User Mapping
User mapping is the process of correlating several accounts so that they are recognised as a single entity in the Cyberhaven platform. For local user collection, Cyberhaven automatically synchronizes local user groups from on-premises Active Directory and Apple Open Directory. To synchronize from cloud locations, Cyberhaven leverages WorkOS to gather the user information used to map users in the platform.
Local User Mapping
On both Windows and macOS, the Endpoint Sensors are able to automatically synchronize the local user groups. This happens out of the box and does not require any directory integration to be set up. For instance, on Windows, the group information from domain-joined devices connected to Active Directory or Microsoft Entra ID is synchronized by the operating system. This group information is automatically synchronized by Windows when the user logs in. The Cyberhaven Windows Endpoint Sensor is able to interrogate the device and extract the group information automatically.
Similarly, on macOS, the Sensor will automatically map the endpoint users to their email address set up within Apple Open Directory. However, if you use Jamf or Kandji in your environment, then we also provide a new MDM profile to set up email-based user mapping.
Read more: User Mapping on macOS with Kandji
Read more: User Mapping on macOS with Jamf
Cloud User Synchronisation & Mapping
The Cyberhaven SaaS service integrates with Cloud Directory providers such as Microsoft Entra ID, Okta, Google, JumpCloud, SCIM, etc. using WorkOS. The integration enables Cyberhaven to map users to user accounts in your directory service to correlate local user activities. Cyberhaven uses the email address in the directory service to map each user since email addresses serve as unique identifiers. By using email-based mapping, Cyberhaven ensures accurate and reliable associations between endpoint users and the user directory.
This mapping is done in the Cyberhaven SaaS service, not by Cyberhaven Endpoint Sensors. When the mapping is complete, sensor-generated events on the Risks Overview page will contain the username as defined in your directory service. You can click on the username to view details such as the user groups related to this user in your directory.
NOTE
This feature only works with directory services that have configured email addresses.
Integrate multiple directories
Cyberhaven can integrate with multiple user directories and correlate information about a user from the different directories. This information is presented in the context of events generated by the user's activities to provide you with a comprehensive understanding of the user's actions. To identify a user across multiple directories, Cyberhaven requires a consistent email address associated with the user in all the directories. Follow the instructions in Integrating Cyberhaven with Cloud-based User Directories to add multiple directories in your Cyberhaven Console.
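Before adding several directories, it can help to confirm that each user really has the same email address in every one of them. The following check is an added example, not Cyberhaven code: it runs over constructed directory exports, and the directory names, field names, and the case-insensitive, whitespace-trimmed comparison are assumptions of the example rather than documented product behaviour.

```python
"""Pre-integration check: do accounts line up by email across directory exports?"""
from collections import defaultdict

# Constructed sample exports; directory names and field names are assumptions.
DIRECTORIES = {
    "entra": [
        {"account": "asmith", "name": "Alice Smith", "email": "Alice.Smith@example.com"},
        {"account": "bjones", "name": "Bob Jones", "email": "bob.jones@example.com"},
        {"account": "svc-backup", "name": "Backup Service", "email": ""},
    ],
    "okta": [
        {"account": "alice", "name": "Alice Smith", "email": "alice.smith@example.com "},
        {"account": "bob", "name": "Bob Jones", "email": "bjones@example.org"},
    ],
}

def normalize(email):
    """Comparison key (assumption: trim + lowercase); None if no email is set."""
    email = (email or "").strip().lower()
    return email if "@" in email else None

def check_mapping(directories):
    by_email = defaultdict(dict)  # email -> {directory: account}
    by_name = defaultdict(set)    # display name -> emails seen for that name
    unmappable = []               # (directory, account) with no email configured
    for directory, users in directories.items():
        for user in users:
            key = normalize(user.get("email"))
            if key is None:
                unmappable.append((directory, user["account"]))
                continue
            by_email[key][directory] = user["account"]
            by_name[user["name"].casefold()].add(key)
    total = len(directories)
    return {
        # Same email present in every directory: these accounts can be correlated.
        "correlated": {e: a for e, a in by_email.items() if len(a) == total},
        # Email seen in only some directories: missing there, or spelled differently.
        "single_directory": {e: a for e, a in by_email.items() if len(a) < total},
        # Same display name with different emails: likely the same person, unaligned.
        "inconsistent": {n: sorted(e) for n, e in by_name.items() if len(e) > 1},
        "unmappable": unmappable,
    }

if __name__ == "__main__":
    for section, findings in check_mapping(DIRECTORIES).items():
        print(section, findings)
```

Entries reported under "inconsistent" or "unmappable" are the accounts to align or give an email address in the directory service before integrating.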
Integrating Cyberhaven with Cloud-based User Directories
Users are automatically mapped to the email address configured in the user directory. You must integrate Cyberhaven with your cloud directory services to enable email-based user mapping.