Views:

AI Application Security
- AI Scanner
- AI Guard
Endpoint Sensor
Standard Endpoint Protection
Server & Workload Protection
Email and Collaboration Security
Container Security
Zero Trust Secure Access
Code Security
Mobile Security
XDR Portal
Security Assessment Service
Cyber Risk Exposure Management
Sandbox Analysis App
Common Directory
Network
- Network Inventory
- Virtual Network Sensor
Service Gateway Management
SecOps for Cloud
- Cloud Detections for AWS CloudTrail
Data Security
IR Platform

To see where this data is processed, refer to our list of data centers and authorized data subprocessors and their locations.

TrendAI Vision One™ Data Center Locations

General TrendAI Vision One™ Service

Data Collected	Email Phone number Contact names IP Address
Console Location	Data provided to Trend Micro during on-boarding process and during normal service delivery.
Console Settings	Account Management - Name and email required if additional accounts are created.

Configurable Additional Data Collection Using the TrendAI Vision One™ Console

Description fields
Data Collected	Customer provided text
Console Location	Various locations throughout the TrendAI Vision One™ product console Optional: Free-Form Text field for customer user to provide additional information at their discretion. Please do not enter any personal or sensitive information.

Share your Feedback
Data Collected	Customer provided text Optional- Customers may submit feature requests and ideas to the TrendAI Vision One™ Product team. Please do not input any personal or sensitive information into the feedback form.
Console Location	[SecOps Resource Center menu icon] > Share Your Feedback > Make a Suggestion
Console Settings	Make a Suggestion

Search App
Data Collected	Saved queries of search history, including: Names (user, domain, file, object) UserID Email addresses IP addresses Browsing history Command history Optional: User can save the search parameters for future queries.
Console Location

Response App
Description	Response app collect Endpoint information when customer take response actions. It stores these data to record the task history. It collects file when customer take collect file action. It stores these data for customer downloading and threat investigate app like sandbox. It can take the following actions on account name: Enable User Account Disable User Account Force Reset Password Force Sign Out The task histories contain the account name.
Data Collected	Endpoint IP Endpoint Hostname File Path Email Address Email Subjsect File Account Name
Console Location

Security Playbooks
Description	Security Playbooks collects data when customers configure security playbooks and when security playbooks execute.
Data Collected	IP address Hostname Fully Qualified Domain Name OS name OS type Email address File File name File path URL Device GUID Device name User Principal Name Account name Account type Account role CVE ID
Console Location	Workflow And Automation > Security Playbooks > Templates Workflow And Automation > Security Playbooks > Templates > Create playbook from template Workflow And Automation > Security Playbooks > Playbooks Workflow And Automation > Security Playbooks > Execution Results

TrendAI Vision One™ Terms of Service (Endpoint Basecamp)
Data Collected	Endpoint name IP address Mac address After customers agree to the Terms of Service, Privacy Notice and Data Collection Notice, the data collection can’t be disabled
Console Location	To enable: Trend Micro SecOps Terms of Service > I agree to the Terms of Service, Privacy Notice, and Data Collection Notice > Get Started To disable: Open Task Scheduler on each endpoint and disable the "Trend Micro Endpoint Basecamp" scheduled task. Run Windows Task Scheduler > Click Task Scheduler Library > right-click Trend Micro Endpoint Basecamp > Disable

Email Inventory
Data Collected	Account name User display name Group name User membership Mailbox account Email address The data collection can't be disabled when customers use Email Inventory.
Console Location	To enable: Email Inventory > configure the following: Use the Exchange Web Service Managed API for quarantine management Use the Graph API to access all mailboxes Access the user profiles and mailboxes To disable: Click the Help icon > Contact Support, and open a support ticket.

Endpoint Inventory - Enable TrendAI Vision One™ capabilities
Data Collected	Command line File name File owner File signer Host name IP address Process owner Registry data User name URL Windows event log
Console Location	To enable: Endpoint Inventory > Available endpoints tab > [select endpoint] > Enable To Disable: Endpoint Inventory > Reporting to SecOps tab > [select endpoint] > Disable

The user ID and user account are used for user behavior tracking and auditing. The company ID identifies which company this customer belongs to.

Endpoint Security Policies
Data Collected	User ID User Account Company ID
Console Location	Security Policies > Endpoint
Console Settings	Endpoint

SecOps Portal

SecOps Portal automatically collects and transmits the following data, some of which may be considered personal data in certain jurisdictions, after installing/enabling the product. It is necessary to collect this data to provide the security functions on this product. Therefore, you cannot disable these features. If you do not want Trend Micro to access this data, you should uninstall and stop using the product.

To see where this data is processed, refer to our list of data centers and authorized data subprocessors and their locations.

SecOps Portal Log On (First Time)
Description	SecOps Portal use these information for customer log on and data display on portal.
Data Transmitted to Trend Micro	Contact Name Account ID Email Address CLP company ID Company Name Country/Region Display name Credit Create Time Credit Expiration Time Credit Stock Id Credit Stock Type Entitlement Start Time Entitlement End Time Entitlement ID Entitlement Source
Feature Configuration Location

SecOps Portal Alert Notification
Description	SecOps Portal UI use this information to let customer can receive alert notification by email
Data Transmitted to Trend Micro	Email address Webhook URL
Feature Configuration Location

SecOps Portal Product Connector
Description	SecOps Portal use this information to detect product connection status and display on portal
Data Transmitted to Trend Micro	Device ID
Feature Configuration Location

SecOps Portal UI Pendo
Description	SecOps Portal UI analysis customer behavior for product usage and product enhancements
Data Transmitted to Trend Micro	IP address, User Behavior User Agent Browser Name Browser Version Account ID CLP CompanyID
Feature Configuration Location

SecOps Portal UI Pendo Feedback
Description	When customers submit feedback through the Pendo Feedback tool, their email address is sent to product managers so the product managers can respond to and acknowledge the customer's submission. When feedback is actioned, the product manager will update the customer using the email associated with the feature / enhancement request in the Pendo feedback tool.
Data Transmitted to Trend Micro	Email Address

Security Assessment Service

Security Assessment Service includes the following modules which may cause the corresponding personal data to be transmitted to Trend Micro. Detailed information and instruction are provided below for opt-out of the personal data collection by disabling specific modules. Modules that cannot be disabled are indicated below.

TrendAI Vision One™ Security Assessment Service
Data Collected & Console Location	TrendAI Vision One™ Security Assessment Service includes some modules which may cause the corresponding personal data to be transmitted to Trend Micro. Detailed information, instructions to opt-out of the personal data collection, as well as modules that cannot be disabled are provided in this article: TrendAI Vision One™ Security Assessment Service Data Collection Notice.

Cyber Risk Exposure Management

Cyber Risk Exposure Management includes the following modules which may cause the corresponding personal data to be transmitted to Trend Micro. Detailed information and instruction are provided below for opt-out of the personal data collection by disabling specific modules. Modules that cannot be disabled are indicated below.

TrendAI Vision One™ SecOps Sensors

Endpoint Sensor
Description	Data from Endpoint Sensors installed and enabled throughout your network give you visibility into endpoint user activities, public cloud app access, and endpoint vulnerabilities.
Data Collected	Endpoint name Logon username User principal name Logon user domain IP addresses MAC address Suspicious file path Suspicious file name Suspicious file hash URL OS name OS version OS build number OS patch level OS SKU Agent ID Installed software name Installed software version Software installation path Software patch information
Console Location	Cyber Risk Overview App > Data source configuration > Endpoint Sensor > Endpoint Inventory

Email Sensor
Description	Data from Email Sensor gives you insight into email activities in monitored Microsoft 365 Exchange Online and Gmail mailboxes.
Data Collected	Event time User principal name Domain name SAM account name URL Email attachment information Email meta information
Console Location	Cyber Risk Overview App > Data source configuration > TrendAI Vision One™ Email Sensor > Email Inventory

Network Sensor
Description	Data from Virtual Network Sensors / TippingPoint Network Sensors deployed in your network environment gives you visibility into detailed network activity as well as unmanaged or unknown assets connected to your network.
Data Collected	Device GUID Host name Source IP Source port Destination IP Destination port Endpoint IP Peer IP File path File name Username Sender email address
Console Location	Cyber Risk Overview App > Data source configuration > Network Sensor > Network Inventory

TrendAI Security Services

Security Agents
Description	Data from security agents installed throughout your network give you visibility into endpoint user activities, web activities, public cloud app access, security settings, and threat detections.
Data Collected	Endpoint name Logon username User principal name Logon user domain IP addresses MAC address Suspicious file path Suspicious file name Suspicious file hash URL OS name OS version OS build number OS patch level OS SKU Agent ID Installed software name Installed software version Software installation path Software patch information Product configuration
Console Location	Cyber Risk Overview App > Data source configuration > Standard Endpoint Protection > Product Instance Cyber Risk Overview App > Data source configuration > Server & Workload Protection > Product Instance Cyber Risk Overview App > Data source configuration > Apex One as a Service > Product Instance Cyber Risk Overview App > Data source configuration > Apex One > Product Instance Cyber Risk Overview App > Data source configuration > Endpoint & Workload Security > Product Instance Cyber Risk Overview App > Data source configuration > Deep Security > Product Instance

Cloud Email and Collaboration Protection
Description	Data from Cloud Email and Collaboration Protection provides information on detected threats and security settings on monitored Google Gmail and Office 365 apps.
Data Collected	Please refer to: TrendAI Vision One™™ - Email and Collaboration Security Data Collection Notice
Console Location	Cyber Risk Overview App > Data source configuration > Cloud Email and Collaboration Protection > Product Instance

Cloud Email Gateway Protection
Description	Data from Cloud Email Gateway Protection gives you information on email activities, email security settings, and detected threats on monitored email gateways.
Data Collected	Please refer to: TrendAI Vision One™™ - Email and Collaboration Security Data Collection Notice
Console Location	Cyber Risk Overview App > Data source configuration > Cloud Email Gateway Protection > Product Instance

Cloud One - Conformity
Description	Data from Cloud One - Conformity gives you instant visibility into compliance and security best practice violations on your public cloud infrastructure.
Data Collected	Provider Region Resource name Resource type Service name Service category Create date Last modified date Configuration message
Console Location	Cyber Risk Overview App > Data source configuration > Cloud One - Conformity > Data upload permission > Off

Deep Discovery Inspector
Description	Data from Deep Discovery Inspector and Network Sensor on Deep Discovery Inspector gives you visibility into targeted attacks, advanced threats, unmanaged devices on your network, and network configuration information as well as detailed network activity.
Data Collected	Device GUID Host name Source IP Source port Destination IP Destination port Endpoint IP Peer IP File path File name Username Sender email address
Console Location	Cyber Risk Overview App > Data source configuration > Deep Discovery Inspector > Network Inventory

Web Security
Description	Data from Web Security Web Sensors installed in your environment gives you visibility into web activities, threat detections, and web applications and websites accessed by managed users and devices inside and outside of your corporate network.
Data Collected	Username Department Device name User principal name AD domain URL accessed Browsing time
Console Location	Cyber Risk Overview App > Data source configuration > Web Security > Product Instance

Mobile Security
Description	Data from Mobile Security gives you insight into user activities, threat detections, risky mobile app use, and public cloud apps being accessed by managed devices.
Data Collected	Logon user User principal name IP address App name App package name Device hostname OS name URL
Console Location	Cyber Risk Overview App > Data source configuration > Mobile Security > Mobile Inventory

Container Security
Description	Data from Container Security gives you visibility into vulnerabilities, detected threats, and system configuration risks in your containers and images.
Data Collected	Kubernetes Service Information Cluster name Cluster description Cluster application version Service UID Resource name Namespace Create time Network type IP addresses Ports Kubernetes Pod Information Pod name Pod UID Namespace Create time Owners Dispatched IP Pod volumes Node name Labels Annotations ECS Service Information Cluster ARN Service ARN Service name Create time Network configuration Task definition ECS Task Information Service UID Cluster ARN Task group Task ARN Task description Task create time Task launch type Task tags Task container instance ARN Task definition Node Information Node name Node UID Node create time IP addresses OS Image Kernel version Container runtime version Kubernetes version Container Information Pod ID Container ID Container name Task ID Task GUID Task ARN Image ID Start command Environment variables Exposed ports Security context Mounted volumes Start time
Console Location	Cyber Risk Overview App > Data source configuration > Container Security > Container Inventory

Security Awareness
Description	Data from Phishing Simulations in Security Awareness gives you insight into breach events on risky user accounts reported in phishing simulations.
Data Collected	Campaign information Course information Training members Email Addresses
Console Location	Cyber Risk Overview App > Data source configuration > Security Awareness > Enable Phishing Simulations

Network Vulnerability Scanner
Description	Using a deployed Network Sensor or a Service Gateway with the Network Vulnerability Scanner service installed, Network Vulnerability Scanner discovers network infrastructure devices and scans for vulnerabilities in the discovered devices, accessible services, and specified assets.
Data Collected	Network device information IP addresses Ports Protocols Services TLS information
Console Location	Cyber Risk Overview App > Data source configuration > Network Vulnerability Scanner > Configure scans in Network Vulnerability Scanner

TippingPoint Security Management System
Description	Data from TippingPoint Security Management System (SMS) gives you visibility into network activity, network-related detections, and filter rule status.
Data Collected	Device GUID Host name Source IP Source port Destination IP Destination port CVE ID URL
Console Location	Cyber Risk Overview App > Data source configuration > TippingPoint Security Management System > Network Inventory

Zero Trust Secure Access - Private Access
Description	Data from Zero Trust Secure Access - Private Access allows for actionable analysis of user and device risk to detect threats and limit internal applications access to authorized personnel.
Data Collected	Event time Logon user User principal name User display name Event information OS name Endpoint GUID Host name External IP Endpoint IP
Console Location	Cyber Risk Overview App > Data source configuration > Zero Trust Secure Access - Private Access > Zero Trust Secure Access

Zero Trust Secure Access - Internet Access
Description	Data from Zero Trust Secure Access - Internet Access and AI Service Access allows for actionable analysis of user access to web applications outside your corporate network to detect potential threats.
Data Collected	Event time Identity ID Username User principal name Payload size Body size Access duration AD domain Department Request URL URL category Device name Action Malware type Malware name Profile name App ID App name App category Location
Console Location	Cyber Risk Overview App > Data source configuration > Zero Trust Secure Access - Internet Access > Zero Trust Secure Access

THIRD-PARTY DATA SOURCES

Microsoft Entra ID
Description	Data from Microsoft Entra ID data gives you visibility into user and device profiles, user and device behaviors, user public cloud app access, and potential account compromise events or misconfigurations.
Data Collected	User information User ID User display name User principal name IP address Groups Location (city, state , country) Email address Job title Department Given name Surname Email nickname IM addresses Last password change datetime Applications being used App ID App display name Client app used Sign-in logs Sign-in initiated time Device detail (Browser and OS) Location Status Conditional access status Correlation ID Risk state Risk detail Risk level aggregated Risk level during sign-in Risk event types Resource display name Resource ID
Console Location	Cyber Risk Overview App > Data source configuration > Microsoft Entra ID > Manage permissions and integration settings in Third-Party Integration

Active Directory (on-premises)
Description	Data from Active Directory (on-premises) gives you visibility into your internal user accounts and devices.
Data Collected	User information Canonical name Username SAM account name User principal name User display name Description Distinguished name Given name Surname Email address Company name Department Job title SID Account enabled Domain Direct parent group All parent groups Usage location Last password change time Group information Canonical name Description Distinguished name Member SAM account name Display name Email address Direct parent group All parent groups Direct members All members Computer information Canonical name Distinguished name Country code Display name Description SAM account name DNS host name Bad password time Bad password count Last logon Last logoff Logon count OS Service principal name Direct parent group All parent groups Event log Timestamp Agent ID System event ID System time created System security System computer IP address IP port Logon type Member SID New UAC value Old UAC value Password last set Primary group ID Privilege list Process ID Process name Service name Service SID Status Sub-status Subject domain name Subject logon ID Subject username Subject user SID Target domain name Target linked logon ID Target logon ID Target SID Target username Target user SID Virtual account Workstation Workstation name
Console Location	Cyber Risk Overview App > Data source configuration > Active Directory (on-premises) > Configure Active Directory in Third Party Integration

Nessus Pro Tenable Security Center
Description	Data from Nessus Pro or Tenable Security Center (formerly Tenable.sc) gives you insight into on-premises device information and CVE detections in operating systems and applications.
Data Collected	Host FQDN NetBIOS name BIOS UUID Workgroup Host name Device OS Logon user IP address MAC address CVE ID
Console Location	Cyber Risk Overview App > Data source configuration > Nessus Pro > Configure Nessus Pro in Third Party Integration Cyber Risk Overview App > Data source configuration > Tenable Security Center > Configure integration settings in Third-Party Integration

Microsoft 365
Description	Data from Microsoft 365 gives you access to app metadata, system configuration information, usage data, and activity data. Collected data contributes to system misconfiguration and compliance checks, Microsoft 365 app usage reports, and reports on behavior that contributes to user risk analyses. Accessed apps include: OneDrive SharePoint Outlook Teams
Data Collected	Microsoft 365 configuration for OneDrive SharePoint Outlook Teams OneDrive activity report Report refresh date User principal name Deleted Deleted date Last activity date Files viewed or edited (count) Files synced (count) Files shared internally (count) Files shared externally (count) Products assigned Report period OneDrive usage report Report refresh date Site URL Owner username Owner principal name Deleted Last activity date Files (count) Active files (count) Storage used (Byte) Storage allocated (Byte) Report period SharePoint activity report Report refresh date User principal name Deleted Deleted date Last activity date Files viewed or edited (count) Files synced (count) Files shared internally (count) Files shared externally (count) Pages visited (count) Products assigned Report period SharePoint site usage report Report refresh date Site ID Site URL Site owner username Site owner principal name Deleted Last activity date Files (count) Active files (count) Page views (count) Page visited (count) Storage used (Byte) Storage allocated (Byte) Root web template Report period Outlook email app usage report Report refresh date User principal name Display Name Deleted Deleted date Last activity date Outlook (Mac) Outlook (Windows) Outlook (Mobile) Mobile Outlook on the web POP3 app IMAP4 app SMTP app Report period Mailbox usage report Report refresh date User principal name Display name Deleted Deleted date Created date Last activity date Item count Storage used (Byte) Issue warning quota (Byte) Prohibit send quota (Byte) Prohibit send/receive quota (Byte) Deleted Item Count Deleted Item Size (Byte) Report period Email activity report Report refresh date User principal name Display name Deleted Deleted date Last activity date Send actions (count) Receive actions (count) Read actions (count) Products assigned Report period Microsoft Teams user activity report Report refresh date User principal name Last activity date Deleted Deleted date Products assigned Channel messages (count) Chat messages (count) 1:1 calls (count) Total meetings (count) Other activity Report period
Console Location	Cyber Risk Overview App > Data source configuration > Microsoft 365 > Manage Entra ID permissions and integration settings in Third-Party Integration

OKTA
Description	Data from Okta gives you visibility into user profiles and behavior, and user public cloud app and device usage.
Data Collected	User information User ID User display name User principal name Location (country, state, city) Job title Email address User type Company name Department Given name Surname Nickname Group Second email address Account create datetime Last password change datetime Sign-in logs Sign-in event time User principal name Endpoint IP address Request URI Device OS Device browser User ID User display name Location (country, state, city, postcode, geolocation) Sign-in status
Console Location	Cyber Risk Overview App > Data source configuration > Okta > Configure Okta integration settings in Third-Party Integration

Open LDAP
Description	Active Directory data from your OpenLDAP server gives you visibility into your internal user accounts.
Data Collected	User information UUID CSN DN CN Display name Domain name Surname Given name Mail GECOS GID number UID UID number Home directory Login shell Direct parent group All parent group Group information UUID CSN DN CN Domain name Direct members All members
Console Location	Cyber Risk Overview App > Data source configuration > OpenLDAP > Configure OpenLDAP integration settings in Third-Party Integration

Qualys
Description	Data from Qualys gives you visibility into additional CVE detections on managed devices along with detailed asset profile information.
Data Collected	Hostname Host ID Device OS Logon users Last logon user IP address MAC address Vulnerability list
Console Location	Cyber Risk Overview App > Data source configuration > Qualys > Data upload permission > Off

Rapid 7 - InsightVM / Nexpose
Description	Data from Rapid7 gives you visibility into additional CVE detections on managed devices, along with detailed asset profile information.
Data Collected	ID IP address MAC address Hostname OS Services Software installed Users User groups Vulnerability list
Console Location	Cyber Risk Overview App > Data source configuration > Rapid7 - InsightVM > Data upload permission > Off Cyber Risk Overview App > Data source configuration > Rapid7 - Nexpose > Configure integration settings in Third-Party Integration

Splunk - Network Firewall / Web Gateway Logs
Description	The Cyber Risk Exposure Management for Splunk app provides website access log data to TrendAI Vision One™, giving you insight into user public cloud application access based on firewall and web gateway activity.
Data Collected	Event time Source IP address Hostname: from where the event is initiated Website: the URL Count: aggregated times of the access Username: user who initiates the event
Console Location	Cyber Risk Overview App > Data source configuration > Splunk - Network Firewall / Web Gateway Logs > Configuration Guide

Tenable Vulnerability Management
Description	Data from Tenable Vulnerability Management gives you visibility into additional CVE detections on managed devices, along with detailed asset profile information.
Data Collected	ID Agent UUID Agent names Software installed IP address MAC address OS Hostname Vulnerability list
Console Location	Cyber Risk Overview App > Data source configuration > Tenable Vulnerability Management > Data upload permission > Off

Tanium Comply
Description	Data from Tanium Comply gives you visibility into additional CVE detections on managed devices along with detailed asset profile information.
Data Collected	Endpoint name Domain name IP address MAC address OS Last logon user Software installed Vulnerability list
Console Location	Cyber Risk Overview App > Data source configuration > Tanium Comply > Data upload permission > Off

Internet Facing Assets Rescana
Description	Data gives you visibility into your organization’s internet-facing assets, including application vulnerabilities and system misconfigurations, allowing you to manage your external attack surface.
Data Collected	Domain Hostname IP Tags: categories of asset Running services OS ISP Cloud provider Geolocation SSL CPE: version of applications on assets Vulnerability list
Cyber Risk Overview	Attack Surface Discovery App > Internet Facing Assets > Domain / Public IP > Remove Cyber Risk Overview App > Data source configuration > Rescana > Data Upload > Off

Claroty xDome
Description	Data from Claroty xDome gives you visibility into additional CVE detections on managed devices along with detailed asset profile information.
Data Collected	Device ID Risk score OS category Labels Device type family Vulnerability list MAC address list Device subcategory Assignees Network list Model Device type Device category IP address list
Console Location	Cyber Risk Overview App > Data source configuration > Claroty xDome > Data upload permission > Off

Salesforce
Description	Data from Salesforce gives you access to metadata and information on system misconfigurations for use in compliance and risk assessments.
Data Collected	Tenant ID Tenant name Tenant description URL Contact information Location Security settings
Console Location	Cyber Risk Overview App > Data source configuration > Salesforce > Configure integration settings in Third-Party Integration

Github
Description	By installing and enabling TrendAI Vision One™ SSPM, you grant Trend Micro permission to access your GitHub organization metadata and information on system misconfigurations for use in compliance and risk assessments.
Data Collected	Organization ID Organization name Organization login Organization URL Organization type Security settings Member information Repository information
Console Location	Cyber Risk Overview App > Data source configuration > GitHub > Configure GitHub integration settings in Third-Party Integration

Greenbone
Description	Data from Greenbone gives you insight into on-premises device information and CVE detections in operating systems and applications.
Data Collected	Operating systems containing CVEs Applications containing CVEs
Console Location	Cyber Risk Overview App > Data source configuration > Greenbone > Configure integration settings in Third-Party Integration

Google Cloud Identity
Description	Data from Google Cloud Identity gives you visibility into user profiles, user and group behaviors, and account misconfigurations.
Data Collected	Please refer to https://success.trendmicro.com/en-us/solution/ka-0015569
Console Location	Cyber Risk Overview App > Data source configuration > Google Cloud Identity > Configuration guide

CyberArk
Description	Data from CyberArk gives you visibility into user details, user behaviors, and potential user account misconfiguration.
Data Collected	User information Display Name Email Last Invite Last Login Status Organization User ID User type Login Name Applications being used App ID Device Application Name Version Managed App Status Mobile App Type Identifier Risk event User ID Username Event ID Event type Risk score Risk level Risk reason
Console Location	Cyber Risk Overview App > Data source configuration > CyberArk > Configure CyberArk and grant the required permissions in Third-Party Integration

Nazomi Vantage
Description	Data from Nozomi Vantage gives you visibility into OT and IoT network asset information, CVE detections, and alerts that contribute to risk analysis.
Data Collected	Assets ID Name IP MAC address Vendor Type OS Alerts ID Name Description Severity MAC address IP Risk Protocol Port Vulnerabilities ID Asset ID Score CVE Software list
Console Location	Cyber Risk Overview App > Data source configuration > Nozomi Vantage > Configure integration settings in Third-Party Integration

SentinelOne Singularity
Description	Data from SentinelOne Singularity gives you visibility into data from your SentinelOne Singularity-managed endpoints, including device context, misconfigurations, and CVE detections.
Data Collected	Devices ID Name Internal IP OS Family MAC address Risk Events ID Name Description Severity Status Classification Confidence level Attack techniques Asset information Process information Assignee Analytics Vulnerabilities CVE information Software information Asset information Workflow & Assignment
Console Location	Cyber Risk Overview App > Data source configuration > SentinelOne Singularity > Configure integration settings in Third-Party Integration

ServiceNow CMDB
Description	Data from ServiceNow Configuration Management Database (CMDB) gives you increased visibility into the relationships between and attributes of devices within your organization's infrastructure.
Data Collected	Computer Server Application Database Instance Storage Server Storage Device IP Address IP Firewall CI Relationship
Console Location	Cyber Risk Overview App > Data source configuration > ServiceNow CMDB > Configure integration settings in Third-Party Integration

Sandbox Analysis App

Users can disable data collection by disabling submissions.

Data Collected	Data transmitted relates to user submitted object. File Name File Content Archive file password File password Command line arguments URL
Console Location	THREAT INTELLIGENCE > Sandbox Analysis > Submission Settings To enable: Set the daily reserve value to anything between 1 and 10,000. To disable: Set the daily reserve value to 0. ^{Click the image to enlarge.}

Network

Network includes the following modules which may cause the corresponding personal data to be transmitted to Trend Micro. Detailed information and instruction are provided below for opt-out of the personal data collection by disabling specific modules. Modules that cannot be disabled are indicated below.

TrendAI Vision One™ Virtual Network Sensor
Data Collected & Console Location	TrendAI Vision One™ Virtual Network Sensor includes some modules which may cause the corresponding personal data to be transmitted to Trend Micro. Detailed information, instructions to opt-out of the personal data collection, as well as modules that cannot be disabled are provided in this article: TrendAI Vision One™ Virtual Network Sensor Data Collection Notice.

Service Gateway

Service Gateway Management
Description	When the Service Gateway appliance is registered to TrendAI Vision One™/Service Gateway Management, it will provide the appliance related information back to TrendAI Vision One™. Customers can disconnect/delete this appliance to disable it via TrendAI Vision One™ Service Gateway Management.
Data Collected	Hostname IP address MAC address DNS Customer proxy NTP Server DISK usage CPU usage Memory usage Network throughput Product name of connected devices Connections summary
Console Location	Workflow and Automation > Service Gateway Management
Console Settings

Service Configuration

Service Configuration In Service Gateway
Description	Service Gateway Management opens the service configuration API to service owner, and the detailed configurations are different from service to service.
Data Collected	Specified by the service owner which registers and stores the configuration in Service Gateway.
Console Location	Workflow and Automation > Service Gateway Management > Appliance > Manage Services
Console Settings

Local Active Update Service

Service Gateway Management
Description	When the Service Gateway appliance is registered to TrendAI Vision One™/Service Gateway Management, and enables Active Update service, SG will provide connected product status.
Data Collected	AU URL Specified by the customer the Trend Micro product AU URL and service gateway local AU URL.
Console Location	Workflow and Automation > Service Gateway Management > Appliance, in the Installed Services table, choose ActiveUpdate Service, and then click the "Settings" button

Forward Proxy Service

Service Gateway Management
Description	When the Service Gateway appliance is registered to TrendAI Vision One™/Service Gateway Management, and enables forward proxy service, SG will provide connected product status
Data Collected	Product Status The Trend Micro product name connected to SG and connect time
Console Location	Workflow and Automation > Service Gateway Management > Connected Products/Servers

Smart Protection Service

Service Gateway Management
Description	When the Service Gateway appliance is registered to TrendAI Vision One™/Service Gateway Management, and enables Smart Protection Service, SG will provide connected product status.
Data Collected	Product Status The Trend Micro product name is connected to SG and connect time
Console Location	Workflow and Automation > Service Gateway Management > Connected Products/Servers

SecOps for Cloud

SecOps for Cloud - Cloud Detections for AWS CloudTrail automatically collects and transmits the following data, some of which may be considered personal data in certain jurisdictions, after installing/enabling the product. It is necessary to collect this data to provide the security functions on this product. Therefore, you cannot disable these features. If you do not want Trend Micro to access this data, you should uninstall and stop using the product.

Cloud Detections for AWS CloudTrail
Description	This information is used to analyze threats to customers' AWS account activity.
Data Collected	AWS account ID AWS CloudTrail configuration AWS CloudTrail events
Console Location	This feature cannot be disabled.

Data Security

Data Posture

Data Posture allows customer to bind their cloud accounts to TrendAI Vision One™, which may cause the corresponding personal data to be transmitted to Trend Micro. Detailed information and instruction are provided below for opt-out of the personal data collection by unbinding cloud accounts.

Data Collected	AWS Account ID AWS Macie Configuration AWS Macie Custom Data Identifier AWS S3 Bucket Name AWS S3 Bucket Meta Data
Console Location	Login to TrendAI Vision One™ Portal > Service Management > Cloud Accounts ^{Click the image to enlarge.}

Data Policy

Define the data policy for network location where the sensitive files are, and Data Detection and Response sensor will base on the policy to track all sensitive files on the endpoint.

Data Collected	Network URI
Console Location	TrendAI Vision One™ > Data Security > Data Policy
Console Settings	Turn on or off by switching the toggle.

Data Inventory

Display what sensitive files resided in the endpoint and offer the ability of filter what user interested by asset type, matched policy, file extensions etc.

Data Collected	Endpoint GUID Host name Username IP address URL File name & full path Windows event log
Console Location	TrendAI Vision One™ > Data Security > Data Inventory > All files TrendAI Vision One™ > Data Security > Data Inventory > Local devices
Console Settings	In TrendAI Vision One™ > Endpoint Security > Endpoint Security Policy: Modify the existing policy or add policy. In sensor setting, turn on the Endpoint sensor detection and response. Data Detection and Response sensor will be shown as follow.

IR Platform

IR Platform includes the following modules which may cause the corresponding personal data to be transmitted to Trend Micro. Detailed information and instruction are provided below for opt-out of the personal data collection by disabling specific modules. Modules that cannot be disabled are indicated below.

IR Toolkit
Description	Forensics App will deploy the IR Toolkit which has Command Line Interface for data collection, encryption and upload to cloud through Internet.
Data Transmitted to Trend Micro	Master File Table (File metadata) Basic Info (OS info, Hardware Information) Host Process Information Network Active Connection Network Information AutoStartUp Information Background Service Task scheduler information Application/service Log System Log (Amcache, Shimcache) Account Information User Activity (Shellbag, Browser History) Event Log Microsoft Windows Registry
Feature Configuration Location	TrendAI Vision One™ Menu > XDR > Forensics

TrendAI Vision One™ Data Center Locations

Region/Country of Purchase	Data Center Location for Microsoft Azure ^{Future Site for new Customers}*	Data Center Location for AWS ^{Future Site for new Customers}*
USA	East US - N. Virginia	East US - N. Virginia
Canada	Canada Central	Canada Central
EU	West Europe - Netherlands	Frankfurt, Germany
Japan	Tokyo, Japan	Tokyo, Japan
SG	Singapore	Singapore
ANZ	Australia Central *Canberra, Australia	Sydney, Australia
India	Mumbai	Mumbai
Middle East and Africa	UAE	UAE
UK	UK South	London

Keywords: TrendAI Vision One data collection notice, Vision One data privacy, XDR data collected, Trend Micro data collection, Vision One GDPR compliance, SecOps Portal data transmission, Cyber Risk Exposure Management data, Endpoint Sensor data collected, Service Gateway data collection, Sandbox Analysis data, Data Security data collection, IR Platform data transmission, Zero Trust Secure Access data, Trend Micro personal data, Vision One data center locations, Trend Vision One privacy notice, XDR personal data collection, Trend Micro subprocessors, Vision One data opt-out, data collection disable Vision One

TrendAI Vision One™ Data Collection Notice

Product / Version includes:

TrendAI Vision One™ All

Last updated: 2026/04/29

Solution ID: KA-0010805

Category: Configure

Summary

The following sections outline the features that collect data, the data transmitted, and the locations on the related product consoles where you can turn off the features.

AI Application Security
- AI Scanner
- AI Guard
Endpoint Sensor
Standard Endpoint Protection
Server & Workload Protection
Email and Collaboration Security
Container Security
Zero Trust Secure Access
Code Security
Mobile Security
XDR Portal
Security Assessment Service
Cyber Risk Exposure Management
Sandbox Analysis App
Common Directory
Network
- Network Inventory
- Virtual Network Sensor
Service Gateway Management
SecOps for Cloud
- Cloud Detections for AWS CloudTrail
Data Security
IR Platform

To see where this data is processed, refer to our list of data centers and authorized data subprocessors and their locations.

TrendAI Vision One™ Data Center Locations

General TrendAI Vision One™ Service

Data Collected	Email Phone number Contact names IP Address
Console Location	Data provided to Trend Micro during on-boarding process and during normal service delivery.
Console Settings	Account Management - Name and email required if additional accounts are created.

Configurable Additional Data Collection Using the TrendAI Vision One™ Console

Description fields
Data Collected	Customer provided text
Console Location	Various locations throughout the TrendAI Vision One™ product console Optional: Free-Form Text field for customer user to provide additional information at their discretion. Please do not enter any personal or sensitive information.

Share your Feedback
Data Collected	Customer provided text Optional- Customers may submit feature requests and ideas to the TrendAI Vision One™ Product team. Please do not input any personal or sensitive information into the feedback form.
Console Location	[SecOps Resource Center menu icon] > Share Your Feedback > Make a Suggestion
Console Settings	Make a Suggestion

Search App
Data Collected	Saved queries of search history, including: Names (user, domain, file, object) UserID Email addresses IP addresses Browsing history Command history Optional: User can save the search parameters for future queries.
Console Location

Response App
Description	Response app collect Endpoint information when customer take response actions. It stores these data to record the task history. It collects file when customer take collect file action. It stores these data for customer downloading and threat investigate app like sandbox. It can take the following actions on account name: Enable User Account Disable User Account Force Reset Password Force Sign Out The task histories contain the account name.
Data Collected	Endpoint IP Endpoint Hostname File Path Email Address Email Subjsect File Account Name
Console Location

Security Playbooks
Description	Security Playbooks collects data when customers configure security playbooks and when security playbooks execute.
Data Collected	IP address Hostname Fully Qualified Domain Name OS name OS type Email address File File name File path URL Device GUID Device name User Principal Name Account name Account type Account role CVE ID
Console Location	Workflow And Automation > Security Playbooks > Templates Workflow And Automation > Security Playbooks > Templates > Create playbook from template Workflow And Automation > Security Playbooks > Playbooks Workflow And Automation > Security Playbooks > Execution Results

TrendAI Vision One™ Terms of Service (Endpoint Basecamp)
Data Collected	Endpoint name IP address Mac address After customers agree to the Terms of Service, Privacy Notice and Data Collection Notice, the data collection can’t be disabled
Console Location	To enable: Trend Micro SecOps Terms of Service > I agree to the Terms of Service, Privacy Notice, and Data Collection Notice > Get Started To disable: Open Task Scheduler on each endpoint and disable the "Trend Micro Endpoint Basecamp" scheduled task. Run Windows Task Scheduler > Click Task Scheduler Library > right-click Trend Micro Endpoint Basecamp > Disable

Email Inventory
Data Collected	Account name User display name Group name User membership Mailbox account Email address The data collection can't be disabled when customers use Email Inventory.
Console Location	To enable: Email Inventory > configure the following: Use the Exchange Web Service Managed API for quarantine management Use the Graph API to access all mailboxes Access the user profiles and mailboxes To disable: Click the Help icon > Contact Support, and open a support ticket.

Endpoint Inventory - Enable TrendAI Vision One™ capabilities
Data Collected	Command line File name File owner File signer Host name IP address Process owner Registry data User name URL Windows event log
Console Location	To enable: Endpoint Inventory > Available endpoints tab > [select endpoint] > Enable To Disable: Endpoint Inventory > Reporting to SecOps tab > [select endpoint] > Disable

The user ID and user account are used for user behavior tracking and auditing. The company ID identifies which company this customer belongs to.

Endpoint Security Policies
Data Collected	User ID User Account Company ID
Console Location	Security Policies > Endpoint
Console Settings	Endpoint

SecOps Portal

To see where this data is processed, refer to our list of data centers and authorized data subprocessors and their locations.

SecOps Portal Log On (First Time)
Description	SecOps Portal use these information for customer log on and data display on portal.
Data Transmitted to Trend Micro	Contact Name Account ID Email Address CLP company ID Company Name Country/Region Display name Credit Create Time Credit Expiration Time Credit Stock Id Credit Stock Type Entitlement Start Time Entitlement End Time Entitlement ID Entitlement Source
Feature Configuration Location

SecOps Portal Alert Notification
Description	SecOps Portal UI use this information to let customer can receive alert notification by email
Data Transmitted to Trend Micro	Email address Webhook URL
Feature Configuration Location

SecOps Portal Product Connector
Description	SecOps Portal use this information to detect product connection status and display on portal
Data Transmitted to Trend Micro	Device ID
Feature Configuration Location

SecOps Portal UI Pendo
Description	SecOps Portal UI analysis customer behavior for product usage and product enhancements
Data Transmitted to Trend Micro	IP address, User Behavior User Agent Browser Name Browser Version Account ID CLP CompanyID
Feature Configuration Location

SecOps Portal UI Pendo Feedback
Description	When customers submit feedback through the Pendo Feedback tool, their email address is sent to product managers so the product managers can respond to and acknowledge the customer's submission. When feedback is actioned, the product manager will update the customer using the email associated with the feature / enhancement request in the Pendo feedback tool.
Data Transmitted to Trend Micro	Email Address

Security Assessment Service

TrendAI Vision One™ Security Assessment Service
Data Collected & Console Location	TrendAI Vision One™ Security Assessment Service includes some modules which may cause the corresponding personal data to be transmitted to Trend Micro. Detailed information, instructions to opt-out of the personal data collection, as well as modules that cannot be disabled are provided in this article: TrendAI Vision One™ Security Assessment Service Data Collection Notice.

Cyber Risk Exposure Management

TrendAI Vision One™ SecOps Sensors

Endpoint Sensor
Description	Data from Endpoint Sensors installed and enabled throughout your network give you visibility into endpoint user activities, public cloud app access, and endpoint vulnerabilities.
Data Collected	Endpoint name Logon username User principal name Logon user domain IP addresses MAC address Suspicious file path Suspicious file name Suspicious file hash URL OS name OS version OS build number OS patch level OS SKU Agent ID Installed software name Installed software version Software installation path Software patch information
Console Location	Cyber Risk Overview App > Data source configuration > Endpoint Sensor > Endpoint Inventory

Email Sensor
Description	Data from Email Sensor gives you insight into email activities in monitored Microsoft 365 Exchange Online and Gmail mailboxes.
Data Collected	Event time User principal name Domain name SAM account name URL Email attachment information Email meta information
Console Location	Cyber Risk Overview App > Data source configuration > TrendAI Vision One™ Email Sensor > Email Inventory

Network Sensor
Description	Data from Virtual Network Sensors / TippingPoint Network Sensors deployed in your network environment gives you visibility into detailed network activity as well as unmanaged or unknown assets connected to your network.
Data Collected	Device GUID Host name Source IP Source port Destination IP Destination port Endpoint IP Peer IP File path File name Username Sender email address
Console Location	Cyber Risk Overview App > Data source configuration > Network Sensor > Network Inventory

TrendAI Security Services

Security Agents
Description	Data from security agents installed throughout your network give you visibility into endpoint user activities, web activities, public cloud app access, security settings, and threat detections.
Data Collected	Endpoint name Logon username User principal name Logon user domain IP addresses MAC address Suspicious file path Suspicious file name Suspicious file hash URL OS name OS version OS build number OS patch level OS SKU Agent ID Installed software name Installed software version Software installation path Software patch information Product configuration
Console Location	Cyber Risk Overview App > Data source configuration > Standard Endpoint Protection > Product Instance Cyber Risk Overview App > Data source configuration > Server & Workload Protection > Product Instance Cyber Risk Overview App > Data source configuration > Apex One as a Service > Product Instance Cyber Risk Overview App > Data source configuration > Apex One > Product Instance Cyber Risk Overview App > Data source configuration > Endpoint & Workload Security > Product Instance Cyber Risk Overview App > Data source configuration > Deep Security > Product Instance

Cloud Email and Collaboration Protection
Description	Data from Cloud Email and Collaboration Protection provides information on detected threats and security settings on monitored Google Gmail and Office 365 apps.
Data Collected	Please refer to: TrendAI Vision One™™ - Email and Collaboration Security Data Collection Notice
Console Location	Cyber Risk Overview App > Data source configuration > Cloud Email and Collaboration Protection > Product Instance

Cloud Email Gateway Protection
Description	Data from Cloud Email Gateway Protection gives you information on email activities, email security settings, and detected threats on monitored email gateways.
Data Collected	Please refer to: TrendAI Vision One™™ - Email and Collaboration Security Data Collection Notice
Console Location	Cyber Risk Overview App > Data source configuration > Cloud Email Gateway Protection > Product Instance

Cloud One - Conformity
Description	Data from Cloud One - Conformity gives you instant visibility into compliance and security best practice violations on your public cloud infrastructure.
Data Collected	Provider Region Resource name Resource type Service name Service category Create date Last modified date Configuration message
Console Location	Cyber Risk Overview App > Data source configuration > Cloud One - Conformity > Data upload permission > Off

Deep Discovery Inspector
Description	Data from Deep Discovery Inspector and Network Sensor on Deep Discovery Inspector gives you visibility into targeted attacks, advanced threats, unmanaged devices on your network, and network configuration information as well as detailed network activity.
Data Collected	Device GUID Host name Source IP Source port Destination IP Destination port Endpoint IP Peer IP File path File name Username Sender email address
Console Location	Cyber Risk Overview App > Data source configuration > Deep Discovery Inspector > Network Inventory

Web Security
Description	Data from Web Security Web Sensors installed in your environment gives you visibility into web activities, threat detections, and web applications and websites accessed by managed users and devices inside and outside of your corporate network.
Data Collected	Username Department Device name User principal name AD domain URL accessed Browsing time
Console Location	Cyber Risk Overview App > Data source configuration > Web Security > Product Instance

Mobile Security
Description	Data from Mobile Security gives you insight into user activities, threat detections, risky mobile app use, and public cloud apps being accessed by managed devices.
Data Collected	Logon user User principal name IP address App name App package name Device hostname OS name URL
Console Location	Cyber Risk Overview App > Data source configuration > Mobile Security > Mobile Inventory

Container Security
Description	Data from Container Security gives you visibility into vulnerabilities, detected threats, and system configuration risks in your containers and images.
Data Collected	Kubernetes Service Information Cluster name Cluster description Cluster application version Service UID Resource name Namespace Create time Network type IP addresses Ports Kubernetes Pod Information Pod name Pod UID Namespace Create time Owners Dispatched IP Pod volumes Node name Labels Annotations ECS Service Information Cluster ARN Service ARN Service name Create time Network configuration Task definition ECS Task Information Service UID Cluster ARN Task group Task ARN Task description Task create time Task launch type Task tags Task container instance ARN Task definition Node Information Node name Node UID Node create time IP addresses OS Image Kernel version Container runtime version Kubernetes version Container Information Pod ID Container ID Container name Task ID Task GUID Task ARN Image ID Start command Environment variables Exposed ports Security context Mounted volumes Start time
Console Location	Cyber Risk Overview App > Data source configuration > Container Security > Container Inventory

Security Awareness
Description	Data from Phishing Simulations in Security Awareness gives you insight into breach events on risky user accounts reported in phishing simulations.
Data Collected	Campaign information Course information Training members Email Addresses
Console Location	Cyber Risk Overview App > Data source configuration > Security Awareness > Enable Phishing Simulations

Network Vulnerability Scanner
Description	Using a deployed Network Sensor or a Service Gateway with the Network Vulnerability Scanner service installed, Network Vulnerability Scanner discovers network infrastructure devices and scans for vulnerabilities in the discovered devices, accessible services, and specified assets.
Data Collected	Network device information IP addresses Ports Protocols Services TLS information
Console Location	Cyber Risk Overview App > Data source configuration > Network Vulnerability Scanner > Configure scans in Network Vulnerability Scanner

TippingPoint Security Management System
Description	Data from TippingPoint Security Management System (SMS) gives you visibility into network activity, network-related detections, and filter rule status.
Data Collected	Device GUID Host name Source IP Source port Destination IP Destination port CVE ID URL
Console Location	Cyber Risk Overview App > Data source configuration > TippingPoint Security Management System > Network Inventory

Zero Trust Secure Access - Private Access
Description	Data from Zero Trust Secure Access - Private Access allows for actionable analysis of user and device risk to detect threats and limit internal applications access to authorized personnel.
Data Collected	Event time Logon user User principal name User display name Event information OS name Endpoint GUID Host name External IP Endpoint IP
Console Location	Cyber Risk Overview App > Data source configuration > Zero Trust Secure Access - Private Access > Zero Trust Secure Access

Zero Trust Secure Access - Internet Access
Description	Data from Zero Trust Secure Access - Internet Access and AI Service Access allows for actionable analysis of user access to web applications outside your corporate network to detect potential threats.
Data Collected	Event time Identity ID Username User principal name Payload size Body size Access duration AD domain Department Request URL URL category Device name Action Malware type Malware name Profile name App ID App name App category Location
Console Location	Cyber Risk Overview App > Data source configuration > Zero Trust Secure Access - Internet Access > Zero Trust Secure Access

THIRD-PARTY DATA SOURCES

Microsoft Entra ID
Description	Data from Microsoft Entra ID data gives you visibility into user and device profiles, user and device behaviors, user public cloud app access, and potential account compromise events or misconfigurations.
Data Collected	User information User ID User display name User principal name IP address Groups Location (city, state , country) Email address Job title Department Given name Surname Email nickname IM addresses Last password change datetime Applications being used App ID App display name Client app used Sign-in logs Sign-in initiated time Device detail (Browser and OS) Location Status Conditional access status Correlation ID Risk state Risk detail Risk level aggregated Risk level during sign-in Risk event types Resource display name Resource ID
Console Location	Cyber Risk Overview App > Data source configuration > Microsoft Entra ID > Manage permissions and integration settings in Third-Party Integration

Active Directory (on-premises)
Description	Data from Active Directory (on-premises) gives you visibility into your internal user accounts and devices.
Data Collected	User information Canonical name Username SAM account name User principal name User display name Description Distinguished name Given name Surname Email address Company name Department Job title SID Account enabled Domain Direct parent group All parent groups Usage location Last password change time Group information Canonical name Description Distinguished name Member SAM account name Display name Email address Direct parent group All parent groups Direct members All members Computer information Canonical name Distinguished name Country code Display name Description SAM account name DNS host name Bad password time Bad password count Last logon Last logoff Logon count OS Service principal name Direct parent group All parent groups Event log Timestamp Agent ID System event ID System time created System security System computer IP address IP port Logon type Member SID New UAC value Old UAC value Password last set Primary group ID Privilege list Process ID Process name Service name Service SID Status Sub-status Subject domain name Subject logon ID Subject username Subject user SID Target domain name Target linked logon ID Target logon ID Target SID Target username Target user SID Virtual account Workstation Workstation name
Console Location	Cyber Risk Overview App > Data source configuration > Active Directory (on-premises) > Configure Active Directory in Third Party Integration

Nessus Pro Tenable Security Center
Description	Data from Nessus Pro or Tenable Security Center (formerly Tenable.sc) gives you insight into on-premises device information and CVE detections in operating systems and applications.
Data Collected	Host FQDN NetBIOS name BIOS UUID Workgroup Host name Device OS Logon user IP address MAC address CVE ID
Console Location	Cyber Risk Overview App > Data source configuration > Nessus Pro > Configure Nessus Pro in Third Party Integration Cyber Risk Overview App > Data source configuration > Tenable Security Center > Configure integration settings in Third-Party Integration

Microsoft 365
Description	Data from Microsoft 365 gives you access to app metadata, system configuration information, usage data, and activity data. Collected data contributes to system misconfiguration and compliance checks, Microsoft 365 app usage reports, and reports on behavior that contributes to user risk analyses. Accessed apps include: OneDrive SharePoint Outlook Teams
Data Collected	Microsoft 365 configuration for OneDrive SharePoint Outlook Teams OneDrive activity report Report refresh date User principal name Deleted Deleted date Last activity date Files viewed or edited (count) Files synced (count) Files shared internally (count) Files shared externally (count) Products assigned Report period OneDrive usage report Report refresh date Site URL Owner username Owner principal name Deleted Last activity date Files (count) Active files (count) Storage used (Byte) Storage allocated (Byte) Report period SharePoint activity report Report refresh date User principal name Deleted Deleted date Last activity date Files viewed or edited (count) Files synced (count) Files shared internally (count) Files shared externally (count) Pages visited (count) Products assigned Report period SharePoint site usage report Report refresh date Site ID Site URL Site owner username Site owner principal name Deleted Last activity date Files (count) Active files (count) Page views (count) Page visited (count) Storage used (Byte) Storage allocated (Byte) Root web template Report period Outlook email app usage report Report refresh date User principal name Display Name Deleted Deleted date Last activity date Outlook (Mac) Outlook (Windows) Outlook (Mobile) Mobile Outlook on the web POP3 app IMAP4 app SMTP app Report period Mailbox usage report Report refresh date User principal name Display name Deleted Deleted date Created date Last activity date Item count Storage used (Byte) Issue warning quota (Byte) Prohibit send quota (Byte) Prohibit send/receive quota (Byte) Deleted Item Count Deleted Item Size (Byte) Report period Email activity report Report refresh date User principal name Display name Deleted Deleted date Last activity date Send actions (count) Receive actions (count) Read actions (count) Products assigned Report period Microsoft Teams user activity report Report refresh date User principal name Last activity date Deleted Deleted date Products assigned Channel messages (count) Chat messages (count) 1:1 calls (count) Total meetings (count) Other activity Report period
Console Location	Cyber Risk Overview App > Data source configuration > Microsoft 365 > Manage Entra ID permissions and integration settings in Third-Party Integration

OKTA
Description	Data from Okta gives you visibility into user profiles and behavior, and user public cloud app and device usage.
Data Collected	User information User ID User display name User principal name Location (country, state, city) Job title Email address User type Company name Department Given name Surname Nickname Group Second email address Account create datetime Last password change datetime Sign-in logs Sign-in event time User principal name Endpoint IP address Request URI Device OS Device browser User ID User display name Location (country, state, city, postcode, geolocation) Sign-in status
Console Location	Cyber Risk Overview App > Data source configuration > Okta > Configure Okta integration settings in Third-Party Integration

Open LDAP
Description	Active Directory data from your OpenLDAP server gives you visibility into your internal user accounts.
Data Collected	User information UUID CSN DN CN Display name Domain name Surname Given name Mail GECOS GID number UID UID number Home directory Login shell Direct parent group All parent group Group information UUID CSN DN CN Domain name Direct members All members
Console Location	Cyber Risk Overview App > Data source configuration > OpenLDAP > Configure OpenLDAP integration settings in Third-Party Integration

Qualys
Description	Data from Qualys gives you visibility into additional CVE detections on managed devices along with detailed asset profile information.
Data Collected	Hostname Host ID Device OS Logon users Last logon user IP address MAC address Vulnerability list
Console Location	Cyber Risk Overview App > Data source configuration > Qualys > Data upload permission > Off

Rapid 7 - InsightVM / Nexpose
Description	Data from Rapid7 gives you visibility into additional CVE detections on managed devices, along with detailed asset profile information.
Data Collected	ID IP address MAC address Hostname OS Services Software installed Users User groups Vulnerability list
Console Location	Cyber Risk Overview App > Data source configuration > Rapid7 - InsightVM > Data upload permission > Off Cyber Risk Overview App > Data source configuration > Rapid7 - Nexpose > Configure integration settings in Third-Party Integration

Splunk - Network Firewall / Web Gateway Logs
Description	The Cyber Risk Exposure Management for Splunk app provides website access log data to TrendAI Vision One™, giving you insight into user public cloud application access based on firewall and web gateway activity.
Data Collected	Event time Source IP address Hostname: from where the event is initiated Website: the URL Count: aggregated times of the access Username: user who initiates the event
Console Location	Cyber Risk Overview App > Data source configuration > Splunk - Network Firewall / Web Gateway Logs > Configuration Guide

Tenable Vulnerability Management
Description	Data from Tenable Vulnerability Management gives you visibility into additional CVE detections on managed devices, along with detailed asset profile information.
Data Collected	ID Agent UUID Agent names Software installed IP address MAC address OS Hostname Vulnerability list
Console Location	Cyber Risk Overview App > Data source configuration > Tenable Vulnerability Management > Data upload permission > Off

Tanium Comply
Description	Data from Tanium Comply gives you visibility into additional CVE detections on managed devices along with detailed asset profile information.
Data Collected	Endpoint name Domain name IP address MAC address OS Last logon user Software installed Vulnerability list
Console Location	Cyber Risk Overview App > Data source configuration > Tanium Comply > Data upload permission > Off

Internet Facing Assets Rescana
Description	Data gives you visibility into your organization’s internet-facing assets, including application vulnerabilities and system misconfigurations, allowing you to manage your external attack surface.
Data Collected	Domain Hostname IP Tags: categories of asset Running services OS ISP Cloud provider Geolocation SSL CPE: version of applications on assets Vulnerability list
Cyber Risk Overview	Attack Surface Discovery App > Internet Facing Assets > Domain / Public IP > Remove Cyber Risk Overview App > Data source configuration > Rescana > Data Upload > Off

Claroty xDome
Description	Data from Claroty xDome gives you visibility into additional CVE detections on managed devices along with detailed asset profile information.
Data Collected	Device ID Risk score OS category Labels Device type family Vulnerability list MAC address list Device subcategory Assignees Network list Model Device type Device category IP address list
Console Location	Cyber Risk Overview App > Data source configuration > Claroty xDome > Data upload permission > Off

Salesforce
Description	Data from Salesforce gives you access to metadata and information on system misconfigurations for use in compliance and risk assessments.
Data Collected	Tenant ID Tenant name Tenant description URL Contact information Location Security settings
Console Location	Cyber Risk Overview App > Data source configuration > Salesforce > Configure integration settings in Third-Party Integration

Github
Description	By installing and enabling TrendAI Vision One™ SSPM, you grant Trend Micro permission to access your GitHub organization metadata and information on system misconfigurations for use in compliance and risk assessments.
Data Collected	Organization ID Organization name Organization login Organization URL Organization type Security settings Member information Repository information
Console Location	Cyber Risk Overview App > Data source configuration > GitHub > Configure GitHub integration settings in Third-Party Integration

Greenbone
Description	Data from Greenbone gives you insight into on-premises device information and CVE detections in operating systems and applications.
Data Collected	Operating systems containing CVEs Applications containing CVEs
Console Location	Cyber Risk Overview App > Data source configuration > Greenbone > Configure integration settings in Third-Party Integration

Google Cloud Identity
Description	Data from Google Cloud Identity gives you visibility into user profiles, user and group behaviors, and account misconfigurations.
Data Collected	Please refer to https://success.trendmicro.com/en-us/solution/ka-0015569
Console Location	Cyber Risk Overview App > Data source configuration > Google Cloud Identity > Configuration guide

CyberArk
Description	Data from CyberArk gives you visibility into user details, user behaviors, and potential user account misconfiguration.
Data Collected	User information Display Name Email Last Invite Last Login Status Organization User ID User type Login Name Applications being used App ID Device Application Name Version Managed App Status Mobile App Type Identifier Risk event User ID Username Event ID Event type Risk score Risk level Risk reason
Console Location	Cyber Risk Overview App > Data source configuration > CyberArk > Configure CyberArk and grant the required permissions in Third-Party Integration

Nazomi Vantage
Description	Data from Nozomi Vantage gives you visibility into OT and IoT network asset information, CVE detections, and alerts that contribute to risk analysis.
Data Collected	Assets ID Name IP MAC address Vendor Type OS Alerts ID Name Description Severity MAC address IP Risk Protocol Port Vulnerabilities ID Asset ID Score CVE Software list
Console Location	Cyber Risk Overview App > Data source configuration > Nozomi Vantage > Configure integration settings in Third-Party Integration

SentinelOne Singularity
Description	Data from SentinelOne Singularity gives you visibility into data from your SentinelOne Singularity-managed endpoints, including device context, misconfigurations, and CVE detections.
Data Collected	Devices ID Name Internal IP OS Family MAC address Risk Events ID Name Description Severity Status Classification Confidence level Attack techniques Asset information Process information Assignee Analytics Vulnerabilities CVE information Software information Asset information Workflow & Assignment
Console Location	Cyber Risk Overview App > Data source configuration > SentinelOne Singularity > Configure integration settings in Third-Party Integration

ServiceNow CMDB
Description	Data from ServiceNow Configuration Management Database (CMDB) gives you increased visibility into the relationships between and attributes of devices within your organization's infrastructure.
Data Collected	Computer Server Application Database Instance Storage Server Storage Device IP Address IP Firewall CI Relationship
Console Location	Cyber Risk Overview App > Data source configuration > ServiceNow CMDB > Configure integration settings in Third-Party Integration

Sandbox Analysis App

Users can disable data collection by disabling submissions.

Data Collected	Data transmitted relates to user submitted object. File Name File Content Archive file password File password Command line arguments URL
Console Location	THREAT INTELLIGENCE > Sandbox Analysis > Submission Settings To enable: Set the daily reserve value to anything between 1 and 10,000. To disable: Set the daily reserve value to 0. ^{Click the image to enlarge.}

Network

TrendAI Vision One™ Virtual Network Sensor
Data Collected & Console Location	TrendAI Vision One™ Virtual Network Sensor includes some modules which may cause the corresponding personal data to be transmitted to Trend Micro. Detailed information, instructions to opt-out of the personal data collection, as well as modules that cannot be disabled are provided in this article: TrendAI Vision One™ Virtual Network Sensor Data Collection Notice.

Service Gateway

Service Gateway Management
Description	When the Service Gateway appliance is registered to TrendAI Vision One™/Service Gateway Management, it will provide the appliance related information back to TrendAI Vision One™. Customers can disconnect/delete this appliance to disable it via TrendAI Vision One™ Service Gateway Management.
Data Collected	Hostname IP address MAC address DNS Customer proxy NTP Server DISK usage CPU usage Memory usage Network throughput Product name of connected devices Connections summary
Console Location	Workflow and Automation > Service Gateway Management
Console Settings

Service Configuration

Service Configuration In Service Gateway
Description	Service Gateway Management opens the service configuration API to service owner, and the detailed configurations are different from service to service.
Data Collected	Specified by the service owner which registers and stores the configuration in Service Gateway.
Console Location	Workflow and Automation > Service Gateway Management > Appliance > Manage Services
Console Settings

Local Active Update Service

Service Gateway Management
Description	When the Service Gateway appliance is registered to TrendAI Vision One™/Service Gateway Management, and enables Active Update service, SG will provide connected product status.
Data Collected	AU URL Specified by the customer the Trend Micro product AU URL and service gateway local AU URL.
Console Location	Workflow and Automation > Service Gateway Management > Appliance, in the Installed Services table, choose ActiveUpdate Service, and then click the "Settings" button

Forward Proxy Service

Service Gateway Management
Description	When the Service Gateway appliance is registered to TrendAI Vision One™/Service Gateway Management, and enables forward proxy service, SG will provide connected product status
Data Collected	Product Status The Trend Micro product name connected to SG and connect time
Console Location	Workflow and Automation > Service Gateway Management > Connected Products/Servers

Smart Protection Service

Service Gateway Management
Description	When the Service Gateway appliance is registered to TrendAI Vision One™/Service Gateway Management, and enables Smart Protection Service, SG will provide connected product status.
Data Collected	Product Status The Trend Micro product name is connected to SG and connect time
Console Location	Workflow and Automation > Service Gateway Management > Connected Products/Servers

SecOps for Cloud

Cloud Detections for AWS CloudTrail
Description	This information is used to analyze threats to customers' AWS account activity.
Data Collected	AWS account ID AWS CloudTrail configuration AWS CloudTrail events
Console Location	This feature cannot be disabled.

Data Security

Data Posture

Data Collected	AWS Account ID AWS Macie Configuration AWS Macie Custom Data Identifier AWS S3 Bucket Name AWS S3 Bucket Meta Data
Console Location	Login to TrendAI Vision One™ Portal > Service Management > Cloud Accounts ^{Click the image to enlarge.}

Data Policy

Define the data policy for network location where the sensitive files are, and Data Detection and Response sensor will base on the policy to track all sensitive files on the endpoint.

Data Collected	Network URI
Console Location	TrendAI Vision One™ > Data Security > Data Policy
Console Settings	Turn on or off by switching the toggle.

Data Inventory

Display what sensitive files resided in the endpoint and offer the ability of filter what user interested by asset type, matched policy, file extensions etc.

Data Collected	Endpoint GUID Host name Username IP address URL File name & full path Windows event log
Console Location	TrendAI Vision One™ > Data Security > Data Inventory > All files TrendAI Vision One™ > Data Security > Data Inventory > Local devices
Console Settings	In TrendAI Vision One™ > Endpoint Security > Endpoint Security Policy: Modify the existing policy or add policy. In sensor setting, turn on the Endpoint sensor detection and response. Data Detection and Response sensor will be shown as follow.

IR Platform

IR Toolkit
Description	Forensics App will deploy the IR Toolkit which has Command Line Interface for data collection, encryption and upload to cloud through Internet.
Data Transmitted to Trend Micro	Master File Table (File metadata) Basic Info (OS info, Hardware Information) Host Process Information Network Active Connection Network Information AutoStartUp Information Background Service Task scheduler information Application/service Log System Log (Amcache, Shimcache) Account Information User Activity (Shellbag, Browser History) Event Log Microsoft Windows Registry
Feature Configuration Location	TrendAI Vision One™ Menu > XDR > Forensics

TrendAI Vision One™ Data Center Locations

Region/Country of Purchase	Data Center Location for Microsoft Azure ^{Future Site for new Customers}*	Data Center Location for AWS ^{Future Site for new Customers}*
USA	East US - N. Virginia	East US - N. Virginia
Canada	Canada Central	Canada Central
EU	West Europe - Netherlands	Frankfurt, Germany
Japan	Tokyo, Japan	Tokyo, Japan
SG	Singapore	Singapore
ANZ	Australia Central *Canberra, Australia	Sydney, Australia
India	Mumbai	Mumbai
Middle East and Africa	UAE	UAE
UK	UK South	London

Was this article helpful?