Skip to main content
Version: 25.09

Google Workspace (Gmail) Cloud Sensor

The Gmail Cloud Sensor provides visibility into Gmail activity in Google Workspace, tracking sender and recipient email addresses and attachments across your organization’s domains. Cyberhaven correlates Gmail events with browser and endpoint activity to build end‑to‑end data lineage, including when endpoint sensors are not present.

Before you begin, review prerequisites: Google Workspace Prerequisites

Connect Cyberhaven to Google Workspace (Gmail)

An administrator of the Google Workspace domain must grant API access via domain‑wide delegation, then connect the domain in the Cyberhaven Console.

  1. In Google Admin (https://admin.google.com), go to: Security > Access and data control > API controls > Manage domain‑wide delegation.
  2. Click Add new.
  3. Under Client ID, enter the Cyberhaven service identifier (Client ID). Contact Cyberhaven Support to obtain your unique Client ID.
  4. In OAuth scopes, add the following (comma‑separated):
    • https://www.googleapis.com/auth/admin.directory.user.readonly
    • https://www.googleapis.com/auth/gmail.readonly
  5. Click Authorize.
  6. In the Cyberhaven Console, go to Preferences > Features control and enable Google GSuite support.
  7. Navigate to Cloud Sensors > Google GSuite > Add Domain.
  8. In the popup, enter the email address of an administrator account (the same account used to grant API access in prior steps). The cloud sensor will impersonate this admin to enumerate users within the domain.
  9. Click Add Domain. The connected instance appears on the right side of the page and begins monitoring eligible Gmail events.

It can take up to one hour for events to appear in the Console after connection.

Multiple domains (advanced)

The Gmail Cloud Sensor supports monitoring multiple Google Workspace domains. By default, the configuration supports a single domain; additional domains can be added via a remote configuration setting. Contact Cyberhaven Support to enable and configure additional domains.

Coverage

The Gmail Cloud Sensor provides visibility into:

  • Attachments when sending, receiving, and forwarding emails
  • Attachments in any mailbox folder except Drafts
  • Email operations from browsers and Outlook on Windows

Note: DLP scanning of attachments during web upload/download is performed by the Endpoint Sensor. The cloud sensor tracks sender/recipients and attachment metadata, but does not read email body content.

Troubleshooting

  • Authorization issues: Verify the domain‑wide delegation entry includes the correct Client ID and both required scopes, and that the admin email in Cyberhaven matches the delegated admin.
  • No events appearing: It may take up to one hour for events to appear. Confirm the connector shows as Connected and that Gmail APIs are enabled for your org.

Disconnect

  • To disconnect the Gmail connector, click DISCONNECT in the connector details on the Cloud Sensors page. Revoke domain‑wide delegation in Google Admin if you are fully decommissioning the integration.