# KnowBe4

#### <span style="color: rgb(53, 152, 219);">**1. Overview**</span>

This document explains how to integrate **KnowBe4** with a **SIEM** solution using the KnowBe4 REST API. This allows ingestion of phishing simulation logs for monitoring, alerting, and reporting.

#### <span style="color: rgb(53, 152, 219);"> **2. Requirements**</span>

- Admin access to KnowBe4
- API access enabled on KnowBe4
- API-capable SIEM (e.g., Elastic, Splunk, QRadar, etc.)
- Internet access from the SIEM/log collector

##### <span style="color: rgb(53, 152, 219);">**3. Generate API Token in KnowBe4**</span>

- <span style="color: rgb(0, 0, 0);">Go to KnowBe4 and navigate to '**Account Settings**'.</span>

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/LI4eDNX25XOWSs6M-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/LI4eDNX25XOWSs6M-image.png)

- Under **'Account Integrations'**, select **'API'.**

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/FEyXEdFliEheqSBT-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/FEyXEdFliEheqSBT-image.png)

- Select **'Reporting API'.**

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/Y0CwQJ3sN3GQt3tk-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/Y0CwQJ3sN3GQt3tk-image.png)

- Select **'Create New API Token'.**

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/HXOEmcyAjhPfXV3c-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/HXOEmcyAjhPfXV3c-image.png)

- Enter a name for the API token, such as "ScytaleAPI." Then, select **'Create Token'.**

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/vodcZZ4jTRTUm7zo-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/vodcZZ4jTRTUm7zo-image.png)

- Copy the token for use in your integration.

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/qnsKibT5lEAiyfBa-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/qnsKibT5lEAiyfBa-image.png)

#### <span style="color: rgb(53, 152, 219);">**Configure SIEM to Pull Logs**</span>

##### **Option A: SIEM with HTTP Polling Support**

1. Use built-in HTTP pull or script-based log ingestion
2. Schedule API calls to poll the KnowBe4 endpoint
3. Parse and map JSON fields

##### **Option B: Use a Log Collector (e.g., Logstash)**

1. Set up an HTTP poller input with API headers
2. Output parsed data to your SIEM (via syslog, Elastic, etc.)

##### **Field Mapping (Common Fields)**

<div class="_tableContainer_16hzy_1" id="bkmrk-field-description-us"><div class="_tableWrapper_16hzy_14 group flex w-fit flex-col-reverse" tabindex="-1"><table border="1" class="w-fit min-w-(--thread-content-width)" data-end="1843" data-start="1465" style="border-collapse: collapse; border-width: 2px;"><thead data-end="1519" data-start="1465"><tr data-end="1519" data-start="1465"><th data-col-size="sm" data-end="1485" data-start="1465" style="border-width: 2px;"><p class="callout info">Field</p>

</th><th data-col-size="sm" data-end="1519" data-start="1485" style="border-width: 2px;"><p class="callout info">Description</p>

</th></tr></thead><tbody data-end="1843" data-start="1574"><tr data-end="1627" data-start="1574"><td data-col-size="sm" data-end="1593" data-start="1574" style="border-width: 2px;">user\_email</td><td data-col-size="sm" data-end="1627" data-start="1593" style="border-width: 2px;">Targeted user</td></tr><tr data-end="1681" data-start="1628"><td data-col-size="sm" data-end="1647" data-start="1628" style="border-width: 2px;">clicked</td><td data-col-size="sm" data-end="1681" data-start="1647" style="border-width: 2px;">User clicked link (true/false)</td></tr><tr data-end="1735" data-start="1682"><td data-col-size="sm" data-end="1701" data-start="1682" style="border-width: 2px;">reported</td><td data-col-size="sm" data-end="1735" data-start="1701" style="border-width: 2px;">User reported the email</td></tr><tr data-end="1789" data-start="1736"><td data-col-size="sm" data-end="1755" data-start="1736" style="border-width: 2px;">test\_status</td><td data-col-size="sm" data-end="1789" data-start="1755" style="border-width: 2px;">Status of phishing test</td></tr><tr data-end="1843" data-start="1790"><td data-col-size="sm" data-end="1809" data-start="1790" style="border-width: 2px;">event\_time</td><td data-col-size="sm" data-end="1843" data-start="1809" style="border-width: 2px;">Timestamp of action</td></tr></tbody></table>

</div></div>####  

#### <span style="color: rgb(53, 152, 219);">**Validation Steps**</span>

- Run a test phishing campaign in KnowBe4
- Check SIEM logs for new entries
- Validate parsing of key fields
- Create filters/dashboards to view data

**Reference Link: [https://docs.scytale.ai/knowbe4-user-guide](https://docs.scytale.ai/knowbe4-user-guide "Knowbe4")**