Google Drive
The Google Drive Connector uses Google Workspace APIs to provide visibility into file activities within Google Drive. It enables Cyberhaven to capture and correlate user activity across browser and cloud surfaces, even when endpoint sensors are not present.
Requirements
The application requires the following permissions:
| Permission | Requirement |
|---|---|
https://www.googleapis.com/auth/admin.reports.audit.readonly | Access audit logs that record user file activities such as downloads, uploads, shares, and deletions for lineage and sensitive data movement detection |
https://www.googleapis.com/auth/admin.directory.domain.readonly | Retrieve domain-level metadata, including domain names and user associations, ensuring accurate policy enforcement |
Dependencies
- A Google Workspace Admin account.
- Permissions to enable Domain-wide Delegation in the Google Admin Console.
- Google Drive Cloud Sensor enabled in your Cyberhaven tenant (contact Cyberhaven Support to enable it on the backend).
Network
Security exclusions
Coverage
The Google Drive Cloud Sensor provides visibility into the following activities:
- Download, upload, share, open, create, move, rename, copy, delete
Event lineage is compatible with all browser extension versions (including 25.7.1 and newer, and earlier releases).
Metadata
The sensor collects the following metadata from Google Drive events:
- Cloud app
- File name (displayed as “Path” in the UI)
- File ID
- Domain
- Actor (the user performing the action)
- Action (the activity type, such as “rename” or “download”)
- Timestamp of the event
Cyberhaven correlates events across browser extension and cloud sensor using a combination of action, actor, file ID, and timestamp.
Limitations
- Copy actions appear as two separate events (source and new copy) and are not linked in lineage.
- Upload/download events may incorrectly show device as “Unmanaged” even if managed.
- Files accessed through Google Drive Sync client are not captured.