The KnowBe4 API integration collects user events data into Sumo Logic for storage, analysis, and alerting. It ingests events data from the Events API, phishing security tests from the Phishing Security Tests API, and recipient results from the Recipient Results API.
Before you begin setting up your KnowBe4 Source, which is required to connect to the KnowBe4 API, you'll need to configure your integration with the Region and KnowBe4 API Token.
KnowBe4 APIs are only limited to Platinum and Diamond customers.
The Region is the region where your KnowBe4 account is located. To know your region, follow the steps below:
- Sign in to the KnowBe4 application.
- At the top of the browser, you will see the Region inside the address bar.
- Choose the Region from the dropdown based on the location of your KnowBe4 account. The following are the supported regions:
The API security token is used to authenticate with KnowBe4 API. To get the KnowBe4 API token, follow the steps below:
- Sign in to the KnowBe4 application as an Admin user.
- Navigate to the Account Settings.
- Click Account Integrations from the left menu, and then click API option.
- Under the API section, checkmark the Enable Reporting API Access. The KnowBe4 Secure API token is displayed.
- Save this API key to use while configuring the Source.
- Click Save Changes.
If the Source is configured with the SIEM forward option, the metadata field
_siemparser will be set to /Parsers/System/KnowBe4/KnowBe4 KMSAT.
_siemparser is currently available only for the External Events source.
The KnowBe4 integration fetches two types of data sources for the KnowBe4 account.
- Phishing Tests. Our integration fetches a list of all recipients for each phishing security test on the KnowBe4 account.note
C2C will skip the record if
started_atdata is not in the format of
- External Events. Our integration uses KnowBe4's User Event API to collect security-related events or training activities from external sources.
A KnowBe4 API integration Source is an integrated Security Awareness Training and Simulated Phishing platform that helps to train users to understand the dangers of spam, phishing, spear phishing, malware, ransomware, and social engineering through simulated phishing and security awareness training.
When a KnowBe4 API Source is created, it goes through the following states:
- Pending. Once the Source is submitted, it is validated, stored, and placed in a Pending state.
- Started. A collection task is created on the Hosted Collector.
- Initialized. The task configuration is completed in Sumo Logic.
- Authenticated. The Source is successfully authenticated with KnowBe4.
- Collecting. The Source is actively collecting data from KnowBe4.
If the Source has any issues during any one of these states, it is placed in an Error state.
When you delete the Source, it is placed in a Stopping state. When it has successfully stopped, it is deleted from your Hosted Collector.
Hover your mouse over the status icon to view a tooltip with a count of the detected errors and warnings.
Set up KnowBe4 Source
When you create a KnowBe4 API Source, you add it to a Hosted Collector. Before creating the Source, identify the Hosted Collector you want to use or create a new Hosted Collector. For instructions, see Configure a Hosted Collector.
To configure the KnowBe4 API Source:
- In Sumo Logic, select Manage Data > Collection > Collection.
- On the Collectors page, click Add Source next to a Hosted Collector.
- Select KnowBe4 icon.
- Enter a Name to display for the Source in the Sumo Logic web application. The description is optional.
- (Optional) For Source Category, enter any string to tag the output collected from the Source. Category metadata is stored in a searchable field called
- (Optional) Fields. Click the +Add Field link to define the fields you want to associate. Each field needs a name (key) and value.
- A green circle with a check mark is shown when the field exists in the Fields table schema.
- An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo Logic that does not exist in the Fields schema it is ignored, known as dropped.
- In Region, choose the region where your KnowBe4 account is located. See Region section to know your Region.
- In API Key, authenticate your account by entering your secret API key. You can access your API key or generate a new one from User Event API Management Console. See API Token section.
- In Data Types, you can select the Phishing Tests data type to fetch a list of all recipients for each phishing security test on your KnowBe4 account.
- In Phishing Poll Interval, enter the phishing poll interval frequency, which must be between 1 hour and 24 hours.
- When you are finished configuring the Source, click Submit.
When Sumo Logic detects an issue, it is tracked by Health Events. The following table shows three possible error types. It tells the reason for the error, if the source attempts to retry, and the name of the event log in the Health Event Index.
|Type||Reason||Retries||Retry Behavior||Health Event Name|
|ThirdPartyConfig||Normally due to an invalid configuration. You'll need to review your Source configuration and make an update.||No retries are attempted until the Source is updated.||Not applicable||ThirdPartyConfigError|
|ThirdPartyGeneric||Normally due to an error communicating with the third-party service APIs.||Yes||The Source will retry indefinitely.||ThirdPartyGenericError|
|FirstPartyGeneric||Normally due to an error communicating with the internal Sumo Logic APIs.||Yes||The Source will retry indefinitely.||FirstPartyGenericError|
Restarting your Source
If your Source encounters ThirdPartyConfig errors, you can restart it from either the Sumo Logic UI or Sumo Logic API.
To restart your source in the Sumo Logic platform, follow the steps below:
- Open the Collection page, and go to Manage Data > Collection > Collection.
- Select the source and click the information icon on the right side of the row.
- The API usage information popup is displayed. Click the Restart Source button on the bottom left.
- Click Confirm to send the restart request.
- The bottom left of the platform will provide a notification informing you the request was successful.
To restart your source using the Sumo Management API, follow the instructions below:
- Example endpoint:
Sumo Logic endpoints like
api.sumologic.com are different in deployments outside
us1. For example, an API endpoint in Europe would begin
api.eu.sumologic.com. A service endpoint in
us2 (Western U.S.) would begin
service.us2.sumologic.com. For more information, see Sumo Logic Endpoints.
Sources can be configured using UTF-8 encoded JSON files with the Collector Management API. See how to use JSON to configure Sources for details.
|JSON Object||Yes||Contains the configuration-parameters of the Source.||na|
|JSON Object||Yes||Use ||not modifiable|
|String||Yes||Use ||not modifiable|
|String||Yes||Type the desired name of the Source and it must be unique per Collector. This value is assigned to the ||modifiable|
|String||No||Type the description of the Source.||modifiable|
|String||No||Type the category of the source. This value is assigned to the metadata field ||modifiable|
|JSON Object||No||JSON map of key-value fields (metadata) to apply to the Collector or Source. Use the boolean field ||modifiable|
|String||Yes||Region of the KnowBe4 application.||modifiable|
|String||Yes||Secret api key to authenticate your account.||modifiable|
|Array||Yes||Data sources to fetch from KnowBe4.||modifiable|
|Integer||Yes||The Polling interval for phishing data requests. The minimum interval is 1 hour, and the maximum is 24 hours.||modifiable|
"description": "Test Source",
"type": "KnowBe4 KMSAT"
There are two limitations to access KnowBe4 APIs:
- Access to the KnowBe4 Event APIs is limited to 10 requests per licensed user account per day, with a maximum of 4 requests per second.
- Access to the KnowBe4 Phishing APIs is limited to 1,000 requests per day plus the number of licensed users on the account. The API allows a maximum of 4 requests per second, and has a burst limit of 50 requests per minute which starts around 5 minutes and the daily limit starts around 24 hours from the first API request.