KnowBe4

The KnowBe4 App for Sumo Logic allows you to easily integrate data from KnowBe4, a security awareness training and simulated phishing platform, into your Sumo Logic account. This App provides an overview of your organization's phishing security testing performance. It includes metrics on the total number of tests, active tests, recipient users, failed recipient users, and distribution of status.

The distribution of Phishing Security Tests by difficulty and long-running Phishing Security Tests panels offer insights into the difficulty level of the phishing tests and identify tests that have been running for an extended period. The app's Phish Prone Percentage dashboard panel helps you understand the percentage of users who are at higher risk of falling for a phishing attack.

The Geo Location of Failed Users dashboard panel provides geographic insights into where failed users are located. The Phishing Security Tests Summary and Phish Failures Summary dashboard panels provide high-level summaries of the organization's testing performance. Finally, the Top Failed Users panel identifies users who have failed multiple tests and may require additional training.

Log types

The Sumo Logic App for KnowBe4 consumes Phishing Security logs. Refer to the KnowBe4 Phishing Security Tests and Recipient Results documentation.

Sample log messages

Sample Phishing Security Tests Log

{
  "campaign_id": 1892087,
  "pst_id": 8805725,
  "status": "Closed",
  "name": "Mar2023_NA_SUMOs",
  "groups": [
    {
      "group_id": 3552357,
      "name": "Monthly Campaign - NA"
    }
  ],
  "phish_prone_percentage": 0.277,
  "started_at": "2023-03-06T17:13:27.000Z",
  "duration": 7,
  "categories": [
    {
      "category_id": 5013,
      "name": "My Templates"
    }
  ],
  "template": {
    "id": 4813400,
    "name": "Google Calendar",
    "difficulty": 5,
    "type": "USER"
  },
  "landing_page": {
    "id": 183506,
    "name": "Sumo Landing Page"
  },
  "scheduled_count": 625,
  "delivered_count": 625,
  "opened_count": 328,
  "clicked_count": 171,
  "replied_count": 2,
  "attachment_open_count": 0,
  "macro_enabled_count": 0,
  "data_entered_count": 0,
  "qr_code_scanned_count": 0,
  "reported_count": 0,
  "bounced_count": 0
}

Sample Recipient Results Log

{
  "recipient_id": 1498372653,
  "pst_id": 8805725,
  "user": {
    "id": 81394383,
    "provisioning_guid": "usr-63f633eb290af6f38a075108",
    "first_name": "Beata",
    "last_name": "Franzone",
    "email": "bfranzone@sumologic.com"
  },
  "template": {
    "id": 4813400,
    "name": "Google Calendar",
    "difficulty": 5,
    "type": "USER"
  },
  "scheduled_at": "2023-03-06T17:14:33.000Z",
  "delivered_at": "2023-03-06T17:15:04.000Z",
  "opened_at": "2023-03-06T20:35:41.000Z",
  "clicked_at": "2023-03-06T20:35:41.000Z",
  "replied_at": null,
  "attachment_opened_at": null,
  "macro_enabled_at": null,
  "data_entered_at": null,
  "qr_code_scanned": null,
  "reported_at": null,
  "bounced_at": null,
  "ip": "68.55.88.203",
  "ip_location": "Rochester Hills, MI",
  "browser": "Chrome",
  "browser_version": "110",
  "os": "mac"
}

Sample queries

Total Phishing Security Tests

_sourceCategory="knowbe4nfr" campaign_id
| json "campaign_id", "pst_id", "status", "name", "phish_prone_percentage", "started_at", "duration", "template.name", "template.difficulty", "scheduled_count", "delivered_count", "opened_count", "clicked_count", "replied_count", "attachment_open_count", "macro_enabled_count", "data_entered_count", "qr_code_scanned_count", "reported_count", "bounced_count" as campaign_id, pst_id, status, name, phish_prone_percentage, started_at, duration, template_name, template_difficulty, scheduled_count, delivered_count, opened_count, clicked_count, replied_count, attachment_open_count, macro_enabled_count, data_entered_count, qr_code_scanned_count, reported_count, bounced_count nodrop
| first(status) as status group by pst_id, name
| where status matches "{{status}}"
| count_distinct(pst_id)

Total Recipient User

_sourceCategory="knowbe4nfr" recipient_id
| json "recipient_id", "pst_id", "user.first_name", "user.last_name", "user.email", "scheduled_at", "delivered_at", "opened_at", "clicked_at", "replied_at", "attachment_opened_at", "macro_enabled_at", "data_entered_at", "qr_code_scanned", "reported_at", "bounced_at", "ip", "ip_location", "browser", "browser_version", "os" as recipient_id, pst_id, first_name, last_name,
email, scheduled_at, delivered_at, opened_at, clicked_at, replied_at, attachment_opened_at, macro_enabled_at, data_entered_at, qr_code_scanned, reported_at, bounced_at, ip, ip_location, browser, browser_version, os nodrop
| where ip_location matches "{{user_location}}"
| count_distinct(recipient_id)

Collection configuration and app installation

Depending on the set up collection method, you can configure and install the app in three ways:

• Create a new collector and install the app. Create a new Sumo Logic Cloud-to-Cloud (C2C) source under a new Sumo Logic Collector and later install the app; Or
• Use an existing collector and install the app. Create a new Sumo Logic Cloud-to-Cloud (C2C) source under an existing Sumo Logic Collector and later install the app; Or
• Use existing source and install the app. Use your existing configured Sumo Logic Cloud-to-Cloud (C2C) source and install the app.

info

Use the Cloud-to-Cloud Integration for KnowBe4 to create the source and use the same source category while installing the app. By following these steps, you can ensure that your KnowBe4 app is properly integrated and configured to collect and analyze your KnowBe4 data.

Create a new collector and install the app

To set up collection and install the app, do the following:

1. Select App Catalog.
2. In the 🔎 Search Apps field, run a search for your desired app, then select it.
3. Click Install App.
   note

   Sometimes this button says Add Integration.

4. In the Set Up Collection section of your respective app, select Create a new Collector.
   1. Collector Name. Enter a Name to display for the Source in the Sumo Logic web application. The description is optional.
   2. Timezone. Set the default time zone when it is not extracted from the log timestamp. Time zone settings on Sources override a Collector time zone setting.
   3. (Optional) Metadata. Click the +Add Metadata link to add custom log Metadata Fields. Define the fields you want to associate, each metadata field needs a name (key) and value.
      • A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema.
      • An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled, in the Fields table schema. In this case, an option to automatically add or enable the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema or is disabled it is ignored, known as dropped.
   4. Click Next.
5. Use the new Cloud-to-Cloud Integration to configure the source.
6. In the Configure section of your respective app, complete the following fields.
   1. Key. Select either of these options for the data source.
      • Choose Source Category and select a source category from the list for Default Value.
      • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
7. Click Next. You will be redirected to the Preview & Done section.

Post-installation

Once your app is installed, it will appear in your Installed Apps folder, and dashboard panels will start to fill automatically.

Each panel slowly fills with data matching the time range query and received since the panel was created. Results will not immediately be available, but will update with full graphs and charts over time.

Use an existing collector and install the app

To setup source in the existing collector and install the app, do the following:

1. Select App Catalog.
2. In the 🔎 Search Apps field, run a search for your desired app, then select it.
3. Click Install App.
   note

   Sometimes this button says Add Integration.

4. In the Set Up Collection section of your respective app, select Use an existing Collector.
5. From the Select Collector dropdown, select the collector that you want to setup your source with and click Next.
6. Use the new Cloud-to-Cloud Integration to configure the source.
7. In the Configure section of your respective app, complete the following fields.
   1. Key. Select either of these options for the data source.
      • Choose Source Category and select a source category from the list for Default Value.
      • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
8. Click Next. You will be redirected to the Preview & Done section.

Post-installation

Once your app is installed, it will appear in your Installed Apps folder, and dashboard panels will start to fill automatically.

Each panel slowly fills with data matching the time range query and received since the panel was created. Results will not immediately be available, but will update with full graphs and charts over time.

Use an existing source and install the app

To skip collection and only install the app, do the following:

1. Select App Catalog.
2. In the 🔎 Search Apps field, run a search for your desired app, then select it.
3. Click Install App.
   note

   Sometimes this button says Add Integration.

4. In the Set Up Collection section of your respective app, select Skip this step and use existing source and click Next.
5. In the Configure section of your respective app, complete the following fields.
   1. Key. Select either of these options for the data source.
      • Choose Source Category and select a source category from the list for Default Value.
      • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
6. Click Next. You will be redirected to the Preview & Done section.

Post-installation

Once your app is installed, it will appear in your Installed Apps folder, and dashboard panels will start to fill automatically.

Each panel slowly fills with data matching the time range query and received since the panel was created. Results will not immediately be available, but will update with full graphs and charts over time.

Viewing the KnowBe4 Dashboards​

All dashboards have a set of filters that you can apply to the entire dashboard, as shown in the following example. Click the funnel icon in the top dashboard menu bar to display a scrollable list of filters that are applied across the entire dashboard.

You can use filters to drill down and examine the data on a granular level.

Each panel has a set of filters that are applied to the results for that panel only, as shown in the following example. Click the funnel icon in the top panel menu bar to display a list of panel-specific filters.

Overview

The KnowBe4 - Overview dashboard provides an overview of phishing security tests. It provides insights into the test results, including the total number of tests, active tests, and recipient users. Additionally, the dashboard displays the distribution of test status, the level of difficulty of the tests, and the phish-prone percentage. The dashboard also includes a summary of the phishing security tests and failures, as well as the top failed users and their geo-locations. These insights can help organizations identify areas that require further attention and improve their overall security posture against phishing attacks.