Gmail

Cyberhaven integrates with Google Workspace (formerly GSuite) to provide visibility into Gmail activity, including sender and recipient email addresses and attachments across your organization's domains. The Gmail Cloud Sensor uses Google APIs to retrieve events and user information from your Google Workspace environment.

Like other cloud sensors, the Gmail Cloud Sensor requires elevated privileges in your Google Workspace tenant. No service accounts are required beyond the Cyberhaven service account that is authorized through domain-wide delegation by a Google Workspace administrator.

Requirements

The application requires the following permissions to function:

| Scope | Purpose |
| --- | --- |
| https://www.googleapis.com/auth/admin.directory.user.readonly | Retrieves domain user metadata for accurate policy enforcement. |
| https://www.googleapis.com/auth/gmail.readonly | Allows the sensor to monitor email metadata (sender, recipient, and attachments) for data movement detection. |

Dependencies

  • Admin account with rights to manage domain-wide delegation in Google Workspace.
  • Ability to enable Google GSuite support from the Cyberhaven Console under Preferences > Features control.
  • A valid domain to be added under Cloud Sensors > Google GSuite in the Cyberhaven Console.
  • Cyberhaven service identifier (Client ID) from Cyberhaven Support, required to authorize API access.

Network

Security exclusions

Coverage

The Gmail Cloud Sensor provides visibility into:

  • Attachments when sending, receiving, and forwarding emails
  • Attachments in any mailbox folder except Drafts
  • Email operations from browsers and Outlook on Windows

Event lineage is compatible with all Cyberhaven browser extension versions; upgrading to the latest extension is recommended.

DLP scanning of attachments during web upload and download is performed by the Endpoint Sensor. The cloud sensor tracks sender and recipient addresses and attachment metadata, but does not read email body content.

Metadata

The cloud sensor records sender and recipient addresses and attachment metadata to build lineage. The sensor does not read or store email body content.
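
To make the metadata boundary concrete, the following Python example (added here for illustration; it is not Cyberhaven's code) pulls sender, recipient, and attachment fields from a Gmail API message resource without touching body data. It assumes the `users.messages.get` resource layout in `format=full`; the function names and the sample message are constructed for this example.

```python
from email.utils import getaddresses

# Constructed Gmail API message resource (format=full); not real data.
SAMPLE_MESSAGE = {
    "id": "constructed-msg-1",
    "labelIds": ["SENT"],
    "payload": {
        "mimeType": "multipart/mixed",
        "filename": "",
        "headers": [
            {"name": "From", "value": "Alice Example <alice@example.com>"},
            {"name": "To", "value": "bob@example.org, Carol <carol@example.net>"},
            {"name": "Cc", "value": "team-alias@example.com"},
            {"name": "Subject", "value": "Q3 forecast"},
        ],
        "body": {"size": 0},
        "parts": [
            {"mimeType": "text/plain", "filename": "", "headers": [],
             "body": {"size": 9, "data": "Ym9keSB0ZXh0"}},
            {"mimeType": "application/pdf", "filename": "forecast.pdf", "headers": [],
             "body": {"size": 48213, "attachmentId": "constructed-att-1"}},
        ],
    },
}

def _addresses(headers, names):
    """Return the sorted, lower-cased addresses found in the named headers."""
    values = [h["value"] for h in headers if h["name"].lower() in names]
    return sorted({addr.lower() for _, addr in getaddresses(values) if addr})

def _attachments(part):
    """Walk the MIME tree; yield metadata for named parts, never body data."""
    if part.get("filename"):
        body = part.get("body", {})
        yield {"filename": part["filename"], "mime_type": part.get("mimeType"),
               "size": body.get("size", 0), "attachment_id": body.get("attachmentId")}
    for child in part.get("parts", []):
        yield from _attachments(child)

def extract_metadata(message):
    """Reduce a message resource to the fields the page lists as recorded."""
    payload = message.get("payload", {})
    headers = payload.get("headers", [])
    return {
        "message_id": message.get("id"),
        # The page lists Drafts as outside coverage; flag them for exclusion.
        "is_draft": "DRAFT" in message.get("labelIds", []),
        "sender": _addresses(headers, {"from"}),
        # Alias addresses are kept as written; nothing here expands them.
        "recipients": _addresses(headers, {"to", "cc", "bcc"}),
        "attachments": list(_attachments(payload)),
    }
```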

Limitations

  • The Cloud Sensor tracks sender and recipient metadata and attachment details but does not read the actual email body content.
  • No support for user groups or email aliases. Events may appear disconnected if sent to an alias or distribution list.
  • Collaboration with Endpoint Sensors is required for DLP scanning of attachments uploaded or downloaded in the browser.