Document Tags Configuration
The content inspection engine must be configured to look for each custom tag you wish to identify.
To configure custom tags you want Cyberhaven to read,
1. Go to Preferences -> Content matching rules -> Document Tags and click on the Add New Tag button. A new row is added at the bottom of the table.
2. Enter a name to identify the tag. This name will be displayed in the Events tab of the Risks Overview page when a file matches the tag.
3. Choose whether you want to perform an exact match or regular expression match.
4. Select whether you want to perform the tag match as case sensitive or case insensitive.
5. Enter the string or regular expression pattern of your tag.
6. Click Save.
Now Cyberhaven can identify files that match the custom tag.
To search for custom-tagged documents, use the "Document tags" condition in your search criteria.
To delete an existing custom tag, mouse over the right side of the tag you want to delete and click on the delete icon.
Change Log
Updated on 02/11/2025: Updated screenshot.
Optical Character Recognition
Optical Character Recognition (OCR) is a feature integrated with Cyberhaven’s Advanced Content Inspection license and is automatically enabled when you purchase the license. This feature does not require additional configuration.
OCR allows Cyberhaven to analyze and inspect the text within image files and scanned documents for sensitive information. With OCR enabled, Cyberhaven utilizes this capability in all content inspection scenarios and returns results for images and documents.
Prerequisites
OCR can be performed on files ranging in size from a minimum of 50 bytes to a maximum of 25 MB.
Supported File Types
The following file types are supported for OCR.
PNG
JPEG
TIFF
JPEG 2000
GIF
WebP
BMP
PNM
Content Capture
Content Capture offers an Administrator the option to retain files and other user data in a customer-owned, cloud data store, for the purpose of investigating incidents. Cyberhaven does not store any copies of customer data or images.
The Content Capture feature works in conjunction with Content Inspection, which automatically captures and records metadata surrounding users’ data interactions. Content Inspection evaluates the file content and tags for policy matches. The Endpoint and Cloud Sensors send the file with the content to Cyberhaven's backend for inspection which generates metadata related to the content usage. This metadata includes attributes such as source, destination, file path, hash value, file size, and content inspection attribute matches. Cyberhaven's backend then sends a copy of the content to a storage destination that is controlled and managed by the customer. After the data is copied to the customer-controlled storage destination, the data is immediately purged.
The Content Capture feature allows customers to retain copies of event-related files and screenshots in the storage destination of their choice, which is linked and cross-referenced with the Event/Incident metadata available in the Cyberhaven Console.
View the captured content
In the following example screenshot, a warning event was generated by a policy to monitor the printing of "EmployeeData2022.xlxs". After inspecting the content, Cyberhaven created two files, a copy of "EmployeeData2022.xlxs" and a report highlighting the exact content that matched the policy. The copy of "EmployeeData2022.xlxs" and the report were then uploaded to the destination repository, in this case, an S3 bucket. The links to the files in the S3 bucket are included in the event details.
The download under Content takes you to the location in the S3 bucket where the copy of "EmployeeData2022.xlxs" file resides.
The download under Content report takes you to the location in the S3 bucket where the report highlighting the sensitive content in "EmployeeData2022.xlxs" resides.
If Cyberhaven has Read access to the destination repository, then you can view the content report in the event details of the Risks Overview page. Click on the content attribute count and then click the Show Values tab.
If Cyberhaven has Write-only access to the destination repository, then only a link to the report file is available in the event details.
This feature is supported to work with AWS S3, Azure Blob Storage, and GCP Cloud Storage. You can configure the storage bucket with write-only or read/write permissions to be the destination repository for the captured content.
Read more about the user actions that trigger Content Capture under Coverage for Tags Inspection, Content Inspection, and Content Capture.
Screenshot Recording
In addition to Content Capture, Cyberhaven can optionally be configured to record screenshots. When the Record screenshots feature is enabled, the Endpoint Sensor can capture a series of screenshots of the user's screen for 30 seconds after a Policy violation occurs. All screenshots captured by the Sensor are relayed via the Cyberhaven backend to the same destination repository configured for Content Capture. Screenshots are only generated based on individual Policy definitions. Cyberhaven administrators can view screenshots directly in the Cyberhaven Console by clicking on View User's Screen Snapshots in the incident details.
Read more about the Record screenshots feature under Record Screenshots (EA).
AWS S3 as a Content Capture Destination
The Endpoint Sensor and Cloud Sensor require a destination repository to upload the copy of the data created after inspection. You can choose an S3 bucket as your content capture destination and set up role-based access to control permissions to the S3 bucket.
Cyberhaven requires the following permissions to access the S3 bucket.
Write (Mandatory) - To upload the captured content to the S3 bucket.
Read (Optional) - To enable you to read the content report in the Risks Overview dashboard.
Configure AWS S3 as a Content Capture Destination
The configuration process involves the following steps.
1. Create an S3 bucket to upload the captured content.
2. Create role-based access for Cyberhaven.
3. Create an IAM policy with Write or Read permissions.
4. Attach the IAM policy to the new role.
5. Configure the S3 bucket in the Cyberhaven UI.
1. Create an S3 bucket to upload the captured content
Cyberhaven recommends that you create a new S3 bucket to store the captured content.
1. Log into your AWS Management Console using an admin account, create a new bucket and enter the name and region for the bucket.
2. Keep the default selection under Object Ownership; that is, ACLs disabled (Recommended).
3. Block all public access (public access is disabled by default).
4. Depending on your requirement, you can choose to enable or disable Bucket Versioning. The default is set to Disable.
5. Keep the default selections under Default encryption; that is, the Encryption key type is Amazon S3 managed keys (SSE-S3) and Bucket Key is Enable.
6. Under Advanced settings, enable Object Lock. After enabling, check the box to acknowledge the warning message below. This setting will protect uploaded objects from being overwritten.
7. Optionally, you can configure additional bucket settings as needed.
8. Scroll to the bottom of the page and click Create bucket.
9. Copy the ARN of the bucket to a notepad. You will need the bucket ARN when defining an IAM policy with permissions to the bucket. See, 3. Create an IAM policy with Write or Read permissions.
2. Create role-based access for Cyberhaven
Cyberhaven must establish a trusted relationship with the AWS account before it can access the S3 bucket.
To establish a trusted relationship, you must create a new IAM role in the AWS Management Console and provide Cyberhaven's custom trust policy.
The setup requires you to do the following:
i. Copy the Custom trust policy from the Cyberhaven UI.
ii. Create a new IAM role for Cyberhaven.
i. Copy AWS "Custom trust policy" from the Cyberhaven UI
Cyberhaven provides a custom trust policy with the Account ID and External ID that can be copied into your AWS Management Console.
1. Log into the Cyberhaven UI and navigate to Preferences > External Storage.
2. Click on New bucket and select AWS as the Bucket type. Cyberhaven generates a unique external ID along with the account ID.
3. Copy the JSON trust policy in the AWS "Custom trust policy" section to a notepad.
ii. Create a new IAM role for Cyberhaven
Create a new IAM role and paste the AWS "Custom trust policy" from the Cyberhaven UI.
1. In the AWS Management Console, navigate to Identity and Access Management (IAM) and select Roles > Create role.
2. Select the role type as Custom trust policy.
3. In the JSON code of the Custom trust policy section, paste the AWS "Custom trust policy" you copied from the Cyberhaven UI. See, 2.i. Copy AWS "Custom trust policy" from the Cyberhaven UI.
The trust relationship looks like the example in the following image.
4. Click Next on the Select trusted entity page.
5. Click Next on the Add permissions page. In the next section, you will create a new policy with the required permissions and attach the policy to this role. See:
a. 3. Create an IAM policy with Write or Read permissions.
b. 4. Attach the IAM policy to the new role.
6. On the Name, review, and create page, enter a role name and description.
7. Click Create role.
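The trust policy you paste in step 3 is what stops any other AWS account from assuming the role: it names the vendor's account as the only principal and requires the External ID generated by the Cyberhaven UI (the standard AWS cross-account pattern against the confused-deputy problem). The following is an added example, not Cyberhaven's code. The real trust policy comes from the Cyberhaven UI and is not reproduced on this page, so SAMPLE_TRUST_POLICY is a constructed document in the standard AWS shape; the account ID 111111111111 and the external ID are placeholders. It checks that the pasted policy allows only sts:AssumeRole, only from the expected account, and only with the expected external ID.

```python
"""Sanity-check the cross-account trust policy before you create the role.

Added example, not Cyberhaven's code. The real trust policy comes from the
Cyberhaven UI and is not reproduced on this page; SAMPLE_TRUST_POLICY below is
a constructed document in the standard AWS cross-account shape (sts:AssumeRole
restricted by an sts:ExternalId condition), with placeholder IDs.
"""
import json
import re

# Constructed sample; 111111111111 and example-external-id are placeholders,
# not the vendor's values.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
})

PRINCIPAL_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|role/.+|user/.+)$")


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action and Principal.AWS."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, expected_account, expected_external_id):
    """Return a list of findings; an empty list means the trust policy does what
    the setup needs: only the vendor account may assume the role, only via
    sts:AssumeRole, and only when it presents the external ID shown in the UI."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    if not statements:
        return ["policy has no Statement"]
    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        if stmt.get("Effect") != "Allow":
            findings.append(f"{where}: Effect is not Allow")
        extra = set(_as_list(stmt.get("Action", []))) - {"sts:AssumeRole"}
        if extra:
            findings.append(f"{where}: unexpected actions {sorted(extra)}")
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws:
            findings.append(f"{where}: Principal is a wildcard; any AWS account could assume the role")
        elif not aws:
            findings.append(f"{where}: no AWS principal")
        for arn in aws:
            if arn == "*":
                continue
            match = PRINCIPAL_RE.match(arn)
            if not match:
                findings.append(f"{where}: unrecognised principal {arn!r}")
            elif match.group(1) != expected_account:
                findings.append(f"{where}: principal account {match.group(1)} is not the expected account {expected_account}")
        # The External ID condition is the confused-deputy protection: without it,
        # anyone who knows the role ARN could ask the vendor to act on their behalf.
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append(f"{where}: missing sts:ExternalId condition (confused-deputy protection)")
        elif external_id != expected_external_id:
            findings.append(f"{where}: sts:ExternalId does not match the value shown in the UI")
    return findings


if __name__ == "__main__":
    for finding in check_trust_policy(SAMPLE_TRUST_POLICY, "111111111111", "example-external-id"):
        print(finding)
```

Run it against the JSON you copied from the Cyberhaven UI, with the Account ID and External ID the UI displayed; any non-empty result is worth resolving with your AWS team before you click Create role.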
3. Create an IAM policy with Write or Read permissions
Create a new IAM policy with write-only, or read and write, permissions to the S3 bucket.
1. In the AWS Management Console, navigate to Identity and Access Management (IAM) and select Policies > Create policy.
2. On the Create policy page, select the JSON tab and paste the following JSON policy.
If you want to limit Cyberhaven's permissions to write access only, then specify the s3:PutObject action:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::cyberhaven-upload/*"
}
]
}
If you want to provide Cyberhaven write and read access to the bucket, then include s3:GetObject action as shown in the JSON policy below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::cyberhaven-upload/*"
}
]
}
More about why Cyberhaven needs read permissions: Read access.
3. Replace the "Resource" value in the JSON policy with the ARN of the bucket you copied at the end of the first procedure, keeping the /* suffix so the policy covers the objects in the bucket. See, 1. Create an S3 bucket to upload the captured content.
4. Click Next: Tags. Optionally add tags to help you identify this policy.
5. Click Next: Review.
6. Enter a policy name and description. Then click Create policy.
4. Attach the IAM policy to the new role
1. In the AWS Management Console, navigate to Identity and Access Management (IAM) and select Roles.
2. On the Roles page, search for the role you created for Cyberhaven in the second procedure. See, 2.ii. Create a new IAM role for Cyberhaven.
3. Select the role. On the role page, click on Add permissions > Attach policies.
4. On the Attach policy page, search for the IAM policy you created in the third procedure. See, 3. Create an IAM policy with Write or Read permissions.
5. Select the policy and click Add permissions.
6. On the role page, copy the Role ARN to a notepad. You will need to provide this value in the Cyberhaven UI.
5. Configure the S3 bucket in the Cyberhaven UI
1. In the Cyberhaven UI, on the new AWS bucket setup page, enter the following information.
Title to identify the S3 bucket. For example, Incident Data Storage .
Description that provides details such as the purpose of setting up the S3 bucket. For example, AWS bucket to store incident related data captured by Cyberhaven .
Bucket name copied at the end of the first procedure. For example, cyberhaven-upload .
Bucket region where the bucket was created. For example, copy us-east-1 from US East (N. Virginia) us-east-1 .
Role arn copied at the end of the previous procedure. The Role ARN should be provided in the following format.
arn:aws:iam::YOUR_ACCOUNT_ID:role/THE_ROLE_YOU_DEFINED
2. Select Enabled to enable the connection. Only one bucket can be enabled at a time.
3. Select Can read to enable Cyberhaven to read from the bucket. This option is only applicable if your IAM policy includes Read permissions.
4. Verify the configuration using the Test Connection button.
5. Click Finish Setup.
Read access
If you want to allow Cyberhaven to have read access, you must add s3:GetObject. However, be aware that this permission needs further validation from your AWS and data security teams, since it allows Cyberhaven to read from the bucket. From the point of view of the Cyberhaven product, the difference that read access makes is mostly cosmetic: you will be able to preview the content inspection match report in the Cyberhaven dashboard instead of having to go to your AWS S3 console. For screenshot capture (released as EA for Windows in 22.07 and an optional feature), read access to the bucket allows Cyberhaven to display the incident screenshots inside the Cyberhaven dashboard instead of you viewing them in your S3 bucket. Thus, read access is a nice-to-have feature, but certainly optional, and it comes with additional security implications for the stored content.
Summary of the permissions
After you configure the S3 bucket for Content Capture,
1. Cyberhaven will only have Write access to a single bucket that you own and control.
2. If you configured read access as well, then you will have the option to see the report in the Cyberhaven dashboard - in this case, Cyberhaven will have credentials to read the data in the bucket.
3. No AWS account other than the owner of the bucket is allowed to access the bucket. You can, however, grant access to other AWS users.
4. In particular, the security team investigating incidents detected by Cyberhaven will need read access to this bucket.
5. In the Cyberhaven dashboard, a link will be available in the form of the following example.
https://cyberhaven-upload.s3.amazonaws.com/<filename>
6. The above link is only accessible for reading to the AWS accounts enabled by the Cyberhaven customer. Cyberhaven will not have access to read any content in this bucket or any other bucket in your AWS environment.
Migrate from the legacy AWS S3 configuration
If you configured an AWS S3 bucket before Cyberhaven backend version v23.01, the configuration appears as an AWS Legacy configuration.
We recommend redoing the bucket configuration for better compatibility and for additional features: you can configure content storage without the intervention of Cyberhaven support, and you gain the ability to test the connection. The migration procedure is simple. Follow the instructions below:
Migration
1. You can reuse the existing bucket you already configured in your AWS account.
2. Go to the Cyberhaven dashboard -> Settings -> External Storage and change your existing legacy bucket -> change the type to AWS. This will generate the configuration for the custom trust policy to attach to the bucket.
a. If the legacy AWS bucket was using a role-based configuration, simply reuse the same configuration settings. You should only need to update the Trust relationship on the AWS side: in the AWS console, attach the new Cyberhaven trust policy to the Cyberhaven role that you created before. Follow the guide on how to add a trust policy.
b. If you had previously set up a user-based configuration, switch to a role-based configuration by following step 2 of this guide, Create role-based access for Cyberhaven.
3. Once you are done, click Test Connection to verify that everything works and click Save.
Azure Blob Storage as a Content Capture Destination
You can configure Azure Blob storage as the destination for Cyberhaven to upload a copy of the content captured after inspection such as event-related files and screenshots.
Cyberhaven requires the following permissions to access the blob storage.
Write (Mandatory) - To upload the captured content to the blob storage.
Read (Optional) - To enable you to read the content report in the Risks Overview dashboard.
Cyberhaven requires the following Azure field values to store the content.
Subscription ID and Resource group to generate a URL to the captured content.
Tenant ID, Storage account name, and Container name to identify and connect to the blob storage.
Client secret and Client ID to authenticate and access the blob storage.
Configure Azure Blob Storage as a Content Capture Destination
The process of configuring Microsoft Azure as a content capture destination involves the following steps.
1. Register Cyberhaven as an Entra ID application and copy the Application (client) ID and Directory (tenant) ID to a notepad.
2. Create a Client secret for the Entra ID application and copy the client secret key Value to a notepad.
3. Assign permissions to the Azure subscription. Copy the Subscription ID to a notepad.
4. Configure the Blob storage in your Cyberhaven tenant after you copy the Storage account name, Resource group, and Name of the container from the Azure portal to a notepad.
1. Register Cyberhaven as an Entra ID Application
To register Cyberhaven as an Entra ID Application, follow the steps below.
1. Log in to the Microsoft Azure portal, search for Microsoft Entra ID and click on it. The overview page of the default Active Directory for your organization is displayed.
2. On the left navigation bar, under Manage, click on App registrations.
3. Click on New registration. In the Register an application page,
a. Enter a name for the Entra ID application.
b. Keep the default selection for supported account types: Accounts in this organizational directory only (Single tenant).
c. Redirect URI is optional and must be left blank.
4. Click on Register.
5. From the new application's Overview page, copy the Application (client) ID and Directory (tenant) ID to a notepad. You must provide this information in the Cyberhaven tenant.
2. Create an Entra ID Client secret
To create a Client secret, follow the steps below.
1. On the left navigation bar of the new Azure Entra ID application page, under Manage, click on Certificates & secrets.
2. Click on Client Secrets and then New client secret. In the Add a client secret pop-up window,
a. Enter a description for the Client secret.
b. Set the expiration time for this key. When this key expires, you must create a new secret key and update the key in the Cyberhaven tenant.
3. Click Add. The new client secret is listed on the Certificates & secrets page.
4. Copy the Value to a notepad. You will require the Value (Client secret) in the Cyberhaven tenant.
NOTE
The secret key value is only displayed once. So, ensure that you copy the value immediately after the new client secret is created.
3. Assign permissions to the Azure subscription
Create a custom role with write-only or write & read permissions for Cyberhaven. Then assign the role to the Azure subscription that is linked to the Entra ID where you registered the new Entra ID application. See procedure 1.
Alternatively, you can assign the built-in Storage Blob Data Contributor role, which grants Cyberhaven read, write, and delete permissions on the blob storage. Read more about this built-in role in the Azure documentation.
To create a custom role, follow the steps below.
1. On the Azure portal home page, search for Subscriptions and click on it. The Subscriptions page lists all your subscriptions.
2. Click on the subscription that is linked to the Entra ID where you registered the new Entra ID application. The Overview page of the selected subscription is displayed.
3. Copy the Subscription ID to a notepad.
4. Create a JSON file with the permissions you want to provide to Cyberhaven. Open a new notepad and copy one of the following two script files.
Write-only permissions - Allows Cyberhaven to write to a specified Blob storage. Data actions can create files, rename, read, and write the metadata of the files.
{
  "Name": "custom-write-role-cyberhaven",
  "Description": "Cyberhaven can write files with this role.",
  "Actions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/write"
  ],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
  ],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/subscription-ID"]
}
Write & read permissions - Allows Cyberhaven to write to a specified Blob storage and read files in that storage. Data actions can create files, rename, read, and write the metadata of the files.
{
  "Name": "custom-role-cyberhaven",
  "Description": "Cyberhaven can write and read files with this role.",
  "Actions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/write"
  ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
  ],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/subscription-ID"]
}
5. In the script, replace subscription-ID with the Subscription ID you copied in step 3 and save the file in .json format.
6. On the Microsoft Azure portal, click on the Cloud Shell icon on the top navigation bar. The Azure Cloud Shell window is displayed at the bottom half of the page.
7. Click on PowerShell. If you have no storage accounts for this subscription, you must click Create Storage.
8. On the PowerShell navigation bar, click the Manage files icon and then click Upload.
9. Upload the JSON file you created in step 4 of this procedure. The file is uploaded to your home directory.
10. At the PowerShell prompt, run the following command to create the custom role in Azure with the required permissions.
New-AzRoleDefinition -InputFile "cyberhaven.json"
Now assign the role to the subscription. See the following procedure.
To assign a custom role, follow the steps below.
1. On the left navigation bar of the subscription, click on Access control (IAM). Then click Add > Add role assignment.
2. On the Add role assignment page, select the role you created, i.e., custom-role-cyberhaven. Click Next.
3. Under the Assign access to, keep the default selection User, group, or service principal.
4. Under Members, click Select members and select the Entra ID application you registered for Cyberhaven in procedure 1. Provide a description and click Next.
5. Additionally, you can add conditions to provide granular permissions for the selected members. Click Next.
6. Click Review + assign.
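The AWS IAM policies (3. Create an IAM policy with Write or Read permissions) and the Azure custom roles above both express the same two grants, write-only or read/write, and both contain a value you must replace before use (the bucket name in the S3 Resource ARN, the subscription-ID in AssignableScopes). The following is an added review script, not Cyberhaven's or a cloud provider's code, that serves both passages: it classifies a grant as write-only, read/write or something else, and flags what a reviewer would want to see before attaching it (wildcards, delete, a resource that is not your bucket, an unreplaced placeholder). The inputs are constructed: the page's AWS write-only policy pointed at a hypothetical bucket example-capture-bucket, and the page's Azure write-only role with the placeholder deliberately left in place.

```python
"""Review the storage grant given to Cyberhaven before you attach it.

Added example, not Cyberhaven's or any cloud provider's code. It reads the two
JSON shapes this page uses (an AWS IAM policy and an Azure custom role) and
reports whether the grant is write-only or read/write, plus anything broader
than the page asks for.
"""
import json
import re

# Constructed inputs. AWS_WRITE_ONLY is the page's write-only policy with the
# Resource pointed at a hypothetical bucket name; AZURE_WRITE_ONLY is the page's
# write-only role with the subscription placeholder deliberately unreplaced.
AWS_WRITE_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-capture-bucket/*",
    }],
})

BLOB = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/"
AZURE_WRITE_ONLY = json.dumps({
    "Name": "custom-write-role-cyberhaven",
    "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/write"],
    "DataActions": [BLOB + "write", BLOB + "move/action", BLOB + "add/action"],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/subscription-ID"],
})

# Exactly the actions the page lists for each mode.
AWS_WRITE, AWS_READ = {"s3:PutObject"}, {"s3:GetObject"}
AZURE_WRITE = {BLOB + "write", BLOB + "move/action", BLOB + "add/action"}
AZURE_READ = {BLOB + "read"}

S3_OBJECTS_RE = re.compile(r"^arn:aws:s3:::([a-z0-9.\-]+)/\*$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _classify(granted, write, read):
    """'write-only' or 'read/write' when the grant is exactly what the page
    describes; anything narrower or broader is 'other' and needs a look."""
    if granted == write:
        return "write-only"
    if granted == write | read:
        return "read/write"
    return "other"


def review_aws_policy(policy_json, expected_bucket):
    """Return (mode, findings) for an S3 object-level IAM policy."""
    policy = json.loads(policy_json)
    granted, findings = set(), []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        where = f"Statement[{i}]"
        if stmt.get("Effect") != "Allow":
            findings.append(f"{where}: only Allow statements are expected")
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"{where}: wildcard action {action}")
            granted.add(action)
        for resource in _as_list(stmt.get("Resource", [])):
            match = S3_OBJECTS_RE.match(resource)
            if not match:
                findings.append(f"{where}: {resource!r} is not '<bucket ARN>/*'")
            elif match.group(1) != expected_bucket:
                findings.append(f"{where}: resource names bucket {match.group(1)!r}, "
                                f"not {expected_bucket!r} (placeholder left in?)")
    return _classify(granted, AWS_WRITE, AWS_READ), findings


def review_azure_role(role_json, expected_subscription):
    """Return (mode, findings) for an Azure custom role definition. Only the
    data plane (DataActions) decides the mode; management-plane Actions are
    container-level operations and are not classified here."""
    role = json.loads(role_json)
    findings = []
    prefix = "/subscriptions/"
    for scope in role.get("AssignableScopes", []):
        sub = scope[len(prefix):] if scope.startswith(prefix) else scope
        if not GUID_RE.match(sub):
            findings.append(f"AssignableScopes: {scope!r} is not a subscription "
                            f"GUID (placeholder not replaced?)")
        elif sub.lower() != expected_subscription.lower():
            findings.append(f"AssignableScopes: {scope!r} is not the expected subscription")
    granted = set(role.get("DataActions", []))
    for action in sorted(granted):
        if "*" in action:
            findings.append(f"DataActions: wildcard {action}")
        elif action.endswith("/delete"):
            findings.append(f"DataActions: {action} is not needed for content capture")
    return _classify(granted, AZURE_WRITE, AZURE_READ), findings


if __name__ == "__main__":
    print(review_aws_policy(AWS_WRITE_ONLY, "example-capture-bucket"))
    print(review_azure_role(AZURE_WRITE_ONLY, "00000000-0000-0000-0000-000000000000"))
```

Feed it the JSON you are about to paste into the AWS policy editor or upload to Cloud Shell, with your real bucket name or Subscription ID; a mode of "other" or any finding means the grant is not the one this page describes.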
4. Configure the Azure Blob storage in your Cyberhaven tenant
Copy the storage account details and then provide all the information copied from the Azure portal to the Cyberhaven tenant.
Follow the steps below.
1. On the Azure portal home page, search for Storage accounts and click on it. The Storage accounts page lists all your accounts.
2. Click on the storage account you want to use as the content capture destination. The Overview page of the selected storage account is displayed.
NOTE
To get the best performance and cost efficiency, Cyberhaven recommends that you choose a Storage account in the same region as your cluster. The default is East US.
3. Copy the Storage account name and Resource group to a notepad.
4. On the left navigation bar, under Data storage, click on Containers and copy the Name of the container to a notepad.
5. Now log into your Cyberhaven tenant and navigate to Preferences > External Storage.
6. Click on New bucket and select Azure as the Bucket type.
7. Enter a title and description to identify the Azure Blob storage.
8. Paste the following values in the fields.
a. Subscription: Paste the Subscription ID copied in procedure 3.
b. Tenant id: Paste the Directory (tenant) ID copied in the last step of procedure 1.
c. Client id: Paste the Application (client) ID copied in the last step of procedure 1.
d. Client secret: Paste the Value copied in the last step of procedure 2.
e. Resources group: Paste the Resource group copied in step 3 of this procedure.
f. Storage account name: Paste the Storage account name copied in step 3 of this procedure.
g. Container name: Paste the Name of the container copied in step 4 of this procedure.
9. Select Enabled to enable Cyberhaven to write to the bucket.
10. Select Can read to enable Cyberhaven to read from the bucket. This option is only applicable if your custom role in Azure includes Read permissions. See procedure 3.
11. Verify the configuration using the Test Connection button.
12. Click Finish Setup.
Google Cloud Storage as a Content Capture Destination
You can configure Google Cloud Storage as the destination for Cyberhaven to upload a copy of the content captured after inspection such as event-related files and screenshots.
Cyberhaven requires the following permissions to access the cloud storage.
Write (Mandatory) - To upload the captured content to the cloud storage.
Read (Optional) - To enable you to read the content report in the Risks Overview dashboard.
This feature depends on Google authenticated browser downloads. If you have enabled Google Data Access audit logs on your storage bucket, then you will not be able to use Google authenticated browser downloads to fetch the captured content. A 403: Forbidden error is displayed when you attempt to download the content. See, Google Cloud documentation.
Configure Google Cloud Storage as a Content Capture Destination
To configure Google Cloud Storage as a Content capture destination, you must grant Cyberhaven principals access to the bucket.
1. Log into the Cyberhaven UI and navigate to Preferences > External Storage.
2. Click New bucket and select GCP as the Bucket type. Cyberhaven generates a ServiceAccountName.
3. Copy the service account name only. For example, release2-external storage@internal.iam.gserviceaccount.com
4. Log into the Google Cloud Console and navigate to Cloud Storage > Buckets. The list of storage buckets is displayed in the bottom pane.
5. Click on the bucket you want to use as your storage destination. The list of objects inside the bucket is displayed.
You can also create a new bucket to be your content capture destination.
6. Click on the Permissions tab. The Grant access pop-up window is displayed.
7. Under Add principals, paste the service account name you copied from the Cyberhaven UI into the New principals field.
8. Under Assign roles, select one of the following roles.
Storage Legacy Bucket Writer - To provide Cyberhaven write access only. Or,
Storage Object User - To provide Cyberhaven read and write access to the bucket.
9. Click Save.
10. In the Cyberhaven UI, enter the following information.
Title to identify the bucket.
Description that provides details such as the purpose of setting up the storage bucket.
Bucket name from the Google Cloud Console.
11. Select Enabled to enable the connection. Only one bucket can be enabled at a time.
12. Select Can read to enable Cyberhaven to read from the bucket. This option is only applicable if assigned the Storage Object User role in your Cloud Console.
13. Verify the configuration using the Test Connection button.
14. Click Finish Setup.
Coverage for Tags Inspection, Content Inspection, and Content Capture
Cyberhaven scans the content and tags when certain user actions are performed. The raw content is also captured during these actions if you have enabled the Content Capture feature. The following user actions trigger an inspection and content capture.
| User Action | Scan Content | Scan Tags |
|---|---|---|
| Downloading from a browser | Yes | Yes |
| Uploading to a browser | Yes | Yes* |
| Saving an email attachment** | Yes | Yes |
| Attaching files to an email** | Yes | Yes* |
| Copying or moving files from a USB | No | Yes |
| Copying or moving files to a USB | No | Yes |
| Creating a new file in any app | No | Yes |
| Creating a new file in Microsoft Office** | Yes | Yes |
| Editing a file in Microsoft Office** | Yes | Yes |
| Copying and pasting text snippets*** | Yes | No |
| Exporting a file from Microsoft Office** | Yes | No |
* Blocking is based on previously scanned content or tags.
** Available for Windows only.
*** Copying and pasting images including screenshots are not supported.