KnowBe4

About this document

This document provides a step-by-step procedure to configure the KnowBe4 in SAFE. 

Introduction

SAFE seamlessly integrates with KnowBe4 KMSAT, and this integration allows SAFE to pull the Phishing results from KnowBe4 at pre-defined intervals, eliminating the need for manual data uploading. These phishing results act as signals for users that help get information about MITRE ATT&CK techniques which might be possible in relation to these users. You can configure KnowBe4 in SAFE via APIs from SAFE Hooks.

Prerequisites

To configure KnowBe4 in SAFE, you need the following details: 

1. Base URL (Refer to KnowBe4 documentation to get the Base URL)
2. API Key

Generate API Key

Follow the below step-by-step procedure to generate the KnowBe4 API Key:

1. Login to KnowBe4account as admin.
2. Go to the Account Settings.
3. Click the Account Integrations from the left menu.
4. Click the API option.
   
5. Mark the "Enable Reporting API Access" checkbox. 
6. The system generates an API Key. Save this API Key. You need to use this API Key while configuring the KnowBe4 in SAFE.
   

Configure KnowBe4

To configure the KnowBe4 in SAFE:

1. Navigate to SAFE Hooks.
2. Click the KnowBe4 card. The system opens theKnowBe4 configuration page.
3. Enter the Base URL and API Key.
4. Select a date in the "Ignore Campaign that completed before" field. Any Phishing Security Tests (PSTs) that have finished before this date will not be considered in the assessment process. Only the most recent phishing campaign results for a user are taken into account by SAFE. Therefore, there is no need to retrieve data from older campaigns.
5. Enter the Auto Sync Frequency in the number of days.
6. Enter the "Control Expiry Duration" in the number of days. This decides how long an assessment from Knowbe4 will stay valid for a user without any updates.
   For example, if it's set to 15 days, an assessment without updates for 15 days will be removed. The setting should match how often the organization runs phishing campaigns so that old results are not removed before new ones are available.
7. Click the Test Connection button to validate the connection details.
8. Once the connection is validated, click the Save button.
9. Once the configuration is saved, click on the SyncNow button to trigger the on-demand sync outside of the scheduled auto sync.

View Result

The following actions of a user in a phishing campaign run in KnowBe4 are mapped to a corresponding control in SAFE: 

• Clicked, QR Code Scanned - The user should not click the link sent in the phishing email during the phishing simulation campaign
• Data Entered - The user should not submit data using the link sent in the phishing email during the phishing simulation campaign.
• AttachmentOpened - The user should not download the attachment sent in the phishing email during the phishing simulation campaign.
• Replied - The user should not reply to the phishing email during the phishing simulation campaign.

To view the updated users and result:

1. Click the "See Updated Users" button available at the top-right of the History table.
   
2. You will be redirected to the filtered user list page that displays all the users updated by the particular integration in SAFE.
   Alternatively, you can navigate to People and filter the users list for signal source equals security.safe.knowbe4.
   
3. Click on any user from the list to view the control list.
4. Clicking a control, you will be redirected to the control details page.
5. Here you can see the MITRE ATT&CK mapping. 
6. The Observation tab displays the PST(Phishing Security Test) details.
   

History

Learn More about Integration History here.