KnowBe4 v1.0.0 Plugin for Risk Exchange

This document explains how to configure the KnowBe4 v1.0.0 plugin for the Risk Exchange module of the Netskope Cloud Exchange platform. This plugin is used to fetch users from the PAB User Activity page of the KnowBe4 platform. The PAB User Activity page can be found at KnowBe4 platform > Account Settings > Account Integrations > Phish Alert > See PAB User Activity. The plugin does not support performing any actions on users in KnowBe4.

Netskope normalization score calculation for users: 1000 - (KnowBe4's Current Risk Score x 10).

Prerequisites

To complete this integration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances).
  • A Netskope Cloud Exchange tenant with the Tenant plugin and Risk Exchange module already configured.
  • A BASE URL and API Token for KnowBe4.
  • Connectivity to the following host: https://*.api.knowbe4.com.

CE Version Compatibility

Netskope CE v5.1.0

KnowBe4 Plugin Support

KnowBe4 supports fetching users from the PAB User Activity page of the KnowBe4 platform. The PAB User Activity page can be found at KnowBe4 platform > Account Settings > Account Integrations > Phish Alert > See PAB User Activity. The plugin does not support performing any actions on users in KnowBe4.

Type of data pulled

Users

Actions

No actions

Mappings

Mappings are used to view the pulled users and their respective details. Mapped fields during plugin configuration will be visible on the Records page once the data is pulled. Below is the suggested mapping that should be used while configuring the plugin.

Pull Mapping for Users

Plugin Field | Expected Datatype | Suggested Field Name | Suggested Field Action
User ID | Number | User ID | Unique
First Name | String | First Name | Overwrite
Last Name | String | Last Name | Overwrite
User Email | String | User Email | Overwrite
User status | String | User status | Overwrite
User Current Risk Score | Number | User Current Risk Score | Overwrite
Netskope Normalized Risk Score | Number | Netskope Normalized Risk Score | Overwrite

Normalized Score Calculation

The expected score type on KnowBe4 is in the range 0 to 1000. Netskope normalization score calculation for users: 1000 - (KnowBe4's Current Risk Score x 10).
Note that the plugin skips the calculation of the Netskope normalization score when the Risk Score value is 0, 100, or a string.

Permissions

Ensure that the user who creates the token has the necessary permissions to create an API token.

API Details

List of APIs Used

API Endpoint | Method | Use Case
v1/users | GET | Fetch Users

Fetch Users

API Endpoint: <Base URL>/v1/users
Method: GET

Headers

Key | Value
Authorization | Bearer <API Token>

Params

Key | Value
page | 1
per_page | 500

Sample API Response

[
    {
        "id": 3460988,
        "employee_number": null,
        "first_name": "user",
        "last_name": "name",
        "job_title": null,
        "email": "user.name@test.com",
        "phish_prone_percentage": 50.0,
        "phone_number": "",
        "extension": "",
        "mobile_phone_number": "",
        "location": null,
        "division": null,
        "manager_name": null,
        "manager_email": null,
        "provisioning_managed": true,
        "provisioning_guid": null,
        "groups": [],
        "current_risk_score": 32.8,
        "aliases": [
             "user.name@test.com"
        ],
        "joined_on": "2024-06-19T18:15:58.000Z",
        "last_sign_in": "2024-10-22T12:03:55.000Z",
        "status": "active",
        "organization": null,
        "department": null,
        "language": null,
        "comment": null,
        "employee_start_date": null,
        "archived_at": null,
        "custom_field_1": null,
        "custom_field_2": null,
        "custom_field_3": null,
        "custom_field_4": null,
        "custom_date_1": null,
        "custom_date_2": null
    }
]
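
The Fetch Users call and the normalized score calculation described above, combined in an added Python example that is not the plugin's own code. The function names, the stop-on-empty-page rule, and the treatment of a null score as skipped are assumptions, and the sample pages are constructed.

```python
import json
import urllib.parse
import urllib.request

def normalize(score):
    """1000 - (score x 10); None where the page says the calculation is skipped."""
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return None  # strings are skipped; treating null the same is an assumption
    if score in (0, 100):
        return None  # the Records UI shows '-' for these
    return 1000 - score * 10

def to_record(user):
    """Map one v1/users object onto the suggested pull-mapping field names."""
    score = user.get("current_risk_score")
    return {
        "User ID": user["id"],
        "First Name": user.get("first_name"),
        "Last Name": user.get("last_name"),
        "User Email": user.get("email"),
        "User status": user.get("status"),
        "User Current Risk Score": score,
        "Netskope Normalized Risk Score": normalize(score),
    }

def http_fetch_page(base_url, token):
    """Return a fetcher for GET <Base URL>/v1/users with the Bearer header."""
    def fetch(page, per_page):
        query = urllib.parse.urlencode({"page": page, "per_page": per_page})
        req = urllib.request.Request(f"{base_url.rstrip('/')}/v1/users?{query}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def pull_users(fetch_page, per_page=500):
    """Request pages from 1 upward until one comes back empty (assumed stop rule)."""
    records, page = [], 1
    while batch := fetch_page(page, per_page):
        records.extend(to_record(u) for u in batch)
        page += 1
    return records

# Constructed sample pages in the shape of the sample response (fields trimmed).
SAMPLE_PAGES = {
    1: [{"id": 3460988, "email": "user.name@test.com", "current_risk_score": 32.8}],
    2: [{"id": 2, "current_risk_score": 0}, {"id": 3, "current_risk_score": "N/A"}],
}
def sample_fetch(page, per_page):
    return SAMPLE_PAGES.get(page, [])
```

Against a live tenant, pass http_fetch_page(base_url, token) to pull_users instead of sample_fetch, and read the token from an environment variable or secret store rather than embedding it in the script.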

Performance Matrix

The following performance readings were taken on a Large CE Stack with these VM specifications while pulling 500K User records with the KnowBe4 plugin.

Stack details | Size: Large; RAM: 32 GB; CPU: 16 Cores
Time taken to store the pulled User records with the Risk Scores | ~ 16 mins

User Agent

netskope-ce-5.1.0-cre-knowbe4-v1.0.0

Workflow

  1. Create API token on KnowBe4.
  2. Configure the KnowBe4 plugin.
  3. Add a Risk Exchange Business Rule for KnowBe4.
  4. Add a Risk Exchange Action for KnowBe4.
  5. Validate the KnowBe4 plugin.

Create an API Token on KnowBe4

  1. Log in to your KnowBe4 platform.
  2. Go to Account Settings.
  3. Go to Account Integration > API and click Reporting API.
  4. Click Create New API Token.
  5. Enter a name for the token and click Create Token.
  6. Copy the Token and save it because it is used to configure the KnowBe4 plugin.
  7. Press OK.

Configure the KnowBe4 Plugin

  1. In Cloud Exchange, go to Settings > Plugins. Search for and select the KnowBe4 v1.0.0 (CRE) plugin box.
  2. Enter the Basic Information:
    • Configuration Name: Enter a name for the configuration.
    • Sync Interval: Interval to fetch data from this plugin source.

  3. Click Next. Enter the Configuration Parameters:
    • Base URL: The Base URL of KnowBe4 instance, like https://ca.api.knowbe4.com.
    • API Token: The API Token generated previously.

  4. Click Next. Select the Entity from the Entity dropdown.
    The Entity fields can be created from the Schema editor page or using the + Add Field option from the field dropdown.
    Provide the field mapping. For the suggested mapping, refer to the Mappings section.
  5. Click Save.

Add a Risk Exchange Business Rule for KnowBe4

Use a Business Rule to filter out the Users. Follow the steps below to configure a business rule.

  1. In Risk Exchange, go to Business Rules and click Create New Rule.
  2. Enter a Business Rule name, Entity, and provide the filter as per your requirement to perform Actions.
  3. Click Save.

Add a Risk Exchange Action for KnowBe4

KnowBe4 only supports the No Action action.

No Action

This action will not perform any kind of action. You can use this action to generate the UBA alerts in the Ticket Orchestrator module.

  1. In Risk Exchange, go to Actions and click Add Action Configuration.
  2. Select a Business Rule, plugin Configuration, and Action (No action).
  3. Click Save.
    Note that Generate Alert must be enabled while creating this Action to generate alerts in Ticket Orchestrator > Alerts (the Ticket Orchestrator module must be enabled).

You can perform the Update UCI Score on the Users pulled from KnowBe4 on the Netskope tenant.

Validate the KnowBe4 Plugin

Validation on Cloud Exchange

To validate the User records pulled from KnowBe4, go to Logging and search for logs pulled from the KnowBe4 plugin.
Example: message Like “[CRE KnowBe4]”

To check the pulled data, go to Records, select the type of Entity you used while configuring the KnowBe4 plugin. Check the pulled records.

For a User Risk Score of '0', the UI will display '-', and for a User Risk Score of '100', the Netskope Normalized Risk Score in the UI will also display '-'.
Check for the logs in Logging for the KnowBe4 plugin for the actions performed.

If the Require Approval toggle is enabled while configuring the action, make sure to provide the approval from the Action Log page by selecting the pending approval entries, and selecting the Approval toggle.

Validate on KnowBe4

Users are pulled from Account Settings > Account Integrations > Phish Alert > See PAB User Activity in KnowBe4.
To validate the Users, go to Account Settings > Account Integrations > Phish Alert > See PAB User Activity.

Troubleshooting the KnowBe4 Plugin

Receiving error in the plugin workflow
CRE KnowBe4 [CRE KnowBe4]: Validation error occurred, Received exit code 401, Unauthorized, Verify Base URL and API Token provided in the configuration parameters.

What to do:

  1. Verify the API Token for KnowBe4. For reference, see Configure the KnowBe4 Plugin.
  2. Verify the Base URL for the KnowBe4 platform. See "Connectivity to the following host" in the Prerequisites.

Users are not pulled from KnowBe4

If no data for the User is pulled, it might be due to either:

  • No User is available on the platform to pull.
  • Mapping is not added in the plugin.

What to do:

  1. Go to KnowBe4 and check if the Users are available to pull from the Account Settings > Account Integrations > Phish Alert > See PAB User Activity page.
  2. Edit the plugin configuration and check the Entity Source page. There should be some fields mapped in order to pull the same.