KnowBe4
1. Overview
This document explains how to integrate KnowBe4 with a SIEM solution using the KnowBe4 REST API. This allows ingestion of phishing simulation logs for monitoring, alerting, and reporting.
2. Requirements
-
Admin access to KnowBe4
-
API access enabled on KnowBe4
-
API-capable SIEM (e.g., Elastic, Splunk, QRadar, etc.)
-
Internet access from the SIEM/log collector
3. Generate API Token in KnowBe4
- Go to KnowBe4 and navigate to 'Account Settings'.
- Under 'Account Integrations', select 'API'.
- Select 'Reporting API'.
- Select 'Create New API Token'.
- Enter a name for the API token, such as "ScytaleAPI." Then, select 'Create Token'.
- Copy the token for use in your integration.
Configure SIEM to Pull Logs
Option A: SIEM with HTTP Polling Support
-
Use built-in HTTP pull or script-based log ingestion
-
Schedule API calls to poll the KnowBe4 endpoint
-
Parse and map JSON fields
Option B: Use a Log Collector (e.g., Logstash)
-
Set up an HTTP poller input with API headers
-
Output parsed data to your SIEM (via syslog, Elastic, etc.)
Field Mapping (Common Fields)
|
Field |
Description |
|---|---|
| user_email | Targeted user |
| clicked | User clicked link (true/false) |
| reported | User reported the email |
| test_status | Status of phishing test |
| event_time | Timestamp of action |
Validation Steps
-
Run a test phishing campaign in KnowBe4
-
Check SIEM logs for new entries
-
Validate parsing of key fields
-
Create filters/dashboards to view data
Reference Link: https://docs.scytale.ai/knowbe4-user-guide