Skip to main content

Gmail Cloud Sensor

The Gmail Cloud Sensor provides visibility into Gmail activity in Google Workspace, tracking sender and recipient email addresses and attachments across your organization’s domains. Cyberhaven correlates Gmail events with browser and endpoint activity to build end‑to‑end data lineage, including when endpoint sensors are not present.

Connect Cyberhaven to Gmail

An administrator of the Google Workspace domain must grant API access via domain‑wide delegation, then connect the domain in the Cyberhaven Console.

  1. In Google Admin (https://admin.google.com), go to: Security > Access and data control > API controls > Manage domain‑wide delegation.
  2. Click Add new.
  3. Under Client ID, enter the Cyberhaven service identifier (Client ID). Contact Cyberhaven Support to obtain your unique Client ID.
  4. In OAuth scopes, add the following (comma‑separated):
    • https://www.googleapis.com/auth/admin.directory.user.readonly
    • https://www.googleapis.com/auth/gmail.readonly
  5. Click Authorize.
  6. In the Cyberhaven Console, go to Preferences > Features control and enable Google GSuite support.
  7. Navigate to Cloud Sensors > Google GSuite > Add Domain.
  8. In the popup, enter the email address of an administrator account (the same account used to grant API access in prior steps). The cloud sensor will impersonate this admin to enumerate users within the domain.
  9. Click Add Domain. The connected instance appears on the right side of the page and begins monitoring eligible Gmail events.

It can take up to one hour for events to appear in the Console after connection.

Multiple domains (advanced)

The Gmail Cloud Sensor supports monitoring multiple Google Workspace domains. By default, the configuration supports a single domain; additional domains can be added via a remote configuration setting. Contact Cyberhaven Support to enable and configure additional domains.

Troubleshooting

  • Authorization issues: Verify the domain‑wide delegation entry includes the correct Client ID and both required scopes, and that the admin email in Cyberhaven matches the delegated admin.
  • No events appearing: It may take up to one hour for events to appear. Confirm the connector shows as Connected and that Gmail APIs are enabled for your org.

Disconnect

  • To disconnect the Gmail connector, click DISCONNECT in the connector details on the Cloud Sensors page. Revoke domain‑wide delegation in Google Admin if you are fully decommissioning the integration.