Menu English (US) Čeština Dansk Deutsch Español (Latinoamérica) Español (España) Suomi Français (Canada) Français (France) हिंदी Magyar Bahasa Indonesia Italiano 日本語 한국어 Bahasa Melayu Nederlands Norsk Polski Português do Brasil Português (Portugal) Română Русский svenska ไทย Türkçe Українська Tiếng Việt 简体中文 繁體中文

How to Use Smart Groups

Updated:

Created:

Using Smart Groups

If you are a Platinum or Diamond customer, you can use our Smart Groups feature to create groups based on the criteria that you choose. Users are dynamically added and removed from Smart Groups based on these criteria. You can use this feature to phish and train specific groups of users, generate detailed reports, and more.

To learn more about Smart Groups, see the sections below or watch our Introduction to Smart Groups video.

Jump to:

What Can I Use Smart Groups For?

How to Create a Smart Group

Managing Users in a Smart Group

Criteria Types and Options

Frequently Asked Questions (FAQs)

 

What Can I Use Smart Groups For?

You can use Smart Group criteria to create automatic groups that organize users for phishing and training purposes. You can define criteria to create groups of users based on their location, job title, training status, phishing failures, assessment scores, and more.

Smart Groups also allow you to automate workflows within your KnowBe4 console. For example, you can create a Smart Group of users who have failed a specific number of phishing tests. You can then create a remedial training campaign and assign the training to this Smart Group. If your users fail the specific number of phishing tests, they will be automatically enrolled in the Smart Group and assigned remedial training.

For more information about how you can use Smart Groups in your organization, see our How to Use Smart Groups: Use Cases article.

Back to top

 

How to Create a Smart Group

To create a Smart Group, follow the steps below:

  1. Log in to your KMSAT console and navigate to Users > Groups.
  2. Click the +Create New Group button at the top-right corner of the page.
  3. Enter a group name in the Group Name field.
  4. (Optional) Set Security Roles or a Risk Booster for your Smart Group. For more information about these settings, see our How Do I Create a New Group? article.
  5. Select the Make this a Smart Group check box.
  6. Click Create Group. When you click this button, the Smart Group’s overview page will open.
  7. From this page, click the Smart Group Criteria drop-down menu and select the criteria type you’d like to set for your Smart Group. See the Criteria Types and Options section of this article for more information.
  8. When you select the criteria type, a pop-up window will open. In this pop-up window, you can customize the options for the criteria type such as the condition, scope, and time frame. Select the options that you’d like, then click Save. The example below shows the Training criteria type.
  9. Continue to add criteria types and customize the Smart Group. You can add up to five criteria rules per Smart Group. When you add criteria rules to the Smart Group, the criteria rules will be listed under the Smart Group Criteria section.
  10. Once you add all your criteria rules, click the Save button at the bottom of the Smart Group Criteria section. When you click Save, the Smart Group will automatically populate with the users who fit all the specific criteria rules.

You can enable the Show User Counts toggle to display a number in a green box for each criteria rule. This number represents the amount of users who fit that criteria rule and the criteria rule above.

If you set more than one criteria rule, you can click the chart icon at the top-right corner of the Smart Group Criteria section. This chart icon will show you a Venn diagram of users who fit your criteria.

Each circle of the Venn diagram represents a different criteria rule. The color of the circle corresponds with the color of each rule. You can hover your cursor over a section of the diagram to see more information about the users in the Smart Group.

Note: Users must meet all defined criteria rules to be included in a specific Smart Group. For example, if you set a criteria rule for users located in the Southwest and another criteria rule for users who have phishing failures, the Smart Group will only include users who live in the Southwest and have failed a phishing test. However, users only need to meet one of the options within a criteria rule to meet the requirements for that criteria rule. For example, if you create a criteria rule using the Location user field, you can enter Southwest as a value and Northeast as another value. This criteria rule will include all users who are located in either the Southwest or the Northeast.

Back to top

 

Managing Users in a Smart Group

You can’t manually add or remove users from a Smart Group. However, you can manage these users in other ways.

In the Users section of the Smart Group’s overview page, you can view the users that are in the Smart Group. You can click the Status and Type drop-down arrows to narrow down the list of users that you see. To edit a user’s information or grant a user admin access, click the drop-down arrow in the Actions column (click to view).

For more information about managing users, see our Users and Groups article.

Back to top

 

Criteria Types and Options

When you create a Smart Group, you can use any combination of options and create up to five criteria rules per group. For more information about criteria types and options, click the criteria type or option in the list below:

Back to top 

 

Time Frame Options

Some criteria types include time frame options. These options are Range, Duration, and Any. Click the tabs below to learn more about each option. 

Range

Click the Range option to only use criteria within a selected date range. Date ranges are calculated in Coordinated Universal Time (UTC-00:00). You can use the Range option to set a few specific date ranges: specific start and end dates, on or after a specific date, and on or before a specific date. 

Specific Start and End Dates

To set a specific start and end date, follow the steps below: 

  1. Click the first calendar icon, then select your desired start date.
  2. Click the second calendar icon field, then select the day after your desired end date.

Note: KnowBe4 calculates date ranges in UTC (-00:00), so adding one day to the end of your desired end date will account for any time zone differences. For example, if you’d like to create a Smart Group of users who failed phishing tests between the dates of 7/21/2021 and 7/31/2021, we recommend that you select 7/21/2021 and 8/01/2021.

On or After a Specific Date

To specify your criteria by events that occurred on or after a specific date, click the first calendar icon and select your desired start date. Leave the second date field blank.

On or Before a Specific Date

To specify your criteria by events that occurred on or before a certain date, click the second calendar icon and select your desired end date. Leave this first date field blank.

Duration

Click the Duration option to specify your criteria using relative duration. You can choose either Prior to the last or In the last. Then, you can choose a specific number of days, weeks, or months.

Follow the steps below to set a duration. 

  1. From the first drop-down menu, select Prior to the last or In the last.
  2. In the second field, enter a number. You can type a number into the field or click the plus and minus buttons to change the number.
  3. From the second drop-down menu, select a unit of time. You can choose days, weeks, or months.

In the example screenshot to the left, these options would populate any user who was enrolled in training in the last three months.

Any

Click the Any option to include any time since you created your KnowBe4 account. This option also includes future instances.

Back to top

 

User Field Criteria

The User Field criteria type filters users based on the fields in their User Information tab. See below for information about each option:

  1. User Field: Select your User Field. You can choose from several options, such as First Name, Manager Name, and Job Title. Click here to view a full list of possible fields.
  2. Condition: Select either Must or Must Not.
  3. Comparison: Select one of the following options: Equal, Contains, Starts with, Ends with, Greater than, or Less than.
  4. Values: In the field, type the specific value that you’d like to filter by. For example, type “Southwest" for location or “20" for Phish-prone Percentage. You can also leave this field blank if you don’t have a specific value you want to filter by. This field is not case sensitive.

The screenshot above creates the following rule:

User Field

The Phish-prone Percentage must be greater than 50.

Back to top

 

User Date Criteria 

The User Date criteria type filters by user-specific dates. See below for information about each option:

  1. Condition: Select either Must or Must Not.
  2. Date Type: Select one of the following options: Created, Last Login, Employee Start Date, Custom Field 1, or Custom Field 2.
  3. Time Frame: See the Time Frame Options section of this article for more information.

The screenshot above creates the following rule:

User Date

User must have employee start date from 01/01/2019 through 31/12/2019.

Back to top

 

Phish Event Criteria

The Phish Event criteria type filters users based on their actions with simulated phishing tests. See below for information about each option:

  1. Condition: Select either Must or Must Not.
  2. Phish Event: See the Phish Event Options section of this article for more information.
  3. Comparison: Select from Equal, Greater than, or Less than.
  4. Count: Set a count for this rule. You can either type a number into the field or click the plus and minus buttons to change the value.
  5. Time Frame: See the Time Frame Options section of this article for more information.

The screenshot above creates the following rule:

Phish Event

User must not have had enabled a macro more than 1 times.

Back to top

 

Phish Event Options

The criteria types Phish Event, PhishFlip Event, and After Training require you to select a phish event option. A phish event is what happens when a user receives a Phishing Security Test (PST).

Each email sent in a phishing campaign is a PST. If a user interacts with the email in an unsafe way, that action is called a failure and the user fails the test. Phishing campaigns are designed to test multiple attack vectors, so a user could have multiple failures from one failed phishing test. For example, if a user clicks on a simulated phishing link and enters data on a landing page, that user has two failures, but only one failed phishing test. 

For more information about the phish event options and their functions, see the table below.

Criteria Option

Function

Failed Phishing Test

Counts the number of PSTs that a user failed.

Passed Phishing Test

Counts the number of PSTs that a user has not failed.

Any Failures

Counts the number of failures that a user has had.

Any Failures But Clicks

Counts the number of failures that a user has had, excluding failures where the user clicked on a simulated phishing link. 

Clicked

Counts the number of simulated phishing links a user has clicked on.

Replied

Counts the number of times a user has replied to a phishing test email.

Opened Attachment

Counts the number of times a user has opened a file that was attached to a phishing test email.

Enabled macro

Counts the number of times a user has enabled macros in a file that was attached to a phishing test email.

Entered data

Counts the number of times a user has clicked on a simulated phishing link and entered information on a data-entry landing page. 

Reported

Counts the number of times a user reported a phishing test email using the Phish Alert Button.
This option includes all users who reported the phishing test email, even users who failed the test before or after reporting the email.

Delivered

Counts the number of times a user has received a phishing test email.

Bounced

Counts the number of times a user was sent a phishing test email but did not receive the email.
You can view the reason for the bounced email in the Users tab of an individual campaign. See our How to Monitor and Review Phishing Campaigns article for more information.

Opened

Counts the number of phishing test emails opened by a user, regardless of the outcome of the phishing test.

Back to Top

 

PhishFlip Event Criteria

The PhishFlip Event criteria type filters users based on their actions with simulated phishing tests from a PhishFlip campaign. These criteria types are only available if you are using PhishER and PhishFlip features. See below for information about each option:

  1. Condition: Select either Must or Must Not.
  2. PhishFlip Event: See the Phish Event Options section of this article for more information.
  3. Comparison: Select from Equal, Greater than, or Less than.
  4. Count: Set a count for this rule. You can type a number into the field or click the plus and minus buttons to change the value.
  5. Time Frame: See the Time Frame Options section of this article for more information.

The screenshot above creates the following rule:

PhishFlip Event

User must not have clicked on a flipped phishing email in the last 6 months.

 Back to top

 

Breach Event Criteria

The Breach Event criteria type filters users based on whether or not they have been involved in a data breach.
This event will be automatically added to the user’s User Timeline when an Email Exposure Check Pro (EEC Pro) scan finds that the user has been involved in a data breach. See below for information about each option:

 

  1. Condition: Select either Must or Must Not.
  2. Breach Event: Security Breach is the only option. This option includes all reported data breaches and is selected by default.
  3. Comparison: Select from Equal, Greater than, or Less than.
  4. Count: Set a count for this rule. You can type a number into the field or click the plus and minus buttons to change the value.
  5. Time Frame: See the Time Frame Options section of this article for more information.

The screenshot above creates the following rule:

Breach Event

User must have been in a security breach more than 1 time.

Back to top

 

Training Criteria 

The Training criteria type filters users based on their involvement in training campaigns. See below for information about each option:

  1. Condition: Select either Must or Must Not.
  2. Training Event: Select Enrolled, Started, or Completed.
  3. Scope: Select Any Selected, All Selected, or Any Available. The Any Available option includes all assignments available to your users.
  4. Assignments: Select one or more training assignments. You can type the assignment name in the field or select the assignment from the drop-down menu. If you selected Any Available for the scope, you will not see this field.
  5. Time Frame: See the Time Frame Options section of this article for more information.

The screenshot above creates the following rule:

Training

User must have started in all of these 2 assignments in the last 2 months.
Note: If Optional Learning is enabled for your account, it is possible that a user enrolls in or completes the training content selected for this criteria. This scenario is unlikely but it could impact whether or not the user is added to the Smart Group.

Back to top

 

After Training Criteria

The After Training criteria type filters users based on their actions with simulated phishing tests after they completed training assignments. See below for information about each option:

  1. Condition: Select either Must or Must Not.
  2. Phish Event: See the Phish Event Options section of this article for more information.
  3. Training Event: Select Enrolled, Started, or Completed.
  4. Assignments: Select one or more training assignments. You can type the assignment name in the field or select the assignment from the drop-down menu.

The screenshot above creates the following rule:

After Training

User must have reported a phishing email after completing Using the Phish Alert Button: Report Suspicious Emails.

Back to top

 

Assessments Criteria 

The Assessments criteria type filters users based on their assessment scores. See below for information about each option:

  1. Condition: Select either Must or Must Not.
  2. Scope: Select Any Selected, All Selected, or Entire Assessment. The Entire Assessment option includes all the knowledge areas and if selected, the Knowledge Areas option will not be visible.
  3. Knowledge Areas: Select one or more knowledge areas. These knowledge areas include Passwords & Authentication, Email Security, Internet Use, Social Media, Mobile Devices, Incident Reporting, and Human Firewall. For more information about knowledge areas, see our What Is the Security Awareness Proficiency Assessment (SAPA)? article.
  4. Comparison: Select Equal, Greater than, or Less than.
  5. Score: Set a score. You can type a number into the field or click the plus and minus buttons to change the value.
  6. Time Frame: See the Time Frame Options section of this article for more information.
    Note: The Assessments criteria rule has an additional time frame option: Most Recent. If you select the Most Recent option, only the most recent completed assessment will be included in the criteria rule.

The screenshot above creates the following rule:

Assessment

User must have scored more than 80% in Social Media.

Back to top

 

Custom Event Criteria

The Custom Event criteria type filters users based on external user data imported into the console using the User Event API. See below for information about each option:

Note: The Custom Event criteria type will not be available until you import custom events into your KnowBe4 console.

  1. Condition: Select either Must or Must Not.
  2. Event Type: Select the event type that you created using the User Event API.
  3. Event Source (optional): Select a specific source previously created for this event.
  4. Event External Id (optional): Select the specific external id previously created for this event.
  5. Description (optional): Enter the word or phrase within the description of the custom event. This option is not case sensitive.
  6. Matcher: Select Equal, Greater than, or Less than.
  7. Count: Set a count for this rule. You can type a number into the field or click the plus and minus buttons to change the value.
  8. Time Frame: See the Time Frame Options section of this article for more information.

The screenshot above creates the following rule:

Custom Event

User must have the specified Example Event event type more than 3 times.

Back to top

 

PasswordIQ Event Criteria

The PasswordIQ Event criteria type filters based on PasswordIQ events. These events include when a user is detected to have a vulnerability and when a user is not detected to have a vulnerability. See below for information about each option:

Password IQ Event Criteria

  1. Condition: Select either Must or Must Not.
  2. PasswordIQ Event: Select the type of event you would like to filter by. For more information about these options, see the list below:
    • Any Status Change: Select this option to filter by status changes or initial scans for the selected vulnerability.
    • Status Change: Select this option to filter by users who had a status change for the selected vulnerability during the selected time frame. For example, users who were not detected to have the vulnerability and then later detected to have the vulnerability would be included in this filter.
    • Initial Scan: Select this option to filter by detections of the selected vulnerability during the initial scan.
  3. Vulnerability: Select the vulnerability you would like to filter by. For more information, see the Vulnerabilities section of our PasswordIQ Product Manual.
  4. Detection Status: Select either Detected or Not Detected to filter by users who were detected or not detected to have the vulnerability. 
  5. Comparison: Select Equal, Greater than, or Less than.
  6. Count: Set a count for this rule. You can type a number into the field or click the plus and minus buttons to change the value.
  7. Time Frame: See the Time Frame Options section of this article for more information.

Back to top

 

PasswordIQ State Criteria

The PasswordIQ State criteria type filters based on the current state of PasswordIQ detections. The current state is determined by your most recent scan. For example, you could use this criteria type to filter by users who were detected to have the Weak Password vulnerability in your most recent scan. See below for information about each option:

PasswordIQ State Criteria

  1. Vulnerability: Select the vulnerability you would like to filter by. For more information, see the Vulnerabilities section of our PasswordIQ Product Manual.
  2. Detection Status: Select either Detected or Not Detected to filter by users who were detected or not detected to have the vulnerability.

Back to top

SecurityCoach Detection Rules Criteria

The SecurityCoach Detection Rules criteria type filters users based on the number of detection rules they have triggered. See below for information about each option:

  1. Condition: Select either Must or Must Not.
  2. Detection Rules: Select one or more detection rules.
  3. Matcher: Select Equal, Greater than, or Less than.
  4. Count: Set a count. You can type a number into the field or click the plus and minus buttons to change the value.
  5. Time Frame: See the Time Frame Options section of this article for more information.

Back to top

 

SecurityCoach Real-Time Coaching Criteria

The SecurityCoach Real-Time Coaching criteria type filters users based on the number of SecurityTips they have received from your real-time coaching campaigns. See below for information about each option:

  1. Condition: Select either Must or Must Not.
  2. Real-Time Coaching Campaigns: Select one or more real-time coaching campaigns.
  3. Matcher: Select Equal, Greater than, or Less than.
  4. Count of Coaching Notifications Delivered: Set a count. You can type a number into the field or click the plus and minus buttons to change the value.
  5. Time Frame: See the Time Frame Options section of this article for more information.

Back to top

 

Frequently Asked Questions (FAQs)

Q: Can users be included in multiple Smart Groups?

  • A: Yes, users will be included in any Smart Group that they meet the specific criteria for.

 

Q: How do I know which of my groups are Smart Groups in the Groups tab?

  • A: You'll see a blue icon on the left side of the Smart Group name. This icon is only used for Smart Groups.

 

Q: Can I change the name of a Smart Group?

  • A: Yes, you can change the name of a Smart Group. To change the name of a Smart Group, follow the steps below:
  1. Navigate to Users > Groups.
  2. Click the drop-down arrow in the Actions column.
  3. Select Edit.
  4. After you change the group name, click the Update Group button.

Changing the name will not impact the users or criteria rules in the Smart Group.

 

Q: Can I edit the Smart Group criteria after I create the group?

  • A: Yes, you can edit Smart Group criteria. However, please note that Smart Groups are dynamic. Any users who do not meet the updated criteria will be removed from the group, and any users who meet the updated criteria will be added to the group.

 

Q: Why am I unable to create a Smart Group in my account?

  • A: This feature is only available to Platinum and Diamond customers. If you’re interested in upgrading your subscription, contact your Customer Success Manager.

 

Q: How often are Smart Group enrollments updated?

  • A: Smart Group enrollments are updated every 15 minutes or less.

 

Q: Do Smart Groups include archived users?

  • A: No, Smart Groups only include active users.

 

Q: Can I sync members from my Active Directory into a Smart Group?

  • A: No, you can’t add or sync users into a Smart Group. This rule also applies if you create a Smart Group with the same name as a group in your Active Directory. You will receive an ADI sync error if you try to import that Active Directory group.

Back to top

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles