Version: 25.10 (Latest)

Platform Structure

The Cyberhaven platform secures your data using the following sensors and connected components, which collect telemetry and content for processing by the SaaS platform.

  • Endpoint Sensors
  • Cloud Sensors
  • Browser Extensions
  • Application Plugins

Endpoint Sensors

A Cyberhaven Sensor is a lightweight application that runs on the endpoint device to track all data origins and paths from every user data action. The collected metadata is then transformed into an auditable event to provide contextual history. Cyberhaven delivers attestation of your company's data journey while minimizing endpoint impact and maximizing user productivity.

Sensors capture and analyze granular user data activity to track files across all data silos and processes. The Cyberhaven cloud service analyzes and connects events in a scalable graph database, then uses data science to stitch files and events back together without tagging, modifying documents, or comparing hashes.

Events Captured

  • Uploading and downloading, opening and creating, modifying and deleting, moving and copying, and emailing of documents and files.
  • Ingress of documents, files, and emails into the enterprise.
  • Sending emails and attachments to domains inside the enterprise and to external domains.
  • Copying/cutting/pasting of content snippets between emails, files, documents, and instant messages.
  • Export of data and reports from databases and applications.
Information Stored

Note

Cyberhaven does not store files or file content, only metadata.

The following metadata is collected as part of the events that Cyberhaven collects related to data in motion and data at rest.

  • File size and hash
  • File system path and hostname
  • Application path, command line, and name
  • Browser URL and domain
  • User information (logged-in username, group membership, SID list)
  • Software installed on the endpoint
  • Hardware connected to the endpoint
  • Users connected to the endpoint
Note

To allow for performance evaluation and troubleshooting, additional telemetry is sent from the endpoint to the Cyberhaven backend, including the software version and performance measurements of the Sensors.

Browser Extension

Browser extensions provide insight into web-based data movements. They enhance data visibility and control within major web browsers.

Events Captured

  • Clipboard copy-paste actions (trace and block)
  • File uploads (trace and block)
  • File downloads (trace)
  • Incognito Mode Specifics: In incognito browser sessions, file uploads can be blocked, but copy-paste actions can only be traced, not blocked.

Information Stored

Browser extensions collect metadata including:

  • Browser Type and Version
  • Cloud App Account and Name
  • Domain, Hostname, and URL
  • IP Address
  • User Information

Application Plugins

Application plugins are installed along with the Sensor to trace and block user actions within specific applications, such as Microsoft Office.

Classic Outlook Actions (Windows-only)

Events Captured

  • Sending emails: Tracing is supported, limited to email attachments. The sensor can also block email sending. For content inspection, email sent events are considered.
  • Forwarding emails with attachments: Tracing is supported, limited to email attachments, but blocking is not available for this action.
  • Copying and pasting to Outlook: Tracing is supported, but blocking is not available.
  • Attachment add/save: These actions are considered for content inspection.
  • Received File and Saved Email Attachment: The existing (classic) Office plugin supports tracking these events.
Note

If Microsoft Outlook is running during the initial sensor installation, email flows involving Outlook will not be tracked until Outlook is restarted. The OutlookMonitor plugin can trace Outlook email attachments even if Cached Exchange Mode is disabled, provided the backend is configured. Contact Customer Support to use this capability.

New Microsoft Outlook Actions (Windows and macOS)

  • Limited scope of coverage compared to the classic Outlook plugin.
  • It primarily focuses on "Attachment Add" and "Sent file" actions.
  • This new add-in is unable to track "Received File" and "Saved Email Attachment" events.

Word, Excel, and PowerPoint Actions

  • Saving files: Tracing and blocking are supported for files saved in Microsoft Office.
  • Saving and exporting files: User action is recorded and can be blocked, though it may not be linked to the original document.
  • Embedding Microsoft Office files: User action is recorded and can be blocked (e.g., embedding .xlsx in .pptx), though it may not be linked to the original document.
  • Creating a file: Supported for content inspection.
  • Editing a file: Supported for content inspection.
  • Save as: Supported for content inspection.

Printing Operations

  • Printing to a physical printer: Tracing and blocking are supported for Microsoft Word and Microsoft Excel.

General Actions (applicable to Office apps and defined in APIv2)

  • create: Action for creation of a new object.
  • open: Object is accessed by another process.
  • save: The action of saving a new version of an existing file.
  • save_as: Save as action (renamed to Export in the UI).
  • clipboard_copy_paste: Copy and paste action.
  • send_to_printer: Action of sending content to a printer.

Information Stored

Application plugins collect metadata related to the application context and user actions, including:

  • Application name, path, and command line
  • User information (username, group membership)
  • File details (size, hash, path)
  • Event type and timestamp

Cloud Connectors

Cloud Sensors provide visibility into data movements within cloud applications and from cloud applications to unmanaged devices.

Events Captured

  • File operations (downloading, sharing, opening, uploading, moving, renaming, copying files) within supported cloud storage applications like SharePoint, Google Drive, and OneDrive.
  • Email communications (sending, receiving, and forwarding emails and attachments) within supported cloud email services like Exchange Online and Gmail.
  • User activities and access patterns within cloud applications.

Information Stored

Cloud Sensors collect metadata about user activities and cloud application context, including:

  • Cloud application name and provider.
  • Cloud app account and content URI for email attachments in O365.
  • File details (size, hash, path)
  • User information (email address, group membership)
  • Domain and domain category

Content Inspection

Content Inspection is Cyberhaven's core capability to examine data's content during movement and at rest. It enhances understanding of data context and potential risks by continuously scanning content for matches against attributes selected in your datasets.

Cyberhaven inspects a wide range of file types:

  • Text files: Content is directly compared against values defined in policies and rules.
  • Graphics: Optical Character Recognition (OCR) extracts and inspects text within images.
  • Document tags: Tags within files are compared against defined policies.
  • Other files (e.g., audio): Metadata is collected to provide contextual information.

UI & Services

This section describes the user interface and backend services that comprise the Cyberhaven platform, enabling administrators to configure policies, view data, and manage the system.

Cyberhaven Console (User Interface)

The Console serves as the central web-based interface for Cyberhaven administrators. It is where users interact with the platform to define data protection policies, monitor data activity, investigate incidents, and manage various aspects of their Cyberhaven deployment. The Console is organized into the following sections:

  • Dashboards: Provides high-level dashboards and analytics on data usage and risk. This includes two sets of dashboards:
    • Insights 360 Dashboards: Focus on general data usage and risk insights.
    • Security for AI Dashboards: Specialized views for GenAI usage and related risk insights.
  • Risks Overview: The central hub for viewing and investigating events, and understanding the detailed data lineage.
  • Visual Analytics: Offers advanced tools for exploring data, creating dashboards, identifying trends, and creating custom reports.
  • Insider Risk: Provides specific insights and tools for detecting and managing insider threats.
  • Incidents: Provides tools for investigating security incidents, responding to alerts, and leveraging Linea AI capabilities for enhanced analysis and context.
  • Object Management: Where administrators define and manage core security objects such as Datasets, Policies (Protection and Inspection), and Lists.
  • Endpoint Sensors: For managing sensor deployments, updates, and configurations across Windows, macOS, and Linux endpoints.
  • Cloud Sensors: For configuring and monitoring integrations with various cloud applications (e.g., Microsoft 365, Google Workspace, OneDrive).
  • Administration: Space to view audit logs and APIs. This includes:
    • Audit Logs: Provides a record of administrative and user activities within the Console.
    • API Specifications: Offers documentation and tools for interacting with Cyberhaven's APIs.
  • Preferences: Configure various system-wide settings and advanced options:
    • Users and API Keys: Manage user accounts, user authentication, and API key access.
    • Roles and Scopes: Define and assign user roles and their associated permissions and scope.
    • Directories and User Mapping: Configure integration with cloud-based user directories and map users with Cyberhaven.
    • Linea AI Configuration: Configure the sources or destinations you want to exclude from Linea AI analysis.
    • Content Matching: Define the sensitive data you want Cyberhaven to inspect. This includes:
      • Content Identifiers: Define patterns for sensitive data.
      • Exact Data Matching (EDM): For highly precise identification of specific structured data.
      • Document Tags: For classifying documents with custom labels.
    • Logo Settings: Customize the logo displayed in user-facing notification messages.
    • Authentication Providers: Set up and manage authentication methods.
    • API Token Management (Legacy): Manage API tokens for securely sending data to Cyberhaven for Exact Data Matching.
    • Automatic Logout: Configure automatic logout settings.
    • External Storage: Configure external storage destinations for content capture.
    • Integrations: Set up outbound integrations to external systems.

Backend Services

These services operate in the cloud (SaaS platform) and provide the core intelligence behind the Cyberhaven platform. They are responsible for processing collected telemetry and content received from the endpoint, performing advanced analytics, and enforcing policies.

  • Data Ingestion & Processing: Receives telemetry and content from sensors and components.
  • Data Lineage: Analyzes and connects disparate events in a scalable graph database to stitch together complete data journeys.
  • Content Inspection Engine: Processes content using Content Identifiers, EDM, and Document Tags to classify sensitive data.
  • Policy Engine: Applies defined policies (Monitor, Warn, Block) based on detected data activity and content matches.
  • Incident Management: Processes and correlates events into incidents for security teams.
  • API Services (v1.0 & v2.0): Exposes programmatic interfaces for querying data (events, incidents, audit logs) and managing platform configurations.