SecurityCoach is an add-on product for the KnowBe4 Security Awareness Training (KSAT) console that is available for our SAT Foundation, SAT Advanced, Platinum, and Diamond-level customers to purchase. SecurityCoach can be used to coach your users about their behavior in real time using SecurityTips. You can customize your coaching experience by integrating your vendors, reviewing your detection rules, setting up real-time coaching campaigns, and choosing specific SecurityTip media and notifications to send to your users.

Before you can begin monitoring user behavior and coaching your users in real time, you will need to set up SecurityCoach in your KSAT console. To set up SecurityCoach, you must configure your vendor integrations, set up a delivery method for your SecurityTips, review your rule detections, and create a real-time coaching campaign.

To learn more about setting up SecurityCoach, see the subsections below.

Configuring Security Vendor Integrations

First, you'll need to set up your third-party vendor integrations in the SecurityCoach > Setup tab of your KSAT console. Once you set up a vendor integration, the vendor's data will be available in SecurityCoach. You can use this data to begin monitoring user behaviors.

For more information about setting up vendor integrations in SecurityCoach, see our Setting Up Integrations article.

Adding a Delivery Method

Email is pre-configured as the default delivery method for SecurityCoach. If you coach your users via email, SecurityTips will be sent to their user email address that is set in the Users tab of your KSAT console.

SecurityCoach also supports integrations with Google Chat, Microsoft Teams, and Slack. If your organization uses any of these platforms for communication, we recommend configuring one as your primary delivery method, so you can coach your users where they communicate most often.

For more information on setting up delivery methods, see our Configuring Delivery Methods article.

Mapping Users

Mapping your users to identifiers, such as a hostname, helps link user behavior to specific users. User mapping is done automatically for email and web security vendors using the user email addresses set in the Users tab of your KSAT console. You may also need to map additional identifiers for your endpoint security vendors. For example, you may need to map users to their hostnames, usernames, or device IDs.

You can configure mapping rules to automatically map users for you, manually map users by uploading a CSV file, or use a combination of both methods. SecurityCoach also provides mapping recommendations for you to review.

For more information about mapping users, see our Map Users in SecurityCoach article.

Reviewing Rule Detections

SecurityCoach provides system detection rules for each security vendor. Detection rules identify which user behaviors you would like to track using the data provided by your integrated vendors. When you integrate a vendor, these detection rules are enabled automatically, but you can also create custom detection rules for your organization's needs.

We recommend reviewing your top detection rules and prioritizing the user behaviors you want to target with your real-time coaching campaigns. To review your top detection rules, navigate to the Reports subtab of SecurityCoach and click Report for the Detection Rules Report. For more information, see our SecurityCoach Reporting Overview article.

To view all your detection rules, navigate to SecurityCoach > Detection Rules. For more information about detection rules, see our Detection Rules Guide.

Creating a Test Mode Campaign

To test how your real-time coaching campaigns will perform before you begin coaching your users, you can use our Test Mode feature to create a test mode campaign. In a test mode campaign, SecurityCoach detects user behaviors but does not send coaching to your users. You can turn your test mode campaign into a real-time coaching campaign at any time. For more information, see our Working with Test Mode Campaigns article.

Creating a Real-Time Coaching Campaign

Finally, we recommend creating a real-time coaching campaign. Real-time coaching campaigns send SecurityTips to users when user behaviors are detected. SecurityTips can be sent through Slack, Microsoft Teams, Google Chat, or email.

To create a real-time coaching campaign, navigate to the Real-Time Coaching subtab of SecurityCoach. For more information, see our Real-Time Coaching Campaigns Guide article.

SecurityCoach Workflow

The SecurityCoach workflow involves both SecurityCoach and the vendors that you have integrated. For more information, see the workflow list below:

1. Your integrated vendors monitor user behaviors using email, endpoint, and browser events.
2. The vendors share those events with SecurityCoach.
3. SecurityCoach processes this information and determines whether the vendor events match the criteria for any of your detection rules.
4. If an event matches a detection rule’s criteria, the detection rule is triggered, and the event is added to the responsible user’s events timeline.
5. If the detection rule is part of a real-time coaching campaign, the user will also receive a SecurityTip to coach their behavior.

SecurityCoach events can also influence your users’ and organization's Risk Score. For more information, see the Security Types section of our SmartRisk Agent™ and Risk Score Guide.

Navigating Your SecurityCoach Product

The SecurityCoach tab of your KSAT console includes six subtabs:

• Dashboard
• Real-Time Coaching
• Detection Rules
• SecurityTips
• Setup
• Reports

You can navigate these subtabs to view your SecurityCoach data, create real-time coaching campaigns, review detection rules, preview SecurityTips, set up configurations, view reports, and more. For more information about each of these subtabs, see the subsections below.

Dashboard

When you navigate to the SecurityCoach tab of your KSAT console, the Dashboard subtab will display automatically. In this subtab, you can read a quick overview of your SecurityCoach data, including charts and summaries.

During your initial setup, the dashboard will also display the SecurityCoach Setup section. This section guides you through the four steps to start your coaching program. After you create a real-time coaching campaign, this section will be replaced with your real-time coaching data.

For more information about the dashboard, see the screenshot and list below:

1. Last 90 days: Your dashboard will display data and activity from the last 90 days by default. However, you can change this date range by clicking on the Last 90 days drop-down list and selecting a different date range.
2. Notifications: Click the bell icon to view your SecurityCoach notifications.
3. Real-Time Coaching Summary: This section displays data for your real-time coaching campaigns.
4. SecurityTips Delivered: This section displays the total number of SecurityTips that have been sent to users.
5. Users Coached: This section displays the percentage of users who received SecurityTips.
6. Active Campaigns: This section displays the total number of active real-time coaching campaigns.
7. Vendor Events Summary: This section displays data for your vendor events.
8. Total Events: This section displays the number of events from your integrated vendors.
9. Users with Events: This section displays the number of users with events.
10. Mapped Events: This section displays the number of events mapped to users. The percentage represents the number of your organization’s events that are mapped.
11. Unmapped Events: This section displays the number of your organization’s events that aren’t mapped to a user. The percentage represents the number of your organization's events that aren’t mapped.
12. Top Detection Rules: This chart displays your 10 most common detections.
13. Top Users by Rule Detections: This section displays the users with the most rule detections.

Real-Time Coaching

You can create and manage real-time coaching campaigns and test mode campaigns by navigating to SecurityCoach > Real-Time Coaching subtab. Real-time coaching campaigns can be used to send SecurityTips to coach users when specific user behaviors are detected. SecurityTips can be sent through Slack, Microsoft Teams, Google Chat, or email.

For more information about setting up a real-time coaching campaign, see our Real-Time Coaching Campaigns Guide.

You can create a test mode campaign to see how your real-time coaching campaign will perform before you begin coaching your users. For more information about setting up a test mode campaign, see our Working with Test Mode Campaigns article.

Detection Rules

You can create and manage detection rules in SecurityCoach > Detection Rules. Detection rules identify what user behavior you would like to track from your integrated vendors. These detections will then appear on your users’ timelines. You can also create real-time coaching campaigns to send SecurityTips to users based on these rules.

For more information about creating and managing detection rules, see our Detection Rules Guide.

SecurityTips

The SecurityTips subtab displays the SecurityTip graphics and notification templates you can use in your real-time coaching campaigns. SecurityTips can be used to coach your users about their user behaviors and how to improve their security posture.

You can use our SecurityTip graphics or upload your own. SecurityTips are localized based on the recipient's training language. For more information about custom graphics, see our Upload Custom SecurityTip Graphics article.

To learn more about the SecurityTips subtab and how to use it, see our SecurityTips Guide.

Setup

In the SecurityTips > Setup subtab, you can configure your vendor integrations, map your users, and set up a delivery method for your SecurityTips. The Setup subtab includes the three pages listed below:

• Security Vendor Integrations: On this page, you can view your active vendor integrations, set up new vendor integrations, and fix broken vendor integrations. For more information about vendor integrations, see our Setting Up Integrations articles.
• User Mapping Setup: On this page, you can map your users, review mapping recommendations, and view reports related to user mapping. For more information about user mapping, see our Map Users in SecurityCoach article.
• Delivery Setup: On this page, you can set up and view your delivery methods for SecurityCoach. For more information about setting up delivery channels, see our Configuring Delivery Methods articles.

Reports

The Reports subtab includes reports based on your SecurityCoach security risks, detection rules, and real-time coaching campaigns. The reports are listed below:

• Detection Rules Report
• Real-Time Coaching Report
• Real-Time Coaching Activity Reports
• Risk Report for Endpoint Security Vendors
• Risk Report for Email Security Vendors
• Risk Report for Web Security Vendors
• Vendor Events Report

Every report, except for the Vendor Events Report, displays data and activity over the last 90 days by default. You can adjust the report view to reflect a different date range by using the drop-down menu at the top-right corner of the specific report.

The Vendor Events Report displays up to 10,000 of the most recent events that occurred over the last 30 days. You can adjust the date range for this report up to the last 30 days using the Date Range drop-down menu.

For more information about SecurityCoach reports, see our SecurityCoach Reporting Overview.