What Is SecurityCoach?
SecurityCoach is an add-on product for the KnowBe4 console available for our Platinum and Diamond customers to purchase. SecurityCoach can be used to coach your users about risky activity in real time using SecurityTips. You can customize your coaching experience by integrating your vendors, reviewing your detection rules, setting up real-time coaching campaigns, and choosing specific SecurityTip graphics and notifications to send to your users.
SecurityCoach Setup
Before you can begin monitoring risky activity on your users’ devices and coaching your users in real time, you will need to set up SecurityCoach in your KMSAT console. To set up SecurityCoach, you must configure your vendor integrations, map your users, manage your detection rules, set up a delivery method for your SecurityTips, and create a real-time coaching campaign.
To learn more about setting up SecurityCoach, see the subsections below.
Configuring Security Vendor Integrations
First, you’ll need to set up your third-party vendor integrations on the Setup subtab of SecurityCoach. Once you set up a vendor integration, the vendor's data will be available on the SecurityCoach tab. You can view this data in SecurityCoach reports and use it to create real-time coaching campaigns.
For more information about setting up vendor integrations in SecurityCoach, see our Vendor Integration Guides.
Mapping Users
After you’ve set up your vendor integrations, you’ll need to map your users to identifiers. Mapping your users helps link risky activity to specific users.
You can manually map your users, configure mapping rules to automatically map users for you, or use a combination of both methods. SecurityCoach also provides mapping recommendations for you to review.
For more information about mapping users, see our Mapping Users in SecurityCoach article.
Reviewing Detection Rules
After you set up a vendor integration, you can review the detection rules for that vendor. Detection rules specify what risky activity you want to track using the data provided by your integrated vendors. SecurityCoach provides built-in detection rules for each security vendor that are enabled by default, but you can also create custom detection rules. You can then create real-time coaching campaigns using the detection rules to coach your users in real time.
To review your detection rules, navigate to the Detection Rules subtab of SecurityCoach or click Review Detection Rules on the vendor’s setup page. For more information about detection rules, see our Creating and Managing Detection Rules article.
Setting Up a Delivery Method
You’ll need to set up a delivery method to send SecurityTips to your users. You can choose to deliver SecurityTips through Slack or Microsoft Teams. You can also choose to use email if your primary delivery method is unsuccessful.
For more information about delivering notifications through Microsoft Teams or Slack, see the SecurityCoach integration guides listed below:
Creating a Real-Time Coaching Campaign
Finally, you’ll set up your real-time coaching campaigns. Real-time coaching campaigns can be used to send SecurityTips to users when risky activity is detected on their devices. SecurityTips can be sent through Slack, Microsoft Teams, or email.
To create a real-time coaching campaign, navigate to the Real-Time Coaching subtab of SecurityCoach. For more information about setting up real-time coaching campaigns, see our Creating and Managing Real-Time Coaching Campaigns article.
SecurityCoach Workflow
The SecurityCoach workflow involves both SecurityCoach and the third-party vendors that you integrated with your KMSAT console. First, the third-party vendors that you integrated will monitor for risky activity on your users’ devices. Then, these vendors will share those events with SecurityCoach. SecurityCoach will process this information and determine whether the events match the criteria for any of your detection rules.
If an event matches a detection rule’s criteria, the detection rule is triggered, and the event is added to the responsible user’s events timeline. If the detection rule is part of a real-time coaching campaign, the user will also receive a SecurityTip.
Navigating Your SecurityCoach Product
The SecurityCoach tab of your KMSAT console includes six subtabs:
- Dashboard
- Detection Rules
- Real-Time Coaching
- SecurityTips
- Setup
- Reports
You can navigate to these subtabs to view your SecurityCoach data, create real-time coaching campaigns, review detection rules, preview SecurityTips, and more. For more information about each of these subtabs, see the subsections below.
Dashboard
When you navigate to the SecurityCoach tab of your KMSAT console, the Dashboard subtab will display automatically. On this subtab, you can view a quick overview of your SecurityCoach data, including charts and summaries. For more information about each chart and the data it displays, see below:
- Last 90 days: By default, your dashboard will display data and activity from the last 90 days. However, you can change this date range by clicking on the Last 90 days drop-down list and selecting a different date range.
- Notifications: You can click the bell icon to view your SecurityCoach notifications.
- Real-Time Coaching Summary: This section displays data for your real-time coaching campaigns.
- Coached Users: This section displays the percentage of users that received SecurityTips.
- SecurityTips Delivered: This section displays the total number of SecurityTips that have been sent to users.
- Active Real-Time Coaching Campaigns: This section displays the total number of active real-time coaching campaigns.
- SecurityTips Delivered Over Time: This line graph displays the number of SecurityTips sent during the selected date range.
- Vendor Events Summary: This section displays data for your events.
- Total Events: This section displays the number of events from your integrated vendors.
- Mapped Events: This section displays the number of events mapped to users. The percentage represents the share of your organization’s events that are mapped.
- Users with Events: This section displays the number of users with events.
- Unmapped Events: This section displays the number of your organization’s events that aren’t mapped to a user. The percentage represents the share of your organization’s events that aren’t mapped.
- Detection Rules Summary: This section displays data for your detection rules.
- Total Available Detection Rules: This section displays the number of detection rules available for your active vendor integrations.
- Enabled Detection Rules: This section displays the number of enabled detection rules.
- Users with Rule Detections: This section displays the number of users with detections for your enabled rules during the selected date range.
- Rule Detections: This section displays the number of detections for all of your rules.
Detection Rules
You can create and manage detection rules on the Detection Rules subtab. Detection rules identify what risky activity you’d like to track from your integrated vendors. These detections will then appear on your users’ timelines. You can also create real-time coaching campaigns to send SecurityTips to users based on these rules.
For more information about creating and managing detection rules, see our Creating and Managing Detection Rules article.
Real-Time Coaching
You can create and manage real-time coaching campaigns on the Real-Time Coaching subtab. Real-time coaching campaigns can be used to send SecurityTips to users when risky activity is detected on their devices. SecurityTips can be sent through Slack, Microsoft Teams, or email.
For more information about setting up a real-time coaching campaign, see our Creating and Managing Real-Time Coaching Campaigns article.
SecurityTips
The SecurityTips subtab displays the SecurityTip graphics and notification templates that you can use in your real-time coaching campaigns. SecurityTips can be used to coach your users about their risky activity and how to avoid that risky activity in the future.
You can use our SecurityTip graphics, or you can upload your own. For more information about custom graphics, see our How to Upload Custom SecurityTip Graphics article.
To learn more about the SecurityTips subtab, see the subsections below.
Graphics
Each specific SecurityTip graphic will have its own card on the Graphics page. Some SecurityTips are available as both an image and a GIF. If the GIF format is available, a GIF icon will display on the card. You can click the card to preview the SecurityTip graphic to see if you would like to share it with your users.
For more information about the Graphics page, see below:
- Topics: Click this drop-down menu to filter content by category.
- Search: Enter a keyword used in the content title to filter your results.
- Topic: This label displays the category for the SecurityTip graphic. We offer SecurityTip graphics for several different categories such as Malware, Social Media, and Ransomware.
- Title: This section of the card displays the title of the SecurityTip.
- Language: This section of the card displays the language of the SecurityTip graphic.
- Details: Click this button to preview or edit a custom SecurityTip graphic.
- Create Campaign: Click this button to create a campaign using this SecurityTip graphic.
Notification Templates
On the Notification Templates page, you can manage your notification templates and view the templates that we offer. For more information, see our How to Customize SecurityTip Notification Templates article.
Setup
On the Setup subtab, you can configure your vendor integrations, map your users, and set up a delivery method for your SecurityTips. The Setup subtab includes the three pages listed below:
- Security Integrations: On this page, you can view your active vendor integrations, set up new vendor integrations, and fix broken vendor integrations. For more information about vendor integrations, see our Vendor Integration Guides.
- User Mapping Setup: On this page, you can map your users, review mapping recommendations, and view reports related to user mapping. For more information about user mapping, see our Mapping Users in SecurityCoach article.
- Delivery Setup: On this page, you can set up and view your delivery methods for SecurityCoach. For more information about setting up delivery channels, see our Vendor Integration Guides.
Reports
The Reports subtab includes reports based on your SecurityCoach security risks, detection rules, and real-time coaching campaigns. The reports are listed below:
- Risk Report for All Security Vendors
- Risk Report for Endpoint Security Vendors
- Risk Report for Email Security Vendors
- Risk Report for Web Security Vendors
- Detection Rules Report
- Real-Time Coaching Report
- Vendor Events Report
Click the View Report button on the report you want to display. By default, each report except the Vendor Events Report displays data and activity over the last 90 days. However, you can adjust the report view to reflect a different date range using the drop-down menu at the top-right corner of the specific report.
The Vendor Events Report displays up to 10,000 of the most recent events that occurred over the last 30 days. You can adjust the date range for this report using the Date Range drop-down menu, but you cannot exceed 30 days.
For more information about SecurityCoach reports, see our SecurityCoach Reporting Overview article.