Dataflows
Cloud Access Level
The Cloud access level attribute allows you to monitor the sharing of cloud files among users with different access roles, including viewers, editors, and commenters. You can use this attribute to search for events at the destination location as well as to refine policy definitions for your cloud environment.
For example, you can use this attribute to search for all file-sharing events where the user has editor-level access.
The Cloud access level attribute supports the following operators.
- is
- is none of
Cyberhaven supports this condition for the following cloud-based applications.
- Google Workspace
- Office 365
- Box
- Slack
To utilize this condition, you must have a minimum Sensor version of 23.06.
Cloud Acting User
The Cloud acting user attribute can be used to monitor the senders and recipients of a cloud file based on their email addresses. Search for the sender or recipient using the source or destination location widgets.
The search condition allows you to specify a part of an email address, email address patterns, or a list of addresses. To learn about lists, see Searching Dataflows.
The Cloud acting user attribute supports the following operators.
- is
- starts with
- ends with
- contains
- matches regexp
- is none of
- doesn't start with
- doesn't end with
- doesn't contain
- doesn't match regexp
Currently, not all the above-mentioned operators are supported when using lists.
Cyberhaven supports this condition for the following cloud-based applications.
- Google Workspace
- Office 365
- Box
- Slack
- Dropbox
- ChatGPT
- Proton Mail
- GitHub
- Bing
- Airtable
- Expensify
- DocuSign
- Figma
- WeTransfer
- Notion
- iCloud
- Claude
Cloud App
The Cloud app attribute allows you to monitor activities related to any cloud-based service that Cyberhaven supports. Cyberhaven supports the following cloud-based applications for web-based activities and endpoint synchronization clients.
- Box
- OneDrive
- Google Drive
- Salesforce
- Dropbox
- SharePoint
- Slack
- Signal
- ChatGPT
- iCloud Drive
- Office 365
- Bing Chat
You can search for cloud apps in the source widget to add them to a dataset, or in the destination widget to refine your policies.
The Cloud app attribute supports the following operators.
- is
- is none of
Location Type
The Location type search condition allows you to specify the kind of location where data was observed in transit. Selecting "Location type" as your condition will present a dropdown of the location types that Cyberhaven is capturing. You can choose any types on the list to restrict your search to the selected locations.
File Name
Selecting "File Name" as a condition allows you to search for flows that have a filename matching your search criteria at any given time. This includes the filename from its origin as well as a copied or renamed version. This screenshot shows the results of a search for a file whose name contains the terms "client" or "list".
In the search results, Cyberhaven will display the matching events from the flow. In the following screenshot, the dataflow shows that the user copied a file containing client details to a personal drive, compressed the file, and renamed it. Even though the file has been copied and renamed, the events are still linked to the same flow.
File Type
The file type condition allows queries against files based on their filename extension.
Common Extensions
You can choose from several built-in extension types, grouped by category. That allows you to search for many similar extensions of a certain type. For instance, a presentation file could have a .PPT(X) extension for Microsoft PowerPoint, .KEY for Apple Keynote, or .GSLIDES for a Google Drive presentation; these and many more are already grouped under the "Presentations" category. You can choose the full category or click the dropdown menu on the desired category to select from the list.
Custom Extensions
If the file extension you want to search for is not on the list, you may simply type it into the filter field. The following screenshot shows a search for .RTF and .PPT extensions—both chosen from the list—and for the less common .ASDF, added manually into the search field.
File Path
The File path condition allows for searching events based on the file paths observed (or not observed) in the file interactions. The following inclusive and exclusive operators are supported for this search condition.
Inclusive Operators
- is
- starts with
- ends with
- contains
- matches regexp
Exclusive Operators
- is none of
- doesn't start with
- doesn't end with
- doesn't contain
- doesn't match regexp
The default "contains" operator will execute a wildcard search for the specified search terms, while the "doesn't contain" operator will exclude the specified terms.
Additional Search Operators
To include additional search terms for the condition, use the "OR" operator in the search field.
You can also control case sensitivity by toggling between the "a" and "A" icons.
- "a" signifies a case-insensitive search.
- "A" indicates a case-sensitive search.
The match or ignore file path delimiter toggle options provide you more flexibility when searching for file paths across different operating systems.
Exact Match Delimiters: Select this option to ensure the file path matches exactly as specified in the search condition, including all delimiters. For example, searching for "/etc/hosts" will only return paths that include "/etc/hosts" on a Linux or macOS environment.
Ignore Delimiters: Select this option to search for file paths without considering the delimiters, making the search more flexible. For example, searching for "\users\" will return results for both "\users\" and "/users/", regardless of the delimiter used in the file paths.
Domain
Using the Domain condition allows you to specify a search for data moving to or from particular domain names, whether via web browser activity or email. In most cases, Cyberhaven suggests using the "is (sub)domain of any of" operator in conjunction with the Domain condition. This will match for any hostname for the specified domain, such as mail.company.com or www2.company.com for the company.com domain, and avoid the need to specify several hostnames if you wish to treat all subdomains as part of the same dataset.
When typing "salesforce.com" into the domain field, it populates the form with matching domain names that Cyberhaven has already observed. Note that this field only captures a hostname; full URLs are covered in the next section.
If you wish to only include web or email traffic in your search results, add an additional filter for Location type and set it to the desired type (Website or Email).
URL
Cyberhaven captures the full URL observed from web browser activity. The URL will appear in the same format as usually presented in the location bar of the browser, including protocol and trailing URL parameters. For example, the following value is a URL string captured by Cyberhaven:
```
https://icloud.com/iclouddrive/144084340a/singleFileUpload?c=com.apple.clouddocs&z=com.apple.CloudDocs&dataclass=com.apple.Dataclass.CloudKit&p=23
```
You can use any part of a string like that as your URL query. The default search operator is "contains any of," meaning you could use "icloud" or "singlefileupload" or any other part of that string to return the matching dataflow.
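The difference between the Domain operator and a URL substring search, as an added Python example (not Cyberhaven code): it models "is (sub)domain of any of" as a whole-label hostname match and the URL default "contains any of" as a case-insensitive substring match. Every URL except the iCloud one quoted above is constructed, and treating the bare domain itself as a match is an assumption.

```python
from urllib.parse import urlsplit

# URL string quoted on this page.
PAGE_URL = ("https://icloud.com/iclouddrive/144084340a/singleFileUpload"
            "?c=com.apple.clouddocs&z=com.apple.CloudDocs"
            "&dataclass=com.apple.Dataclass.CloudKit&p=23")

# Constructed sample URLs for illustration (not observed traffic).
SAMPLE_URLS = [
    PAGE_URL,
    "https://mail.company.com/inbox",
    "https://www2.company.com/",
    "https://notcompany.com/upload",
    "https://company.com.files.example/upload",
    "https://files.example/redirect?next=company.com",
]


def normalize_host(value: str) -> str:
    """Lower-case a hostname and drop a trailing root dot."""
    return value.strip().lower().rstrip(".")


def host_of(url: str) -> str:
    """Hostname only: no scheme, port, path or query (what the Domain field holds)."""
    return normalize_host(urlsplit(url).hostname or "")


def is_subdomain_of_any(host: str, domains: list[str]) -> bool:
    """Model of "is (sub)domain of any of": the domain or any hostname under it.

    The comparison is on whole DNS labels, so "notcompany.com" is not
    treated as part of "company.com". Matching the bare domain is assumed.
    """
    host = normalize_host(host)
    for domain in map(normalize_host, domains):
        if domain and (host == domain or host.endswith("." + domain)):
            return True
    return False


def contains_any(text: str, terms: list[str]) -> bool:
    """Model of the URL default "contains any of": case-insensitive substring."""
    lowered = text.lower()
    return any(term.lower() in lowered for term in terms)


def over_matches(urls: list[str], domain: str) -> list[str]:
    """URLs a substring search on `domain` returns that the Domain operator would not."""
    return [
        url for url in urls
        if contains_any(url, [domain])
        and not is_subdomain_of_any(host_of(url), [domain])
    ]


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        host = host_of(url)
        print(f"{host:28} domain-op={is_subdomain_of_any(host, ['company.com'])!s:5} "
              f"url-contains={contains_any(url, ['company.com'])}")
    print("substring-only matches:", over_matches(SAMPLE_URLS, "company.com"))
```

When a dataset or policy is meant to cover one organization's hosts, the substring-only matches listed by `over_matches` are the ones to review before relying on a URL "contains" condition in place of the Domain condition.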
Website Category
Cyberhaven maintains a database of website categories that covers a wide range of domains. When the Cyberhaven Sensors communicate with domains, they will be automatically associated with one of the built-in categories. If the domain does not match any of the built-in choices, it will be categorized as "Other", one of the categories in the Website menu.
To search for flows matching one or more specific web categories, select "Website category" as your search condition and choose the desired categories from the displayed list.
Starting with version 23.12, Cyberhaven utilizes generative AI to significantly upgrade the web categories. With this enhancement, Cyberhaven introduced new web categories and redefined existing ones. Some broader categories have been divided for more precise control. For example:
- The previous "Graphics, Design and CAD" category is now split into "Graphics and Design" and "CAD and Engineering".
- "Sales and CRM," which previously included customer support tools, is now divided into "CRM, Sales and Marketing Tools" and "Customer Support Tools".
- The "Social Media" category, which previously included LinkedIn and similar professional sites, has been separated to create a distinct "Professional Networks" category.
The upgraded web categories offer a broader coverage of websites and enhance our detection capabilities.
The following table provides a before and after comparison of the web categories.
| Old Category | New Category | Description | Domain examples |
|---|---|---|---|
| Banking | Banking and Personal Finances | Websites and online platforms provided by financial institutions and financial services that enable individuals to manage their banking and personal finance activities. | chase.com, bankofamerica.com, nerdwallet.com, acme.intuit.com |
| Cloud Storage | Cloud Storage and Documents | Enterprise apps for file storage and document management. | sharepoint.com, onedrive.live.com, box.com, drive.google.com, docs.google.com, icloud.com, mega.io, documentcustodian.com |
| Consumer Instant Messaging | Consumer Messaging and Video | Text messaging and video calling apps aimed at consumers. | WhatsApp, WeChat, Telegram, Viber, KakaoTalk |
| Corporate Financial | Corporate Financial | Websites and platforms dedicated to providing financial information, services, and resources for corporations, including corporate banking, investment, accounting, and financial management. | certinia.com, coupa.com, coupahost.com, netsuite.com, acme.intuit.com, clearpar.com |
| Corporate Messaging and Conferencing | Corporate Messaging and Conferencing | Platforms and tools that enable internal and external communication within a corporation, such as instant messaging, video conferencing, and unified communication solutions. | zoom.us, teams.microsoft.com, ringcentral.com, meet.google.com, webex.com |
| Crypto Currencies | N/A | This category of websites is no longer supported. | N/A |
| File converters | Document Converters | Tools and applications that allow users to convert files from one format to another, enabling the transformation of documents, images, audio, video, and other file types into different compatible formats. | convertio.co, pdftoexcel.com, zonepdf.com, tinypng.com |
| Gambling | N/A | This category of websites is no longer supported. | N/A |
| Gaming | N/A | This category of websites is no longer supported. | N/A |
| Generative AI | AI and GenAI Tools | Tools and software leveraging artificial intelligence (AI) technologies to automate tasks, enable machine learning, natural language processing, computer vision, text and image generation, and other AI capabilities for various applications and industries. | chat.openai.com, bard.google.com, dreamstudio.ai, labs.openai.com |
| Graphics, Design and CAD | Graphics and Design | Software and tools for creating and editing visual content, including graphic design, illustration, image editing, and layout design applications. | figma.com, creativecloud.adobe.com, marvelapp.com, invisionapp.com, balsamiq.com, zeplin.io, sketch.com |
| HR and Payroll | HR, Payroll and Expenses | Applications and systems used for human resources management, including employee onboarding, recruitment, benefits administration, performance management, payroll and expenses processing. | workday.com, adp.com, gusto.com, hibob.com, concur.com, concursolutions.com, paychex.com, expensify.com, charthop.com, staffing.bain.com |
| Illegal Drugs | N/A | This category of websites is no longer supported. | N/A |
| Job Boards and Recruiting | Job Boards and Recruiting | Assistance in finding employment, tools for locating prospective employers, or employers looking for employees. | indeed.com, monster.com, flexjobs.com, wellfound.com, getwork.com, greenhouse.io, hireright.com |
| Malware and Hacking | N/A | This category of websites is no longer supported. | N/A |
| Music and Video | N/A | This category of websites is no longer supported. | N/A |
| Phishing | N/A | This category of websites is no longer supported. | N/A |
| Piracy | N/A | This category of websites is no longer supported. | N/A |
| Research and Development | Science and Education | Websites and platforms of academic institutions or that provide courses, educational resources, learning materials, educational tools and information from academic institutions and other sources. | stanford.edu, coursera.org, epfl.ch, arxiv.org, exxat.com, pinnacleseries.com |
| Sales and CRM | CRM, Sales and Marketing Tools | Customer relationship management (CRM) platforms, sales automation tools, and marketing software used to manage prospect interactions, track sales activities, and execute marketing campaigns. | salesforce.com, crm.dynamics.com, hubspot.com, crm.zoho.com, pipedrive.com, freshworks.com, copper.com, salesmate.io, insightly.com, clari.com, people.ai, aviso.com, xactlycorp.com, salesloft.com, dealcloud.com, force.com, movableink.com |
| Shopping | Shopping | E-commerce websites and platforms that enable online shopping services for consumer goods, electronics, clothing, appliances, and more. | shopify.com, ebay.com, amazon.com |
| Social Media | Social Media | Platforms and websites that enable users to connect, communicate, and share content with others, fostering online communities and facilitating social networking. This category excludes professional networking websites. | Facebook, Twitter, Instagram, Tiktok, Tumblr |
| Software Downloads | Software Downloads | Websites and platforms dedicated to hosting and providing software downloads, offering a wide range of applications, utilities, drivers, and other software programs for users to download and install on their devices. | download.cnet.com, filehippo.com, majorgeeks.com, ninite.com |
| Source Code Management | Source Code and Developer Tools | Tools and systems for version control, collaboration, editing, and tracking changes in source code repositories, facilitating efficient software development and code management. | github.com, gitlab.com, bitbucket.org, perforce.com, subversion.apache.org, sourceforge.net, visualstudio.com, colab.research.google.com |
| VPN and Proxies | VPN and Proxies | Proxy servers and other methods of gaining access to URLs in any way that bypasses URL filtering or monitoring. | mullvad.net, iVPN.net, NordVPN.com, ExpressVPN.com, SurfShark.com, privateinternetaccess.com, torproject.org |
| Web Mail | Web Mail and Calendar | Web-based email services and platforms that provide users with email functionality and integrated calendar features through a web browser. | Gmail, Outlook, AOL, Proton Mail, Zoho Mail, GMX, iCloud Mail, Yahoo Mail, Google Calendar |
| N/A | Analytics and BI | Solutions and platforms that enable data analysis, reporting, and business intelligence (BI), allowing organizations to gain insights from their data, visualize trends, and make data-driven decisions. | Google Analytics, Pendo, Fullstory, Amplitude, ai.analytics.acme, drive2profit.com, grafana.com, tableau, mode.com |
| N/A | CAD and Engineering | Software and tools for computer-aided design (CAD) and engineering purposes, facilitating the creation, modification, and analysis of technical designs and models. | autodesk.com, solidworks.com |
| N/A | Cloud Computing and Tools | Cloud computing infrastructure, platforms and services, including cloud storage, cloud databases, virtual machines, serverless computing, and development tools for building and deploying cloud-based applications. | cloud.google.com, aws.amazon.com, portal.azure.com, snowflake.com, cloudflare.com, digitalocean.com, lambdalabs.com, oraclecloud.com |
| N/A | Commercial & Industrial Equipment Supplier | Websites and platforms that provide products and equipment for commercial and industrial needs, such as office essentials, specialized machinery, etc. | radwell.com, airlinehyd.com, mcmaster.com, newark.com |
| N/A | Content Delivery Networks | Networks of distributed servers that work together to deliver web content and data to users in a fast and efficient manner. | metacdn.com, cloudflare.com, s3.amazonaws.com, s3.us-east-1.amazonaws.com, releases-cdn.liferay.com |
| N/A | Customer Support Tools | Software and platforms utilized by organizations to manage and streamline customer support activities, including ticketing systems, in-app live chat applications and knowledge bases. | zendesk.com, intercom.com, freshdesk.com, servicenow.com, helpscout.com, desk.zoho.com, kayako.com, five9.com, frontapp.com, giva.net |
| N/A | Document Signing Services | Platforms and services that facilitate the secure and legally binding signing, transfer, and storage of digital documents, eliminating the need for physical signatures. | Docusign, Pandadocs, Hellosign |
| N/A | File Transfer Services | Web-based platforms and services that enable transfer of files between individuals or organizations. | wetransfer.com, wormhole.app, ftptoday.com, sharetru.com, massive.app |
| N/A | Governance, Risk and Compliance | Solutions and frameworks that assist organizations in managing and mitigating risks, ensuring regulatory compliance, and maintaining effective governance practices, including risk assessment tools, compliance management systems, and policy frameworks. | SAI Global, MetricStream, ZenGRC, RSAArcher, Rsam, LogicGate, NAVEX Global, Compliance360, auditboardapp.com |
| N/A | Government and Military | Websites and online platforms provided by government agencies and military organizations, offering information, services, and resources related to governance, public services, national security, defense, and official government communications. | state.gov, wa.gov |
| N/A | Health and Medicine | Online resources, platforms, and websites that provide information, services, and resources related to health and medicine. | webmd.com, medscape.com, healthline.com, stanfordhealthcare.org, ormcodigital.com |
| N/A | Health Record and Clinical Trial Management | Systems and software used in healthcare or pharma settings to manage and store patient health records electronically, ensuring secure access, efficient data retrieval, and accurate documentation of medical information or clinical trial records. | EPIC, athenaOne, Kareo, TherapyNotes, Trimed, CentralReach, Allscripts, Cerner, CareCloud, eClinicalWorks |
| N/A | IT and Security Tools | Software and tools focused on managing or enhancing the security and protection of computer systems, networks, and data, including antivirus software, firewalls, intrusion detection systems (IDS), vulnerability scanners, or mobile device management systems (MDM). | Cyberhaven, Palo Alto Networks, Forcepoint, Proofpoint, MS Defender, Crowdstrike, Netskope, Zscaler, inTune, AirWatch, Jamf, skyboxsecurity, processunity.net |
| N/A | Laboratory Management and Research Tools | Domains related to supporting scientific research and streamlining laboratory operations that provide tools and resources for aiding experimental design, protocol management, electronic lab notebook, sample tracking, data management, data analysis, inventory tracking, and collaboration among researchers. | benchling.com, quartzy.com |
| N/A | Legal and Law | Law and legal websites, law firms, discussions, analysis of legal issues, or software that manages legal cases documents. | mycase.com, legalfiles.com, gunder.com, kirkland.com |
| N/A | Logistics, Shipping and Printing | Domains related to logistics, shipping, and printing services that provide tools and resources for managing transportation, freight management, delivery, and printing needs. | acme.flexport.com |
| N/A | News and Media | Websites and platforms that provide news articles, multimedia content, and updates on current events from various sources. These platforms often cover a wide range of topics, including politics, world news, business, sports, entertainment, and lifestyle. | nytimes.com, news.google.com, zawya.com |
| N/A | Professional Networks | Online platforms and communities that connect professionals from various industries and facilitate networking, collaboration, and knowledge sharing among individuals and organizations in the professional context. | linkedin.com |
| N/A | Project Management and Collaboration | Software and platforms designed to plan, organize, track, and collaborate on projects, enabling effective project scheduling, task management, resource allocation, progress monitoring, collaboration and knowledge sharing. | JIRA, Productboard, Asana, Monday, Wrike, Basecamp, Confluence, Notion, Guru, Bloomfire, Slab, Nuclino, Tettra, shortcut.com |
| N/A | Search Engines | Web-based platforms that allow users to search for information on the internet by entering keywords or phrases. | google.com, bing.com, duckduckgo.com, baidu.com, yandex.ru |
| N/A | Translation and Grammar Tools | Tools and applications designed to assist with language translation, grammar checking, spelling corrections, and proofreading. | translate.google.com, deepl.com, grammarly.com |
| N/A | Travel and Entertainment | Websites and platforms dedicated to providing information, booking services, and entertainment options and recommendations related to travel, dining, and other leisure activities. | kayak.com, expedia.com, tripadvisor.com, yelp.com, booking.com, airbnb.com, uber.com, app.navan.com |
| N/A | Vendor Management | Tools and platforms for managing relationships and interactions with vendors and suppliers, including procurement systems, contract management tools, and vendor performance tracking systems. | SAP Ariba, Vendorful, Zycus, Gatekeeper, VendorRisk, Ironclad, fieldglass.net |
Email Address
Cyberhaven records the email addresses of attachment senders and recipients tracked via the Outlook mail client or through cloud connectors to SaaS solutions, such as Office 365. Using the Email address condition provides the ability to search against email address patterns.
To search for any part of an email address, choose the Email address condition from your search. Type in any part of the email address.
Endpoint Application
Cyberhaven records which applications are interacting with data from the endpoint. When applications create, read/open, or modify files, these actions are recorded in the Cyberhaven console. This provides powerful visibility over what data users are working with inside of applications, even when the network traffic may be end-to-end encrypted.
As an example, perhaps your organization has a policy against using personal instant messaging tools. Using the Endpoint application condition, you can search for data interactions that use these unapproved applications.
Endpoint App Command Line
Cyberhaven records the command-line arguments of applications that interact with data. With the Endpoint app command line condition, you can search dataflows by terms contained in the command-line arguments. In the example below, using this condition will identify any command-line arguments containing the term "crown-jewels":
The arguments are displayed when clicking on an application name in an event that is part of a flow. This screenshot depicts a flow that matches the search above: an event in which the command-line arguments include the term "crown-jewels". The user "john" was observed executing mysqldump to connect to a database host named "crown-jewels" and dump the database to a file on his endpoint.
User Name
Cyberhaven records the names of users who are logged on the endpoint for data interactions. When a user interacts with data, an event for the user will be appended to a data flow. This allows you to search for users who created, modified, or read/opened a particular piece of data.
To include a user name as part of the search criteria, add the "User name" condition to your search. In the User name condition field, you can type or copy/paste the username in question. User names observed by Cyberhaven will auto-populate matches as you type in the field.
User Group
Cyberhaven collects information on the group membership of logged-in users from endpoints running the Cyberhaven Sensor. This includes Active Directory group membership without the need to establish a direct connection with Active Directory servers.
When a user interacts with data, an event for the user and their group membership will be appended to a data flow. Clicking on a user name within an event will display the user's group membership.
To use group membership as a conditional filter, select the "User groups" condition. Enter the desired group name in the field. Group names previously observed by Cyberhaven will auto-populate matches as you type in the field.
Document Tags
Cyberhaven's content inspection engine has the ability to scan and block custom document tags inline. The document tags may be appended to various document types, such as Microsoft Office and Adobe Acrobat files. If your organization makes use of custom tags, these tags must first be defined under the Preferences > Document Tags for Cyberhaven to process