User principal name
    • Location (country, state, city)
    • Job title
    • Email address
    • User type
    • Company name
    • Department
    • Given name
    • Surname
    • Nickname
    • Group
    • Second email address
    • Account create datetime
    • Last password change datetime
  • Sign-in logs

    • Sign-in event time
    • User principal name
    • Endpoint IP address
    • Request URI
    • Device OS
    • Device browser
    • User ID
    • User display name
    • Location (country, state, city, postcode, geolocation)
    • Sign-in status
Console Location

Zero Trust Risk Insights App > Data source configuration > Okta > Data upload permission > Off


This data is needed to determine if a Microsoft Office 365 account has potential risk.

Data Source: Office 365 > Data upload permission
Data Collected
  • OneDrive activity report
    • Report refresh date
    • User principal name
    • Deleted
    • Deleted date
    • Last activity date
    • Files viewed or edited (count)
    • Files synced (count)
    • Files shared internally (count)
    • Files shared externally (count)
    • Products assigned
    • Report period
  • OneDrive usage report

    • Report refresh date
    • Site URL
    • Owner username
    • Owner principal name
    • Deleted
    • Last activity date
    • Files (count)
    • Active files (count)
    • Storage used (Byte)
    • Storage allocated (Byte)
    • Report period
  • SharePoint activity report

    • Report refresh date
    • User principal name
    • Deleted
    • Deleted date
    • Last activity date
    • Files viewed or edited (count)
    • Files synced (count)
    • Files shared internally (count)
    • Files shared externally (count)
    • Pages visited (count)
    • Products assigned
    • Report period
  • SharePoint site usage report

    • Report refresh date
    • Site ID
    • Site URL
    • Site owner username
    • Site owner principal name
    • Deleted
    • Last activity date
    • Files (count)
    • Active files (count)
    • Page views (count)
    • Page visited (count)
    • Storage used (Byte)
    • Storage allocated (Byte)
    • Root web template
    • Report period
  • Outlook email app usage report

    • Report refresh date
    • User principal name
    • Display Name
    • Deleted
    • Deleted date
    • Last activity date
    • Outlook (Mac)
    • Outlook (Windows)
    • Outlook (Mobile)
    • Mobile
    • Outlook on the web
    • POP3 app
    • IMAP4 app
    • SMTP app
    • Report period
  • Mailbox usage report

    • Report refresh date
    • User principal name
    • Display name
    • Deleted
    • Deleted date
    • Created date
    • Last activity date
    • Item count
    • Storage used (Byte)
    • Issue warning quota (Byte)
    • Prohibit send quota (Byte)
    • Prohibit send/receive quota (Byte)
    • Deleted Item Count
    • Deleted Item Size (Byte)
    • Report period
  • Email activity report

    • Report refresh date
    • User principal name
    • Display name
    • Deleted
    • Deleted date
    • Last activity date
    • Send actions (count)
    • Receive actions (count)
    • Read actions (count)
    • Products assigned
    • Report period
  • Microsoft Teams user activity report

    • Report refresh date
    • User principal name
    • Last activity date
    • Deleted
    • Deleted date
    • Products assigned
    • Channel messages (count)
    • Chat messages (count)
    • 1:1 calls (count)
    • Total meetings (count)
    • Other activity
    • Report period
Console Location

Zero Trust Risk Insights App > Data source configuration > Office 365 > Data upload permission > Off


This data is needed to determine if a Microsoft Office 365 account has been compromised or has risky activities.

Data Source: Office 365 > Threat detection upload permission
Data Collected
  • File name
  • File SHA1
  • File MD5
  • User principal name
  • SharePoint/OneDrive file path
  • URL
  • File upload time
  • File type
  • Email meta information
Console Location

Zero Trust Risk Insights App > Data source configuration > Office 365 > Threat detection upload permission > Off


This data is needed to determine if the use of a cloud app is risky.

Data Source: Web Sensor
Data Collected

Cloud app access logs

  • User name
  • URL accessed
  • Department
  • Device name
  • User principal name
  • AD domain
  • Browsing time
Console Location

Zero Trust Risk Insights App > Data source configuration > Web sensor > Off


Sandbox Analysis App

Users can submit objects for analysis using the Trend Micro Vision One product console or public API.

Data Collected
  • Data transmitted relates to the user-submitted object.

    • File Name
    • File Content
    • Archive file password
    • File password
  • Virtual Analyzer Report and Suspicious Objects from the analysis results of integrated products, such as Apex One, Cloud App Security, Deep Discovery Inspector and Service Gateway.

The data collection cannot be disabled when the products are connected to Trend Micro Vision One.

Console Location

THREAT INTELLIGENCE > Sandbox Analysis > Submit Object


Service Gateway

Service Gateway Inventory
Description: When a Service Gateway appliance is registered to Vision One / Service Gateway Inventory, it provides appliance-related information back to Vision One.
Customers can disconnect/delete this appliance via Vision One Service Gateway Inventory to disable it.
Data Collected
  • Hostname
  • IP address
  • Service URL
  • Disk usage
  • CPU usage
  • Memory usage
  • Network throughput
  • IP address/Hostname of connected devices
Console Location: Inventory Management > Service Gateway Inventory > Disconnect
Console Settings
  • Disconnect

Smart Protection Services
Description: The SPS service running on the Service Gateway appliance sends URL, file path, or IP address information back to the SPN service when point products send SPN queries to the Service Gateway appliance.
Customers can disable this service via Vision One Service Gateway Inventory to disable this behavior.
Data Collected
  • URL
  • File path
  • IP address
Console Location: Inventory Management > Service Gateway Inventory > Configure
Console Settings

Smart Protection Services

Active Update and Program update
Description: The Active Update service running on the Service Gateway appliance sends the appliance's IP address information back to Vision One; the same applies to the Auto Update feature.
Customers can disable this service and the Automatic Update feature via Vision One Service Gateway Inventory to disable this behavior.
Data Collected
  • IP address
Console Location: Inventory Management > Service Gateway Inventory > Configure
Console Settings

Module state

Third Party Integration, Suspicious Object List Synchronization
Description: The Third Party Integration and Suspicious Object List Synchronization services running on the Service Gateway appliance send IP address, Suspicious Objects, and Virtual Analyzer Report information back to the SPN service when point products perform Suspicious Object synchronization with the Service Gateway appliance.
Customers can disable both services via Vision One Service Gateway Inventory to disable this behavior.
Data Collected
  • IP address
  • Suspicious Objects
  • Virtual Analyzer Report
Console Location: Inventory Management > Service Gateway Inventory > Configure
Console Settings

Module state

Trend Micro Vision One Data Center Locations

Country of Purchase | Data Center Location for Azure (*Future Site for new Customers) | Data Center Location for AWS (*Future Site for new Customers)
USA | East US – N. Virginia | East US – N. Virginia
EU | West Europe-Netherlands | Frankfurt, Germany
Japan | Tokyo, Japan | Tokyo, Japan
SG | Singapore | Singapore
ANZ | East US – N. Virginia; *Canberra, Australia | East US – N. Virginia; *Sydney, Australia
EU - UK | West Europe-Netherlands | Frankfurt, Germany
Canada | East US – N. Virginia | East US – N. Virginia
India | Mumbai | Mumbai

Zero Trust Secure Access

Zero Trust Secure Access includes the following modules, which may cause the corresponding personal data to be transmitted to Trend Micro. Detailed information and instructions for opting out of personal data collection by disabling specific modules are provided below. Modules that cannot be disabled are indicated below.

Permission control
Description: Permission control allows the admin to control network access to corporate applications by authorized users/devices. To prevent Trend Micro Vision One from collecting data, stop using Zero Trust Network Access.
Data Collected
  • IP address
  • OS type
  • User Principal Name
  • HTTP URL
Console Location

Zero Trust Secure Access > Secure Access Rules > Permission Control


Access Control History
Description: Access Control History allows the admin to view user activity logs generated by permission control. To prevent Trend Micro Vision One from collecting data, stop using Zero Trust Security Access.
Data Collected
  • IP address
  • OS type
  • OS version
  • User Principal Name
  • HTTP URL
  • Hostname
  • User agent
Console Location

Zero Trust Secure Access > Access Control History > Action count


Category: Configure
Solution Id: 000262137