Skip to main content
Version: 25.09

Dataflow Components

Cyberhaven’s dataflows provide a detailed, event-by-event narrative of how data moves through your environment. Each dataflow is composed of discrete events, and every event is defined by its Source and Destination. Understanding these components is essential for interpreting dataflows and investigating incidents.

Source

The Source represents the origin of the data in a specific event within the dataflow. It answers the question: “Where did the data come from at this step?”

  • Location: The physical or logical place where the data originated (for example, a user’s workstation, a cloud storage service, an email server, or a specific application).
  • Content: The specific data object being handled (such as file name, file type, or document hash). Cyberhaven tracks the content even if it is copied, compressed, or renamed, ensuring continuity in the dataflow narrative.
  • User: The identity of the person or system that initiated the action at the source (for example, the username or account that owned or accessed the data at its origin).

Destination

The Destination is where the data is sent or handled as a result of the event. It answers, “Where did the data go next?”

  • Location: The endpoint or service receiving the data (for example, another device, a cloud application, a website, or external storage).
  • User: The identity of the person or system at the destination (for example, the user who received, opened, or further processed the data).
  • Action: The specific operation performed to move or manipulate the data (download, upload, copy, move, rename, compress, open, attach, etc.). Simplified Lineage shows only core user actions, while Legacy Lineage includes background processes.

How These Components Work Together

Each event in a dataflow is defined by a Source and a Destination, with their respective attributes. For example, when a user downloads a file from a cloud service to their laptop:

  • Source: Cloud storage (Location), file name and hash (Content), cloud account (User)
  • Destination: User’s laptop (Location), local user account (User), download (Action)

By following these components across events, Cyberhaven reconstructs the complete journey of data, even as it is manipulated, copied, or renamed.