KnowBe4

1. Overview

This document explains how to integrate KnowBe4 with a SIEM solution using the KnowBe4 REST API. This allows ingestion of phishing simulation logs for monitoring, alerting, and reporting.

2. Requirements

3. Generate API Token in KnowBe4

4. Configure SIEM to Pull Logs

Option A: SIEM with HTTP Polling Support
  1. Use built-in HTTP pull or script-based log ingestion

  2. Schedule API calls to poll the KnowBe4 endpoint

  3. Parse and map JSON fields

Option B: Use a Log Collector (e.g., Logstash)
  1. Set up an HTTP poller input with API headers

  2. Output parsed data to your SIEM (via syslog, Elastic, etc.)

5. Field Mapping (Common Fields)

Field         Description
user_email    Targeted user
clicked       User clicked link (true/false)
reported      User reported the email
test_status   Status of phishing test
event_time    Timestamp of action
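The following script is an added example for this document, not code from KnowBe4 or from any SIEM vendor. It carries out the three Option A steps (script-based HTTP pull, scheduled/paginated polling of the KnowBe4 endpoint, JSON parsing) and produces one JSON line per recipient using exactly the common fields in the table above. The base URL, endpoint path, pagination parameters and raw field names (user.email, delivered_at, opened_at, clicked_at, reported_at) are assumptions taken from KnowBe4's public API documentation and should be checked against your tenant; the sample response embedded at the bottom is constructed so the script can run offline.

```python
"""Poll the KnowBe4 REST API for phishing security test results and map
each recipient record onto the common SIEM fields from the Field Mapping
table (user_email, clicked, reported, test_status, event_time).

Added example for this document; it is not KnowBe4's or any SIEM vendor's
code. Assumptions (verify against KnowBe4's API documentation for your
tenant): base URL, endpoint path, pagination parameters and raw field
names (user.email, delivered_at, opened_at, clicked_at, reported_at).
"""
import json
import os
import urllib.request
from typing import Callable

# Assumption: US-region base URL; EU tenants use a different host.
BASE_URL = os.environ.get("KNOWBE4_BASE_URL", "https://us.api.knowbe4.com/v1")


def fetch_recipients_page(token: str, pst_id: int, page: int, per_page: int) -> list:
    """Pull one page of recipients for phishing security test `pst_id`.

    The path and the page/per_page query parameters are assumptions based
    on KnowBe4's public API docs. The token is the one generated in section 3
    and is sent as a Bearer header, never in the URL (so it stays out of logs).
    """
    url = (f"{BASE_URL}/phishing/security_tests/{pst_id}/recipients"
           f"?page={page}&per_page={per_page}")
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all(fetch_page: Callable[[int, int], list], per_page: int = 100) -> list:
    """Walk a paginated endpoint until a short or empty page is returned.

    `fetch_page(page, per_page)` returns one page; injecting it keeps this
    loop testable without network access.
    """
    records, page = [], 1
    while True:
        batch = fetch_page(page, per_page)
        if not batch:
            break
        records.extend(batch)
        if len(batch) < per_page:
            break
        page += 1
    return records


def map_recipient(rec: dict, test_status: str) -> dict:
    """Map one raw recipient record to the document's common fields.

    `clicked`/`reported` become booleans derived from the presence of the
    corresponding *_at timestamps; `event_time` is the latest action seen,
    so a record that was delivered, opened and clicked reports the click.
    Timestamps are compared as ISO-8601 strings, which orders correctly
    only while all of them share the same format.
    """
    user = rec.get("user") or {}
    clicked_at = rec.get("clicked_at")
    reported_at = rec.get("reported_at")
    stamps = [ts for ts in (rec.get("delivered_at"), rec.get("opened_at"),
                            clicked_at, reported_at) if ts]
    return {
        "user_email": user.get("email"),
        "clicked": clicked_at is not None,
        "reported": reported_at is not None,
        "test_status": test_status,
        "event_time": max(stamps) if stamps else None,
    }


def needs_alert(event: dict) -> bool:
    """Alerting rule for the SIEM: a click that the user did not also report."""
    return bool(event["clicked"]) and not event["reported"]


# Constructed sample response (not real tenant data) in the assumed raw shape.
SAMPLE_RECIPIENTS = [
    {"recipient_id": 1, "user": {"email": "alice@example.com"},
     "delivered_at": "2025-06-20T01:00:00.000Z", "opened_at": "2025-06-20T01:05:00.000Z",
     "clicked_at": "2025-06-20T01:06:30.000Z", "reported_at": None},
    {"recipient_id": 2, "user": {"email": "bob@example.com"},
     "delivered_at": "2025-06-20T01:00:00.000Z", "opened_at": None,
     "clicked_at": None, "reported_at": "2025-06-20T01:10:00.000Z"},
]


def main() -> None:
    token, pst_id = os.environ.get("KNOWBE4_TOKEN"), os.environ.get("KNOWBE4_PST_ID")
    if token and pst_id:
        raw = fetch_all(lambda p, n: fetch_recipients_page(token, int(pst_id), p, n))
    else:
        raw = SAMPLE_RECIPIENTS  # offline run on the constructed sample
    for rec in raw:
        # "Active" is a placeholder; take the real status from the test object.
        event = map_recipient(rec, test_status="Active")
        event["alert"] = needs_alert(event)
        print(json.dumps(event))  # one JSON line per event for the SIEM to ingest


if __name__ == "__main__":
    main()
```

Run it from the scheduler used in Option A step 2 with KNOWBE4_TOKEN and KNOWBE4_PST_ID set; without them it prints the mapped sample records. For Option B the same mapping logic belongs in the collector's filter stage, with the Bearer header supplied to the HTTP poller input.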

6. Validation Steps

Reference Link: https://docs.scytale.ai/knowbe4-user-guide


Revision #1
Created 20 June 2025 01:28:43 by Albert Alombro
Updated 20 June 2025 01:51:32 by Albert Alombro