In SecurityCoach, you can map users to identifiers such as hostnames or usernames. Mapping users helps link risky activity detected by your integrated vendors to specific users.
Users are automatically mapped to their email addresses used in the KSAT console. Depending on your integrated vendors, you may also need to map users to other identifiers, such as their hostname or username. We recommend mapping users by configuring automated user mapping rules, uploading a CSV file to map users manually, or using both methods together. SecurityCoach also provides mapping recommendations for you to review.
To learn how to map users by configuring user mapping rules or uploading a CSV file, see the subsections below. For general information about SecurityCoach, see our SecurityCoach Product Manual.
Configuring User Mapping Rules
User mapping rules automatically map your users based on data from your integrated vendors and KSAT console. We offer a variety of system rules that are enabled by default, and you can also create your own custom rules.
To create and manage your user mapping rules, follow the steps below:
- Log in to your KSAT console.
- Navigate to SecurityCoach > Setup > User Mapping Setup.
- Select Configure User Mapping Rules.
The User Mapping Rules page includes the System Rules section and Custom Rules section. To learn more about these user mapping rules sections, see the article subsections below.
Custom User Mapping Rules
Use the Custom Rules section to create new custom user mapping rules and view your existing custom user mapping rules. To learn more about the Custom Rules section, see the screenshot and list below:
- +Create Custom Rule: Click this button to open the Create New Rule pop-up window and create a new custom rule. For more information, see the Creating a New Custom Rule section below.
- Toggle: Click this toggle to enable or disable an existing custom rule.
- Delete: Click the trashcan icon to delete an existing custom rule.
Creating a New Custom Rule
Create a new user mapping rule by selecting your criteria and clicking Create Rule. For more information on custom rule options, see the screenshot and list below:
- Vendor criteria: Use this criteria to select the security vendors this rule should apply to.
Tip: When selecting a vendor, you can select No Vendor if the rule should apply to all vendors.
- Identifier criteria: Use this criteria to select which security vendor identifier to map.
- Operator criteria: Use this criteria to select if the identifier is the same as or contains the matching KnowBe4 User Data Field.
- KnowBe4 User Data Field: Use this criteria to select the user data from KnowBe4 to map.
- Add Field: Use this button to add your selected criteria to the rule.
- Cancel: Use this button to cancel the creation of a new custom rule.
- Create Rule: Use this button to confirm your configuration and create the new custom rule.
System User Mapping Rules
Use the System Rules section to view our built-in system user mapping rules. To enable or disable a system rule, click the toggle to the left of the rule. To view our current System Rules, see the screenshot and table below:

Vendor | Vendor Identifier | Operator | KnowBe4 User Data Field |
---|---|---|---|
All Vendors | Hostname | is | Hostname |
All Vendors | Username | is | Email Alias |
All Vendors | User Email | is | Email Alias |
KSAT | Detection User ID | is | User ID |
All Vendors | Username | is | First Name ␣ Last Name |
All Vendors | Username | is | First Name ․ Last Name |
Uploading a User Mapping CSV File
To map your users using a CSV file, you must first prepare the CSV file for import. We offer a CSV file template, or you can prepare a custom CSV file:
- To prepare a CSV file for import using our downloadable template, log in to your KSAT console and navigate to SecurityCoach > Setup > User Mapping Setup > User Mapping CSV. Then, click the Example CSV link to download the template.
- To prepare a custom CSV file for import, see the required and optional CSV file fields in the User Mapping CSV File Fields section of this article.
Important: The email addresses in your CSV file must exist on the Users tab of your KSAT console. If you would like to include a user whose email address isn’t on the Users tab, you will need to add that user to your console before uploading a CSV file.
Once you have prepared a CSV file for import, follow the steps below to import the CSV file and map your users:
- Log in to your KSAT console and navigate to SecurityCoach > Setup > User Mapping Setup.
- Click User Mapping CSV to open the Upload a CSV File page.
- Click Browse and select your CSV file.
- Click Upload CSV.
User Mapping CSV File Fields
To map your users with a custom CSV file, fill out the file with information about your users. For more information about the fields available in the file, see the table below:
CSV File Field | Description |
---|---|
Email | In this field, enter the user’s work email address. This field is required. |
Hostname | In this field, enter the user’s hostname. This field is optional, but the Hostname and Username fields cannot both be empty. |
Username | In this field, enter the user’s username. This field is optional, but the Hostname and Username fields cannot both be empty. |
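A pre-upload check for the field rules above, as an added example that is not part of the KnowBe4 documentation or tooling. It assumes the CSV header names are Email, Hostname, and Username (taken from the field table), that email comparison is case-insensitive, and that you have a list of the email addresses on your Users tab; the sample data is constructed.

```python
import csv
import io

# Assumed header names, compared case-insensitively.
IDENTIFIER_FIELDS = ("hostname", "username")


def validate_mapping_csv(csv_text, console_emails):
    """Return (line_number, problem) tuples for rows that break the field rules."""
    known = {e.strip().lower() for e in console_emails}
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = {(h or "").strip().lower() for h in (reader.fieldnames or [])}
    if "email" not in headers:
        return [(1, "Email column is missing")]
    problems = []
    for row in reader:
        line = reader.line_num  # header is line 1, first data row is line 2
        # Skip the None key that DictReader uses for surplus cells.
        clean = {k.strip().lower(): (v or "").strip()
                 for k, v in row.items() if k is not None}
        email = clean.get("email", "").lower()
        if not email:
            problems.append((line, "Email is required"))
        elif email not in known:
            # The address must already exist on the Users tab.
            problems.append((line, "email is not on the Users tab: " + email))
        if not any(clean.get(f) for f in IDENTIFIER_FIELDS):
            problems.append((line, "Hostname and Username cannot both be empty"))
    return problems


# Constructed sample input: one valid row and three rows that break a rule.
SAMPLE_CSV = "\n".join([
    "Email,Hostname,Username",
    "alice@example.com,ALICE-LT01,alice",
    "bob@example.com,,",
    ",CAROL-PC,carol",
    "dave@example.com,DAVE-PC,",
]) + "\n"
# Constructed stand-in for the addresses on the console's Users tab.
CONSOLE_EMAILS = ["alice@example.com", "bob@example.com"]

if __name__ == "__main__":
    for line, problem in validate_mapping_csv(SAMPLE_CSV, CONSOLE_EMAILS):
        print(f"line {line}: {problem}")
```

Rows reported here would either fail the documented requirements or reference a user who must be added to the console first.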
Using the Unmapped Vendor Data Report
The Unmapped Vendor Data Report displays unmapped event and unmapped identifier data from your vendors. These are events and identifiers from your integrated vendors that are not currently mapped to a user in your KSAT console. You can use this information to map new users or update the mapping for existing users, then rerun user mapping to map the events to users.
To use the Unmapped Vendor Data Report to display unmapped events or unmapped identifiers, see the subsections below.
Unmapped Events Report Type
To view the Unmapped Events report type in your Unmapped Vendor Data Report, follow the steps below:
- Log in to your KSAT console and navigate to SecurityCoach > Setup > User Mapping Setup.
- In the Reports section, click Unmapped Vendor Data Report.
- From the Report Type filter, select Unmapped Events. For more information about the Unmapped Events report type, see the screenshot and list below:
- Report Type: Use this filter to select between displaying Unmapped Events data or Unmapped Identifiers data.
- Vendor: Use this filter to select one or more vendors to display event data for.
- Date Range: Use this filter to select the date range to display data for.
- View Report: Click this button to generate report data from your selected criteria.
- Generate CSV: Click this button to generate a CSV file of the report.
- Add or Remove Columns: Use this dropdown to customize which columns are displayed in the table.
- Rerun Event Mapping: Click this button to rerun user mapping and map the events to users.
Tip: We recommend mapping additional users before clicking this button.
- View Event Mapping Reruns: Click this button to view your history of user mapping reruns.
Unmapped Identifiers Report Type
To view the Unmapped Identifiers report type in your Unmapped Vendor Data Report, see the steps below:
- Log in to your KSAT console and navigate to SecurityCoach > Setup > User Mapping Setup.
- In the Reports section, click Unmapped Vendor Data Report.
- From the Report Type filter, select Unmapped Identifiers. For more information about the Unmapped Identifiers report type, see the screenshot and list below:
- Report Type: Use this filter to select between displaying Unmapped Events data or Unmapped Identifiers data.
- Vendor: Use this filter to select one or more vendors to display event data for.
- Date Range: Use this filter to select the date range to display data for.
- View Report: Click this button to generate report data from your selected criteria.
- Generate CSV: Click this button to generate a CSV file of the report.
- Add or Remove Columns: Use this dropdown to customize which columns are displayed in the table.
- Rerun Event Mapping: Click this button to rerun user mapping and map the events to users.
Tip: We recommend mapping additional users before clicking this button.
- View Event Mapping Reruns: Click this button to view your history of user mapping reruns.
Once you have generated the Unmapped Identifiers report type data, you can also connect these identifiers to your users. To connect unmapped vendor identifiers to your KSAT users from the Unmapped Identifiers report type page, see the steps below:
- Under the Identifier table column, navigate to the identifier you wish to map and click + Connect User Email under the identifier.
- A Create User Alias pop-up window will open. From this pop-up window, use the KSAT Email Address field to search for the KSAT user you wish to connect to the vendor identifier.
Tip: Click the arrow on the right side of the KSAT Email Address field to open a drop-down menu containing all your users. You can then scroll down and select a user from this list.
- Click OK to confirm.
Mapping Recommendations
SecurityCoach makes recommendations for mapping your KSAT users to various identifiers. To view your recommendations, use the Automatic Device Discovery feature, our user mapping recommendations, and the Discovered Users Report.
For more information about these recommendation options, see the subsections below.
Automatic Device Discovery
The Automatic Device Discovery feature automatically maps users to devices using the data from your integrated vendors. You can then review these mappings on the User Mapping View page.
To enable the Automatic Device Discovery feature, follow the steps below:
- Log in to your KSAT console and navigate to SecurityCoach > Setup > User Mapping Setup.
- Enable Automatic Device Discovery by clicking the toggle on the right side of the page.
User Mapping Recommendations
Our user mapping recommendations help map your users to various identifiers. You can accept or reject these recommendations.
To review your user mapping recommendations, follow the steps below:
- Log in to your KSAT console and navigate to SecurityCoach > Setup > User Mapping Setup.
- From the menu on the left side of the page, select User Mapping Setup.
- Click User Mapping Recommendations. For more information about your user recommendations, see below:
- Search: Use this search bar to filter the list by first name, last name, or email.
- + Filters: Click this button to filter the list of recommended mappings by Active Users, Archived Users, or Confidence Score.
- Approve Selected: Click this button to approve the selected mappings in the table.
- Reject Mapping: Click this button to reject the selected mappings in the table.
- User Mapping Recommendations table: This table lists mapping recommendations by Confidence Score. The Confidence Score is a number between 0 and 100 with higher scores indicating a greater confidence that the match is correct. For each recommendation, you can see the email, first name, last name, status, and Confidence Score of the email being recommended to be mapped to the alias.
Note: An alias may have more than one recommendation available.
Discovered Users Report
The Discovered Users Report displays users who may not have been created in your KSAT console, based on data from your integrated vendors. This report is enabled by default.
To view the Discovered Users Report, follow the steps below:
- Log in to your KSAT console and navigate to SecurityCoach > Setup > User Mapping Setup.
- Click Discovered Users.
Viewing Your Mapped Users
Once you have mapped your users, you can view your mappings at any time. To view your user mappings, follow the steps below:
- Log in to your KSAT console and navigate to SecurityCoach > Setup > User Mapping Setup.
- Click the Review Mapped Users button. For more information about the fields on this page, see the screenshot and list below:
- Search: Use this search bar to filter the user list by keyword.
- Show/Hide Columns: Click the gear icon to show or hide columns in the table.
- This table displays your current user mappings.
- Edit: Click this pencil icon to open the Mapped User pop-up window. This pop-up window is used to add, remove, and edit existing mappings for the user.