
Configurations

Add a new Configuration

1. On the Integrations page, under Configuration, click on Add New.

2. In the Create New Configuration pop-up window, provide the following information.

a. Name: Enter a name to identify the integration profile.

b. Destination: Select a destination you previously created from the drop-down list.

c. Source: Select the source of the logs you want to send. The options are Events, Incidents, and Audit.

d. Schedule: The schedule is set to Immediate, meaning Cyberhaven will send the logs as soon as an event, incident, or audit log is created.

e. Enabled: Click this checkbox to start sending logs to this destination.

3. Click Save.

Edit a Configuration or Destination

Click on a configuration or a destination to view the Edit pop-up window with the configuration or destination details.

Delete a Configuration or Destination

Click on the kebab menu for the configuration or destination, then click Delete.

Connection History

You can get a detailed history of Cyberhaven's connection to your destination URL.

To view the connection history for a configuration:

1. Click on the kebab menu and click on See connection history.

2. In the Connection History window, expand each row to view the details.

3. You can filter the data by clicking on the kebab menu for each column header.

4. Additionally, you can export the data to CSV using the Export button.

Sending Payload

The destination app will receive payloads from Cyberhaven whenever an incident, event, or audit log is generated within the Cyberhaven Console. Some events may trigger multiple incidents, which can be combined into a single payload.

Incidents Payload Example

The following JSON file is an example of an incidents payload sent to the destination. It shows detailed information about a single incident.


{
  "type": "cyberhaven.com/model/v1/Incident",
  "size": 1,
  "resources": [
    {
      "id": "pLxdg40BEaRa1FzzT4ZK-cbec9b2a-1ed0-43ab-851e-902c29487807_cabd81ef-fc6a-42f4-bf6c-1fd4dadb2ef6",
      "user": {
        "id": "00000000-0000-4000-8000-000000000003:501",
        "local_username": "K6TEST-username-3",
        "local_id": "501"
      },
      "event_lineage_id": {
        "start_event_id": "cabd81ef-fc6a-42f4-bf6c-1fd4dadb2ef6",
        "end_event_id": "cabd81ef-fc6a-42f4-bf6c-1fd4dadb2ef6"
      },
      "blocked": true,
      "event_time": "2024-05-28T13:46:36.890Z",
      "trigger_time": "2024-05-28T13:46:38.276018815Z",
      "dataset": {
        "id": "pLxdg40BEaRa1FzzT4ZK",
        "name": "Local File",
        "sensitivity": "low"
      },
      "user_risk_groups": [
        {
          "id": "F1G4-ooBz5Iq1dlLfVoD",
          "name": "high risk users",
          "risk_multiplier": 1
        },
        {
          "id": "FsTxSYwBk7gwG-aEa_tL",
          "name": "departing users",
          "risk_multiplier": 1
        }
      ],
      "policy": {
        "id": "qLxdg40BEaRa1FzzYIbh",
        "name": "Local File Copy Block",
        "severity": "low"
      },
      "risk_score": 1,
      "status": "open"
    }
  ]
}

Events Payload Example

The following JSON file is an example of an events payload sent to the destination. It shows detailed information about a single event.


{
  "type": "cyberhaven.com/model/v1/Event",
  "size": 1,
  "resources": [
    {
      "id": "4471b20a-493f-495a-9fc9-4e4d33dac095",
      "timestamp": "2024-03-18T05:02:06.840248Z",
      "action": {
        "kind": "move",
        "data_size": "15913",
        "sensor_kind": "endpoint",
        "hostname": "developer-virtual-machine",
        "machine_serial_number": "VMware-56 4d 5f 39 37 68 09 99-4a ce d8 bf d4 27 75 54"
      },
      "user": {
        "id": "395f4d56-6837-9909-4ace-d8bfd4277554:1000",
        "local_username": "developer",
        "local_id": "1000"
      },
      "source": {
        "file": {
          "name": "Makefile.tmpe925d",
          "extension": "tmpe925d",
          "size": "15913"
        },
        "local_file": {
          "path": "home\\developer\\source\\sensor\\sentinel\\build\\Makefile.tmpe925d"
        }
      },
      "destination": {
        "file": {
          "name": "Makefile",
          "size": "15913"
        },
        "local_file": {
          "path": "home\\developer\\source\\sensor\\sentinel\\build\\Makefile"
        }
      }
    }
  ]
}

Audit Log Payload Example

The following JSON file is an example of an audit log payload sent to the destination. It shows detailed information about two audit log entries.

{
  "type": "cyberhaven.com/model/v1/AuditLogEntry",
  "size": 2,
  "resources": [
    {
      "id": "6133664e-bf16-41fb-8eb2-b4b3436d6ab3",
      "timestamp": "2024-09-05T15:41:36.700Z",
      "action_type": "login",
      "object_type": "auth_user",
      "object_name": "Successful login",
      "actor_type": "user",
      "actor": "qa-automation-user-1@cyberhaven-test.biz",
      "actor_id": "BOAnZ6XpOQPuEUROJcSvLH9VyvH2",
      "actor_ip": "34.171.72.205",
      "actor_user_agent": "python requests/2.31.0,gzip(gfe),gzip(gfe)",
      "severity": "medium"
    },
    {
      "id": "4ae0b14d-d6d2-4e97-b5e2-91dcd9c88845",
      "timestamp": "2024-09-05T15:41:37.846Z",
      "action_type": "login",
      "object_type": "auth_user",
      "object_name": "Successful login",
      "actor_type": "user",
      "actor": "qa-automation-user-1@cyberhaven-test.biz",
      "actor_id": "BOAnZ6XpOQPuEUROJcSvLH9VyvH2",
      "actor_ip": "34.171.72.205",
      "actor_user_agent": "python requests/2.31.0,gzip(gfe),gzip(gfe)",
      "severity": "medium"
    }
  ]
}

Payload Structure

The payload structure includes the following fields.

type - The type of event. It provides the API path.

size - The number of events included in the payload. Each payload usually contains a single incident unless an event has triggered multiple incidents.

resources - The resources that are part of this event. The sub-fields provide detailed information about the event.
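
A destination that ingests these payloads can check the envelope (`type`, `size`, `resources`) before forwarding records to a SIEM. The following Python sketch is an added example, not Cyberhaven code: the helper names `pick` and `normalize`, the flattened output keys, and the trimmed sample are assumptions, while the field names come from the payload examples above.

```python
import json

# Envelope "type" values as they appear in the payload examples on this page.
KINDS = {
    "cyberhaven.com/model/v1/Incident": "incident",
    "cyberhaven.com/model/v1/Event": "event",
    "cyberhaven.com/model/v1/AuditLogEntry": "audit",
}

def pick(obj, *path):
    """Walk nested dicts, returning None instead of raising on a missing key."""
    for key in path:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def normalize(raw):
    """Validate one payload envelope and flatten its resources (hypothetical helper)."""
    body = json.loads(raw)
    if not isinstance(body, dict):
        raise ValueError("payload is not a JSON object")
    ptype = body.get("type")
    kind = KINDS.get(ptype) if isinstance(ptype, str) else None
    if kind is None:
        raise ValueError(f"unexpected payload type: {ptype!r}")
    resources = body.get("resources")
    if not isinstance(resources, list) or body.get("size") != len(resources):
        raise ValueError("size does not match the number of resources")
    rows = []
    for r in resources:
        if kind == "incident":
            row = {"time": pick(r, "event_time"), "actor": pick(r, "user", "local_username"),
                   "summary": pick(r, "policy", "name"), "severity": pick(r, "policy", "severity"),
                   "blocked": pick(r, "blocked")}
        elif kind == "event":
            row = {"time": pick(r, "timestamp"), "actor": pick(r, "user", "local_username"),
                   "summary": f"{pick(r, 'action', 'kind')} {pick(r, 'source', 'file', 'name')}"
                              f" -> {pick(r, 'destination', 'file', 'name')}"}
        else:  # audit log entry
            row = {"time": pick(r, "timestamp"), "actor": pick(r, "actor"),
                   "summary": pick(r, "object_name"), "severity": pick(r, "severity"),
                   "source_ip": pick(r, "actor_ip")}
        rows.append({"kind": kind, "id": pick(r, "id"), **row})
    return rows

# Constructed sample: the page's incident example trimmed to a few fields.
SAMPLE = json.dumps({"type": "cyberhaven.com/model/v1/Incident", "size": 1, "resources": [
    {"id": "example-id", "blocked": True, "event_time": "2024-05-28T13:46:36.890Z",
     "user": {"local_username": "K6TEST-username-3"},
     "policy": {"name": "Local File Copy Block", "severity": "low"}}]})

if __name__ == "__main__":
    print(normalize(SAMPLE))
```

Rejecting a payload whose `size` disagrees with the length of `resources` catches truncated or tampered deliveries before they reach downstream detection rules.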