Skip to main content
Version: 25.06

Visual Analytics

Visual Analytics is an advanced business intelligence platform that enables our customers to easily visualize the unique data collected by Cyberhaven sensors and integrations. Cyberhaven users can interface with Visual Analytics primarily

via Dashboards, which are collections of Charts. Charts are individual visualizations. Visual Analytics includes a library of Charts and Dashboards, which will expand over time.

Benefits

The analytics dashboard enables you to easily understand your dataflows. You can,

Visually explore Cyberhaven data, leveraging our proprietary data tracing.

Easily produce Dashboards & Reports that address key use cases. Automate distribution of Dashboards & Reports (coming soon).

Features

The analytics dashboard provides the following features.

Create your own dashboard using predefined charts.

Add dashboards to favorites.

Filter dashboards by the owner, creator, status, and favorites. Download a Dashboard as an image.

Download a Chart as an image.

Export a widget as a CSV file.

Schedule reports to periodically receive snapshots of the dashboard. Create custom Charts (coming soon, requires appropriate licensing). 90 days of data are available, with the option to obtain a license for an extended data access window.

Data is refreshed on-demand, limited to one refresh per day per dashboard.

Available Data

Visual Analytics includes the following data models.

Event data including Policies

Incidents (coming soon)

Visual Analytics Dashboards are refreshed once per day. If Datasets or Policies are changed, it can take a couple of hours for this data to process and it will be reflected in the next daily refresh.

Dashboards and Charts

The Visual Analytics feature comes with predefined dashboards and charts.

Predefined Dashboards

The following dashboards are available by default.

Executive Risk Summary- View the summary of your organization's insider risk and data exposure. This dashboard gives you a breakdown of the policy violations based on users and timelines, sensitive data at risk, and the sources and destinations of the sensitive data flow. You can filter the dashboard on the following parameters.

Time range

User search

Dataset filter

Policy filter

Source location type

Action was blocked?

Event type

Dataset sensitivity

Policy severity

Generative AI Summary- View the daily risk score associated with your sensitive data flowing into AI tools. This dashboard gives you a

breakdown of the generative AI tools being used, the data flowing through these tools, and the corresponding users responsible for the data transfer. You can filter the dashboard on the following parameters. Time range

User search

Dataset filter

Policy filter

Source location type

Action was blocked?

Event type

Policy severity

Dataset sensitivity

Printer Exfiltration Summary- View the summary of policy violations using printers. This dashboard gives you a breakdown of the policy violations based on timelines, datasets, users, and printers. At the bottom of the dashboard, the table provides all the events related to the print jobs sent to printers during the selected time range. You can filter the data based on the following parameters.

Time range

User search

Dataset filter

Policy filter

Source location type

Action was blocked?

Event type

Policy severity

Dataset sensitivity

Destination location type

Removable Media Exfiltration Summary- View the summary of policy violations using removable media. This dashboard gives you a

breakdown of the policy violations based on risk scores, timelines, datasets, users, and removable media devices. At the bottom of the dashboard, the table provides all the events related to the removable media devices during the selected time range. You can filter the data based on the following parameters.

Time range

User search

Dataset filter

Policy filter

Source location type

Action was blocked?

Event type

Policy severity

Dataset sensitivity

Destination location type

Cloud App Exfiltration Summary- View the summary of policy violations using cloud apps. This dashboard gives you a breakdown of the policy violations based on risk scores, timelines, datasets, users, and cloud apps. At the bottom of the dashboard, the table provides all the events generated by user activities on cloud apps during the selected time range. You can filter the data based on the following parameters. Time range

User search

Dataset filter

Policy filter

Source location type

Action was blocked?

Event type

Policy severity

Dataset sensitivity

Destination location type

Website Exfiltration Summary- View the summary of policy violations using websites. This dashboard gives you a breakdown of the policy violations based on risk scores, timelines, datasets, users, and websites. At the bottom of the dashboard, the table provides all the events generated by user activities on websites during the selected time range. You can filter the data based on the following parameters.

Time range

User search

Dataset filter

Policy filter

Destination domain

Source location type

Event type

Action was blocked?

Policy severity

Dataset sensitivity

Destination location type

Email Exfiltration Summary- View the summary of policy violations using email. This dashboard gives you a breakdown of the policy violations based on timelines, datasets, users, and destination email domains. At the bottom of the dashboard, the table provides all the events related to emails with attachments during the selected time range. You can filter the data based on the following parameters.

Time range

User search

Dataset filter

Policy filter

Destination domain

Source location type

Action was blocked?

User Summary- View the summary of policy violations by a specific user. Using this dashboard, you can review user activities and identify user patterns and behavior. This dashboard gives you a breakdown of the policy violations based on timelines, datasets, and user activities such as uploads and copy/paste on various egress channels like web, email, removable media, etc. Each source location type includes a table with a list of all the events generated by the user for the selected time range. You can filter the data based on the following parameters. User search

Time range

Policy severity

Dataset sensitivity

Policy filter

Dataset filter

Destination type

Source location type

Action was blocked?

Event type

Policy Summary- View the policy violations summary. You can review violations to gather insights into exfiltration and identify threats. This dashboard gives you a breakdown of the policy violations based on risk scores, timelines, users, and datasets. You can filter the data based on the following parameters.

Time range

User search

Policy filter

Dataset filter

Source location type

Destination location type

Was the event blocked?

Event type

Policy severity

Dataset sensitivity

Endpoint Sensor Resource Usage- View the Sensor resource usage on your endpoint devices to evaluate their performance. This dashboard presents insights from the platform's comprehensive analysis of the Sensor's impact on endpoint devices. The performance of Sensors is classified into three categories based on CPU and memory usage thresholds:

Green: Asensor is classified as green if its CPU usage stays

below 20% and its memory usage remains under 2 GB throughout a 10-minute period.

Yellow: Asensor is classified as yellow if it exceeds the CPU

usage threshold of 20% or the memory usage threshold of 2 GB once or twice within the same 10-minute period.

Red: Asensor is marked as red if it exceeds the CPU or memory usage thresholds more than twice during the 10-minute period.

You can filter the data based on the following parameters.

Hostname

Version

OS

Trends time range

Trends group by

Detailed time range

Endpoint Sensor Resource Usage Stats- View the detailed stats of Sensor resource usage with this dashboard. It provides insights into CPU and memory usage trends, segmented by operating system type and tracked over time. The platform collects P99 telemetry to monitor Sensor performance under peak conditions. This dashboard includes a table highlighting key performance metrics from the P99 telemetry.

P50 (50th percentile): Shows the resource usage when the

sensor is functioning under normal conditions. For example, if the CPU % P50 for an endpoint is 5%, it indicates that the CPU

usage was 5% or less for half of the observed time.

P90 (90th percentile): Shows resource usage during higher

than-average conditions. For example, if the CPU % P90 is 5%, it indicates that the CPU usage stayed at or below 5% for 90% of the time, with only 10% of the time experiencing higher usage.

P99 (99th percentile): Shows resource usage during peak or near-maximum load conditions. For example, if the CPU % P99 is 5%, it indicates that the CPU usage stayed at or below 5% for

99% of the time, with only 1% of the time exceeding this level.

Cloning a predefined dashboard

You can clone a predefined dashboard using Save As.

To clone a predefined dashboard,

1. Log into the Cyberhaven tenant.

2. On the Dashboards page, click on a predefined dashboard to open it. 3. On the top right corner of the page, click on the More icon (...) and select Save As .

4. Enter a name for the dashboard and click Save.

5. Click on Dashboards at the top of the page to view the newly created dashboard.

The new dashboard will include all the predefined filters from the predefined dashboard.

Creating a new dashboard

To create a new dashboard,

1. On the Dashboards page, click the

3. Select a chart from the panel on the right side of the page. Then drag and drop the chart on the page.

4. When finished, click Save to save the charts to the dashboard. The new dashboard is displayed on the Dashboards page.

Dashboard Filters

You can apply predefined filters to dashboards and view granular data. For example, in the Executive Risk Summary dashboard, the predefined time range filter shows you the top users and their policy violations trend over the last month. You can view the trend over the last quarter or year by changing the time range filter.

The following predefined filters are available.

Time range

User search

Dataset filter

Policy filter

Destination domain

Source location type

Event type

Action was blocked?

Was the event blocked?

Policy severity

Dataset sensitivity

Destination location type

Filtering a dashboard

All the predefined dashboards include a set of predefined filters. You cannot add filters or edit the predefined filters in a predefined dashboard. However, you can create a custom dashboard and add predefined filters or edit filters.

To apply a predefined filter to a dashboard,

1. Open the dashboard and click the right-arrow icon on the far-left side of the page to expand the Filters sidebar.

2. Select from the available options for each filter. If you are selecting the time range filter, click Apply.

3. Click Apply Filters. The charts in the dashboard are refreshed to show the data based on the applied filters.

Adding filters to a dashboard

If you have created your own dashboard, you can add filters to the dashboard using the Filters panel.

To add a filter to a custom dashboard,

1. Open a dashboard and click + Add/Edit Filters in the left pane. The Add and edit filters configuration pop-up window is displayed.

2. In the pop-up window, you can edit the existing User search and Time range filters or click +Add filters and dividers > Filter to create a new filter.

Use dividers to group similar filters under a category heading.

3. In the Settings tab, select a Filter Type. The Settings options vary depending on the type of filter you select. Filter configurations are available for all filter types, except the Time Range.

Selecting a Filter Type

You can choose one of the following filter types.

Value: The Value filter type creates a drop-down menu on the

dashboard. When you select this filter type, you can choose

the associated value in the Column field. For example, the

User search filter has a column value

source.local_user_name that populates the list of local

usernames in the filter's drop-down menu.

Numerical range: The Numerical range filter type creates a

slider on the dashboard. You can choose from a range of

numeric values. For example, when you select the Column

value as source.data_size , you can apply the filter based on

the range of data in bytes.

Time range: The Time range filter type creates a button on the

dashboard. You can set a default time range for the filter such

as Last month. When you click on the button, the Edit time

range pop-up window is displayed.

Time column: The Time column filter type creates a drop-down

menu on the dashboard. This filter type can be used to define

a universal time attribute for all the charts in the dashboard.

This filter type is useful if you have individual time attributes

defined at the chart level and you want to filter based on a

single time attribute. You can select different time attributes

from the drop-down menu such as, local_time ,

source.local_time , destination.local_time .

Time grain: The Time grain filter type creates a drop-down

menu on the dashboard. You can use this filter to view granular data in the charts for the selected time range. For example, if the time range is set to Last month, then the data in the charts are displayed for each day of the last month. By default, the time grain in the charts is set to Day. You can select a different time grain to view the same data by the second, minute, hour, week, month, quarter, year, etc., depending on the selected time range.

4. Next, enter a filter name.

5. If applicable, select from the available filter configuration options.

Selecting Filter Configurations

The following configuration options are available.

Values are dependent on other filters: This option is available

when you select the Value filter type. You can enable this

setting to create a relationship between Value type filters. In

the example screenshot, we've created a "User search" filter

that depends on the "User group" filter. The user search

options are limited based on the user group you select.

Pre-filter available values: This option is available when you

select the Value or Numerical range filter types. The pre-filter

can be used to populate a refined list of values in the filter's

drop-down menu. For example, the Column value

source.local_user_name populates a list of all the local

usernames. You can apply a simple pre-filter such as

source.local_groups.name = `Domain Admins` creating a

pre-filtered list of local usernames that are part of the "Domain

Admins" user group. You can also click on the Custom SQL tab

and define a pre-filter using a custom SQL query.

Sort filter values: This option is available for all filter types, except

the Time range. You can sort the outcome of the filter in ascending or descending order. If you are using the Value filter type, you can

additionally select a metric to sort the dataset.

Single value: This option is available when you select the

Numerical range filter type. You can set a limit on the numerical

value or range when selecting the numerical range filter.

The following options are available.

Minimum: Select this option to set the starting number

for the range. The numerical range filter will have a

single anchor point on the slider where you can set the

minimum number as shown in the screenshot. The filter

is applied to all charts where the data sizes are greater

than or equal to 5.15B.

Exact: Select this option to set an exact number. The

numerical range filter will have a single anchor point on

the slider where you can set the exact number as

shown in the screenshot. The filter is applied to all

charts that match the data sizes equal to 5.15B.

Maximum: Select this option to set the ending number

for the range. The numerical range filter will have a

single anchor point on the slider where you can set the

maximum number as shown in the screenshot. The

filter is applied to all charts where the data sizes are

less than or equal to 5.15B.

6. Include a description of the filter that explains its purpose. When you add a filter description, a tooltip is included beside the filter.

7. Apply filter settings to manage the filter values.

Managing Filter Values

The following filter settings are available.

Filter has default value: Select this option to set default values

for the filter based on the values available from the selected

Column.

Filter value is required: Select this option to enforce the use of

a default filter value. The user must provide a default value

before applying the filter.

Select first filter value by default: This option is only available

for the Value filter type. When this option is selected, the filter

will automatically set the first value in a column's data as the

default filter value. You cannot manually set a value under

"Filter has default value".

Can select multiple values: This option is only available for the

Value filter type. Select this option to enable multiple value

selections in "Filter has default value".

Dynamically search all filter values: This option is only

available for the Value filter type. Select this option to enable

dynamic searching of filter values. If you have large data sets,

then this option will match the text as you type in the filter text

box and improve the process of selecting values.

Inverse selection: This option is only available for the Value

filter type. Select this option to exclude the value you specify in

your filter. For example, the screenshot below shows the

destination app filter where Dropbox is the selected value.

When this filter is applied, then all values except Dropbox will

be displayed on the dashboard.

8. Select the Scoping tab to control the charts to which you want to apply the filter. By default, the filter is applied to all charts. If you want to apply

the filter to specific charts, select Apply to specific panels and then deselect the charts you want to exclude from the filter.

9. When finished, click Save.

Dashboard Reports

Reports provide a snapshot of the entire dashboard as an image and a PDF attachment. You can schedule reports to receive periodic updates about the data in your dashboards. The reports are sent to you as an email notification at the scheduled frequency.

You can schedule reports using one of the following two methods. Option 1: Setup from the dashboard

This option provides a quick and straightforward way to schedule reports to be sent to the owner of the dashboard.

1. Open the dashboard for which you want to schedule reports and click on the three dots (...). Click Set up an email report.

2. In the Schedule a new email report dialog box, enter a report name and description. Then select the schedule and timezone.

Example

In the example screenshot above, the report is scheduled to be sent every week on Monday at noon, Pacific Standard Time. If you don't select the day of the week, then the report is sent every day of the week.

3. Click Add.

Option 2: Add Report

The Reports tab on the Visual Analytics page provides you with advanced options to configure reports. This page displays the list of scheduled reports, the schedule, creator, owners, and active status of each report. On the top of the page, you can see when this page was last updated.

1. Click the button.

2. In the +Add Report dialog box,

Enter a name for the new report.

Select the owners from the drop-down list. Only the owners of the report can edit the report.

Enter a description to explain the purpose of the report.

The Active toggle switch is automatically enabled which means you will start receiving reports for the dashboard as per the

schedule.

Under Report schedule, select the frequency at which you want to receive reports. You can select the day, week, month, year, and time(s) of the day when you want the report sent.

Select the timezone from the drop-down list.

Example
In the example screenshot above, the report is scheduled to

be sent every year from February to April, and August to

October on the 28th day of each month at 6 am and 6 pm,

Pacific Standard Time. If the date selected does not exist for

a month, then no report for that month. For example, if you

select the 30th day, then you will not receive a report in the

month of February.

3. Select the dashboard for which you want to receive reports and add the email address of the recipients.

4. Click Add.