Cyberhaven Data Protection Logs
Cyberhaven logs provide comprehensive data protection and insider threat detection insights. These logs capture information about data access patterns, file movements, user behavior analytics, and security events that help organizations protect sensitive information and detect potential data exfiltration or insider threats.
Ingest Methods
Setup the ingestion of this source using the following method:
Webhook Setup
Cyberhaven integration uses webhook-based real-time incident alerts and events. This method provides immediate notification of security events without polling delays.
Required Credentials
To connect your Cyberhaven account, you’ll need to provide:
- Webhook URL - The RunReveal webhook endpoint URL generated by the RunReveal Cyberhaven source tile.
Webhook Configuration
Cyberhaven does not provide public documentation so the actual setup instructions may differ from the steps below.
In Cyberhaven Dashboard:
- Go to Integrations/Webhooks section
- Add a new webhook endpoint
- Paste the RunReveal webhook URL generated from the RunReveal source tile
- Configure any webhook settings:
- Method: POST
- Content-Type: application/json
Source Configuration
When setting up your Cyberhaven source, provide:
- Source Name: A descriptive name for your Cyberhaven source (defaults to “cyberhaven”)
- Health Check Duration: Configure how often to check source health (default: 1 day)
- Notification Channels: Set up alerts for when the source stops receiving events
Verification
After entering your webhook URL, use the “Verify Settings” button to test the connection and ensure your webhook is properly configured to receive Cyberhaven incident data.
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: cyberhaven_logs (48 columns)
cyberhaven_logs (48 columns)| Column | Type |
|---|---|
id | String |
workspaceID | String |
sourceID | String |
sourceType | String |
sourceTTL | UInt32 |
receivedAt | DateTime64(3) |
eventTime | DateTime64(3) |
eventName | String |
eventID | String |
srcIP | String |
srcASCountryCode | String |
srcASNumber | UInt32 |
srcASOrganization | String |
srcCity | String |
srcConnectionType | String |
srcISP | String |
srcLatitude | Float64 |
srcLongitude | Float64 |
srcUserType | String |
dstIP | String |
dstASCountryCode | String |
dstASNumber | UInt32 |
dstASOrganization | String |
dstCity | String |
| Column | Type |
|---|---|
dstConnectionType | String |
dstISP | String |
dstLatitude | Float64 |
dstLongitude | Float64 |
dstUserType | String |
rawLog | String |
user_id | String |
user_local_username | String |
user_local_id | String |
event_lineage_start_id | String |
event_lineage_end_id | String |
blocked | UInt8 |
trigger_time | DateTime64(3) |
dataset_id | String |
dataset_name | String |
dataset_sensitivity | String |
user_risk_groups | String |
policy_id | String |
policy_name | String |
policy_severity | String |
risk_score | UInt32 |
warning_status | String |
status | String |
created_by | String |