KnowBe4 v1.0.0 Plugin for Risk Exchange
This document explains how to configure the KnowBe4 v1.0.0 plugin for the Risk Exchange module of the Netskope Cloud Exchange platform. This plugin is used to fetch users from the PAB User Activity page of the KnowBe4 platform. The PAB User Activity page can be found at KnowBe4 platform > Account Settings > Account Integrations > Phish Alert > See PAB User Activity. The plugin does not support performing any actions on users in KnowBe4.
Netskope normalization score calculation for users: (1000 – (KnowBe4’s Current Risk Score) x 10).
Prerequisites
To complete this integration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances).
- A Netskope Cloud Exchange tenant with the Tenant plugin and Risk Exchange module already configured.
- A BASE URL and API Token for KnowBe4.
- Connectivity to the following host: https://*.api.knowbe4.com.
CE Version Compatibility
Netskope CE v5.1.0
KnowBe4 Plugin Support
KnowBe4 supports fetching users from the PAB User Activity page of the KnowBe4 platform. The PAB User Activity page can be found at KnowBe4 platform > Account Settings > Account Integrations > Phish Alert > See PAB User Activity. The plugin does not support performing any actions on users in KnowBe4.
Type of data pulled | Users |
Actions | No actions |
Mappings
Mappings are used to view the pulled users and their respective details. Mapped fields during plugin configuration will be visible on the Records page once the data is pulled. Below is the suggested mapping that should be used while configuring the plugin.
Pull Mapping for Users
Plugin Field | Expected Datatype | Suggested Field Name | Suggested Field Action |
---|---|---|---|
User ID | Number | User ID | Unique |
First Name | String | First Name | Overwrite |
Last Name | String | Last Name | Overwrite |
User Email | String | User Email | Overwrite |
User status | String | User status | Overwrite |
User Current Risk Score | Number | User Current Risk Score | Overwrite |
Netskope Normalized Risk Score | Number | Netskope Normalized Risk Score | Overwrite |
Normalized Score Calculation
The expected score type on KnowBe4 is in the range 0 to 1000. Netskope normalization score calculation for users: (1000 – (KnowBe4’s Current Risk Score) x 10).
Note that the plugin skips the Netskope normalization score calculation when the Risk Score value is 0, 100, or a string.
Permissions
Ensure that the user who creates the token has the necessary permissions to create an API token.
API Details
List of APIs Used
API Endpoint | Method | Use Case |
---|---|---|
v1/users | GET | Fetch Users |
Fetch Users
API Endpoint: <Base URL>/v1/users
Method: GET
Headers
Key | Value |
---|---|
Authorization | Bearer <API Token> |
Params
Key | Value |
---|---|
page | 1 |
per_page | 500 |
Sample API Response
[
  {
    "id": 3460988,
    "employee_number": null,
    "first_name": "user",
    "last_name": "name",
    "job_title": null,
    "email": "user.name@test.com",
    "phish_prone_percentage": 50.0,
    "phone_number": "",
    "extension": "",
    "mobile_phone_number": "",
    "location": null,
    "division": null,
    "manager_name": null,
    "manager_email": null,
    "provisioning_managed": true,
    "provisioning_guid": null,
    "groups": [],
    "current_risk_score": 32.8,
    "aliases": [
      "user.name@test.com"
    ],
    "joined_on": "2024-06-19T18:15:58.000Z",
    "last_sign_in": "2024-10-22T12:03:55.000Z",
    "status": "active",
    "organization": null,
    "department": null,
    "language": null,
    "comment": null,
    "employee_start_date": null,
    "archived_at": null,
    "custom_field_1": null,
    "custom_field_2": null,
    "custom_field_3": null,
    "custom_field_4": null,
    "custom_date_1": null,
    "custom_date_2": null
  }
]
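The Fetch Users call and the normalization rule above, combined in an added Python example (not the plugin's own code): it builds the paginated `v1/users` request with the Bearer token, refuses any Base URL outside `https://*.api.knowbe4.com` so the token is never sent elsewhere, and applies the score formula with its skip cases. The function names, the stop-on-short-page rule, the handling of null scores and the sample records are assumptions made for the example.

```python
import json
import urllib.request
from urllib.parse import urlencode, urlsplit

PER_PAGE = 500  # page size from the Params table

def build_request(base_url, token, page):
    """GET <Base URL>/v1/users; refuse hosts outside https://*.api.knowbe4.com."""
    parts = urlsplit(base_url)
    host = parts.hostname or ""
    if parts.scheme != "https" or not host.endswith(".api.knowbe4.com"):
        raise ValueError(f"refusing to send API token to {base_url!r}")
    query = urlencode({"page": page, "per_page": PER_PAGE})
    return urllib.request.Request(f"https://{host}/v1/users?{query}",
                                  headers={"Authorization": f"Bearer {token}"})

def http_get_page(base_url, token, page):
    """One live call; not exercised by the constructed sample below."""
    with urllib.request.urlopen(build_request(base_url, token, page), timeout=30) as r:
        return json.load(r)

def normalize(score):
    """1000 - (current_risk_score x 10), or None where the calculation is skipped."""
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return None  # strings are skipped; null/bool skipped as an assumption
    if score in (0, 100):
        return None  # documented skip values
    return 1000 - score * 10

def pull_users(get_page):
    """Request page 1, 2, ... until a short page (stop rule is an assumption)."""
    records, page = [], 1
    while True:
        batch = get_page(page)
        for u in batch:
            score = u.get("current_risk_score")
            records.append({"User ID": u["id"], "User Email": u["email"],
                            "User Current Risk Score": score,
                            "Netskope Normalized Risk Score": normalize(score)})
        if len(batch) < PER_PAGE:
            return records
        page += 1

# Constructed sample page shaped like the Sample API Response (trimmed fields).
SAMPLE = [{"id": 3460988, "email": "user.name@test.com", "current_risk_score": 32.8},
          {"id": 1, "email": "a@test.com", "current_risk_score": 0},
          {"id": 2, "email": "b@test.com", "current_risk_score": "n/a"}]
RECORDS = pull_users(lambda page: SAMPLE if page == 1 else [])
```

For a live pull, pass `lambda p: http_get_page(base_url, token, p)` to `pull_users`.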
Performance Matrix
Here are the performance readings taken on a Large CE Stack with the VM specifications below, pulling 500K User records from the KnowBe4 plugin.
Stack details | Size: Large, RAM: 32 GB, CPU: 16 Cores |
Time taken to store the pulled User records with the Risk Scores | ~ 16 mins |
User Agent
netskope-ce-5.1.0-cre-knowbe4-v1.0.0
Workflow
- Create API token on KnowBe4.
- Configure the KnowBe4 plugin.
- Add a Risk Exchange Business Rule for KnowBe4.
- Add a Risk Exchange Action for KnowBe4.
- Validate the KnowBe4 plugin.
Create an API Token on KnowBe4
- Log in to your KnowBe4 platform.
- Go to Account Settings.
- Go to Account Integration > API and click Reporting API.
- Click Create New API Token.
- Enter a name for the token and click Create Token.
- Copy the Token and save it because it is used to configure the KnowBe4 plugin.
- Press OK.
Configure the KnowBe4 Plugin
- In Cloud Exchange, go to Settings > Plugins. Search for and select the KnowBe4 v1.0.0 (CRE) plugin box.
- Enter the Basic Information:
- Configuration Name: Enter a name for the configuration.
- Sync Interval: Interval to fetch data from this plugin source.
- Click Next. Enter the Configuration Parameters:
- Base URL: The Base URL of KnowBe4 instance, like https://ca.api.knowbe4.com.
- API Token: The API Token generated previously.
- Click Next. Select the Entity from the Entity dropdown. The Entity fields can be created from the Schema editor page or using the + Add Field option from the field dropdown. Provide the field mapping. For the suggested mapping, refer to the Mappings section.
- Click Save.
Add a Risk Exchange Business Rule for KnowBe4
Use a Business Rule to filter out the Users. Follow the steps below to configure a business rule.
- In Risk Exchange, go to Business Rules and click Create New Rule.
- Enter a Business Rule name, Entity, and provide the filter as per your requirement to perform Actions.
- Click Save.
Add a Risk Exchange Action for KnowBe4
KnowBe4 only supports the No Action action.
No Action
This action will not perform any kind of action. You can use this action to generate the UBA alerts in the Ticket Orchestrator module.
- In Risk Exchange, go to Actions and click Add Action Configuration.
- Select a Business Rule, plugin Configuration, and Action (No action).
- Click Save.
Note that Generate Alert must be enabled while creating this Action to generate alerts in Ticket Orchestrator > Alerts (the Ticket Orchestrator module must be enabled).
You can perform the Update UCI Score on the Users pulled from KnowBe4 on the Netskope tenant.
Validate the KnowBe4 Plugin
Validation on Cloud Exchange
To validate the User records pulled from KnowBe4, go to Logging and search for logs pulled from the KnowBe4 plugin.
Example: message Like “[CRE KnowBe4]”
To check the pulled data, go to Records, select the type of Entity you used while configuring the KnowBe4 plugin. Check the pulled records.
For a User Risk Score of ‘0’, the UI will display ‘-’, and for a User Risk Score of ‘100’, the Netskope Normalized Risk Score in the UI will also display ‘-’.
Check for the logs in Logging for the KnowBe4 plugin for the actions performed.
If the Require Approval toggle is enabled while configuring the action, make sure to provide the approval from the Action Log page by selecting the pending approval entries, and selecting the Approval toggle.
Validate on KnowBe4
Users are pulled from Account Settings > Account Integrations > Phish Alert > See PAB User Activity in KnowBe4.
To validate the Users, go to Account Settings > Account Integrations > Phish Alert > See PAB User Activity.
Troubleshooting the KnowBe4 Plugin
Receiving error in the plugin workflow
CRE KnowBe4 [CRE KnowBe4]: Validation error occurred, Received exit code 401, Unauthorized, Verify Base URL and API Token provided in the configuration parameters.
What to do:
- Verify the API Token for KnowBe4; for reference, see Configure the KnowBe4 Plugin.
- Verify the Base URL for the KnowBe4 platform; see Connectivity to the following host in the Prerequisites.
Users are not pulled from KnowBe4
If no data for the User is pulled, it might be due to either:
- No User is available on the platform to pull.
- Mapping is not added in the plugin.
What to do:
- Go to KnowBe4 and check if the Users are available to pull from the Account Settings > Account Integrations > Phish Alert > See PAB User Activity page.
- Edit the plugin configuration and check the Entity Source page. Some fields must be mapped in order to pull the data.