SecurityCoach is an add-on product for the KnowBe4 console available for our Platinum and Diamond customers to purchase. SecurityCoach can be used to coach your users about risky activity in real time using SecurityTips. You can customize your coaching experience by integrating your vendors, reviewing your detection rules, setting up real-time coaching campaigns, and choosing specific SecurityTip graphics and notifications to send to your users.
Before you can begin monitoring risky activity and coaching your users in real time, you will need to set up SecurityCoach in your KSAT console. To set up SecurityCoach, you must configure your vendor integrations, set up a delivery method for your SecurityTips, review your rule detections, and create a real-time coaching campaign.
To learn more about setting up SecurityCoach, see the subsections below.
Configuring Security Vendor Integrations
First, you’ll need to set up your third-party vendor integrations on the Setup subtab of SecurityCoach. Once you set up a vendor integration, the vendor's data will be available on the SecurityCoach tab. You can use this data to begin monitoring for risky activities.
For more information about setting up vendor integrations in SecurityCoach, see our Vendor Integration Guides.
Adding a Delivery Method
Email is configured as a delivery method for SecurityCoach by default. However, we recommend setting up Slack, Microsoft Teams, or Google Chat as a delivery method to coach your users where they communicate most.
For more information on setting up delivery methods, see the SecurityCoach integration guides listed below:
- Microsoft Teams Integration Guide for SecurityCoach
- Slack Integration Guide for SecurityCoach
- Google Chat Integration Guide for SecurityCoach
Mapping Users
Mapping your users to identifiers, such as a hostname, helps link risky activity to specific users. User mapping is done automatically for email and web security vendors using the user email addresses set in the Users tab of your KSAT console. However, you may need to map additional identifiers for your endpoint security vendors. For example, you may need to map users to hostnames, usernames, or device IDs.
You can configure mapping rules to automatically map users for you, manually map users by uploading a CSV file, or use a combination of both methods. SecurityCoach also provides mapping recommendations for you to review.
For more information about mapping users, see our Mapping Users in SecurityCoach article.
Reviewing Rule Detections
SecurityCoach provides system detection rules for each security vendor. Detection rules identify what risky activity you would like to track using the data provided by your integrated vendors. These detection rules are enabled automatically, but you can also create custom detection rules if needed.
We recommend reviewing your top detection rules so that you can prioritize which risky activities to target with your real-time coaching campaigns. To review your top detection rules, navigate to the Reports subtab of SecurityCoach and click View Report for the Detection Rules Report. For more information, see our SecurityCoach Reporting Overview article.
To view all your detection rules, navigate to the Detection Rules subtab of SecurityCoach. For more information about detection rules, see our Creating and Managing Detection Rules article.
Creating a Test Mode Campaign
Now you can create a test mode campaign to see how your real-time coaching campaign will perform before you begin coaching your users.
To create a test mode campaign, navigate to the Real-Time Coaching subtab of SecurityCoach. For more information, see our Working with Test Mode Campaigns article.
Creating a Real-Time Coaching Campaign
Finally, you can create a real-time coaching campaign. Real-time coaching campaigns send SecurityTips to users when risky activity is detected. SecurityTips can be sent through Slack, Microsoft Teams, Google Chat, or email.
To create a real-time coaching campaign, navigate to the Real-Time Coaching subtab of SecurityCoach. For more information, see our Creating and Managing Real-Time Coaching Campaigns article.
SecurityCoach Workflow
The SecurityCoach workflow involves both SecurityCoach and the third-party vendors that you integrated with your KSAT console. First, the third-party vendors that you integrated will monitor for risky activity on your users’ devices. Then, these vendors will share those events with SecurityCoach. SecurityCoach will process this information and determine whether the events match the criteria for any of your detection rules.
If an event matches a detection rule’s criteria, the detection rule is triggered, and the event is added to the responsible user’s events timeline. If the detection rule is part of a real-time coaching campaign, the user will also receive a SecurityTip.
Navigating Your SecurityCoach Product
The SecurityCoach tab of your KSAT console includes six subtabs:
- Dashboard
- Detection Rules
- Real-Time Coaching
- SecurityTips
- Setup
- Reports
You can navigate to these subtabs to view your SecurityCoach data, create real-time coaching campaigns, review detection rules, preview SecurityTips, and more. For more information about each of these subtabs, see the subsections below.
Dashboard
When you navigate to the SecurityCoach tab of your KSAT console, the Dashboard subtab will display automatically. On this subtab, you can read a quick overview of your SecurityCoach data, including charts and summaries.
During your initial setup, the dashboard will also display the SecurityCoach Setup section. This section guides you through the four steps to start your coaching program. After you create a real-time coaching campaign, this section will be replaced with your real-time coaching data.
For more information about the dashboard, see the screenshot and list below:
- Last 90 days: By default, your dashboard will display data and activity from the last 90 days. However, you can change this date range by clicking on the Last 90 days drop-down list and selecting a different date range.
- Notifications: You can click the bell icon to view your SecurityCoach notifications.
- Real-Time Coaching Summary: This section displays data for your real-time coaching campaigns.
- SecurityTips Delivered: This section displays the total number of SecurityTips that have been sent to users.
- Users Coached: This section displays the percentage of users that received SecurityTips.
- Active Campaigns: This section displays the total number of active real-time coaching campaigns.
- Vendor Events Summary: This section displays data for your events.
- Total Events: This section displays the number of events from your integrated vendors.
- Users with Events: This section displays the number of users with events.
- Mapped Events: This section displays the number of events mapped to users. The percentage represents the number of your organization’s events that are mapped.
- Mapped Events: This section displays the number of your organization’s events that are mapped to a user. The percentage represents the number of your organization's events that are mapped.
- Unmapped Events: This section displays the number of your organization’s events that aren’t mapped to a user. The percentage represents the number of your organization's events that aren’t mapped.
- Top Detection Rules: This chart displays your 10 most common detections.
- Top Users by Rule Detections: This section displays the users with the most rule detections.
Detection Rules
You can create and manage detection rules on the Detection Rules subtab. Detection rules identify what risky activity you’d like to track from your integrated vendors. These detections will then appear on your users’ timelines. You can also create real-time coaching campaigns to send SecurityTips to users based on these rules.
For more information about creating and managing detection rules, see our Creating and Managing Detection Rules article.
Real-Time Coaching
You can create and manage real-time coaching campaigns and test mode campaigns on the Real-Time Coaching subtab. Real-time coaching campaigns can be used to send SecurityTips to users when risky activity is detected on their devices. SecurityTips can be sent through Slack, Microsoft Teams, Google Chat, or email.
For more information about setting up a real-time coaching campaign, see our Creating and Managing Real-Time Coaching Campaigns article.
You can create a test mode campaign to see how your real-time coaching campaign will perform before you begin coaching your users. For more information about setting up a test mode campaign, see our Working with Test Mode Campaigns article.
SecurityTips
The SecurityTips subtab displays the SecurityTip content and notification templates that you can use in your real-time coaching campaigns. SecurityTips can be used to coach your users about their risky activity and how to avoid that risky activity in the future.
You can use our SecurityTip content, or you can upload your own graphic. SecurityTips are localized based on the recipient's training language. For more information about custom graphics, see our How to Upload Custom SecurityTip Graphics article.
To learn more about the SecurityTips subtab, see the subsections below.
Content Catalog
Each piece of SecurityTip content has its own card on the Content Catalog page. Some SecurityTips are available as an image, GIF, or video. If the GIF format is available, a GIF icon will display on the card. If the video format is available, a video icon will display on the card. Click the card to preview the SecurityTip content and see if you would like to share it with your users.
For more information about the Content Catalog page, see the screenshot below:
- Content Type filter: Click this drop-down menu to filter content by type.
- Source filter: Click this drop-down menu to choose between System content and Custom uploaded content.
  Note: Only custom images are currently supported for SecurityTips.
- Topics filter: Click this drop-down menu to filter content by category.
- Languages filter: Click this drop-down menu to filter content by language.
- Search filter: Enter a keyword used in the content title to filter your results.
- Content Type: This label displays if the content is available in a graphic, GIF, or video format.
- Title: This label displays the title of the SecurityTip content.
- Language: This label displays the number of available languages for the SecurityTip content.
- Topic: This label displays the category for the SecurityTip content. We offer SecurityTip content for several categories, such as Malware, Social Media, and Ransomware.
- Create Campaign: Click this button to create a campaign using this SecurityTip content.
- + New SecurityTip: Click this button to create a custom SecurityTip.
Notification Templates
On the Notification Templates page, you can manage your notification templates and view the templates that we offer. For more information, see our How to Customize SecurityTip Notification Templates article.
Setup
On the Setup subtab, you can configure your vendor integrations, map your users, and set up a delivery method for your SecurityTips. The Setup subtab includes the three pages listed below:
- Security Integrations: On this page, you can view your active vendor integrations, set up new vendor integrations, and fix broken vendor integrations. For more information about vendor integrations, see our Vendor Integration Guides.
- User Mapping Setup: On this page, you can map your users, review mapping recommendations, and view reports related to user mapping. For more information about user mapping, see our Mapping Users in SecurityCoach article.
- Delivery Setup: On this page, you can set up and view your delivery methods for SecurityCoach. For more information about setting up delivery channels, see our Vendor Integration Guides.
Reports
The Reports subtab includes reports based on your SecurityCoach security risks, detection rules, and real-time coaching campaigns. The reports are listed below:
- Risk Report for All Security Vendors
- Risk Report for Endpoint Security Vendors
- Risk Report for Email Security Vendors
- Risk Report for Web Security Vendors
- Detection Rules Report
- Detection Rules Activity Reports
- Real-Time Coaching Report
- Real-Time Coaching Activity Reports
- Vendor Events Report
By default, each report except the Vendor Events Report displays data and activity over the last 90 days. However, you can adjust the report view to reflect a different date range using the drop-down menu at the top-right corner of the specific report.
The Vendor Events Report displays up to 10,000 of the most recent events that occurred over the last 30 days. You can adjust the date range for this report using the Date Range drop-down menu, but you cannot exceed 30 days.
For more information about SecurityCoach reports, see our SecurityCoach Reporting Overview article.