Smart Groups

Share

Is this article helpful?

Last updated:

Smart Groups Glossary of Criteria Types

If you’re a Platinum or Diamond customer, you can use our Smart Groups feature to create dynamic user groups based on a custom set of criteria. By creating Smart Groups, you can automate phishing, training, and reporting processes in your KSAT console.

If you’ve never created a Smart Group, we recommend starting with our What Are Smart Groups? article to learn what Smart Groups are and how you can use them. You can also view our Smart Groups Quickstart Guide to learn how to create Smart Groups.

In this glossary, you will learn about the available Smart Group criteria types and how you can use them to automate processes in your KSAT console.

Criteria Options

Some Smart Group criteria types also include criteria options. We offer two types of criteria options: Time Frame options and Phish Event options. These options allow you to further customize your Smart Groups to meet your organization’s needs.

To learn about each of these options, see the Time Frame Options and Phish Event Options subsections below.

Time Frame Options

The Range, Duration, and Any criteria types also include Time Frame options.

The Range option is best for Smart Groups that depend on a specific period of time. For example, to create a Smart Group of all users who have failed a phishing test from 1/1/2022 to 4/1/2022, you could use the Range criteria option.

The Duration option is best for Smart Groups that should change continuously over time. For example, if you would like to create a group of users who have failed a phishing test in the past month, you could set a Duration of In the last 4 weeks instead of setting a specific date range. This option will allow your Smart Group to stay accurate over time.

The Any option is best for Smart Groups that do not depend on a specific time frame. For example, if you create a Smart Group to automatically assign annual training to your users, you could set a time frame of Any. In this example, new hires would be added to the Smart Group as you add them to your KSAT console, and existing users would not be removed from the group over time.

To learn how to set up each Time Frame Option, click the tabs below:

Range

Click the Range option to only use information from a specific date range. You can use this option to set three types of date ranges:

  • Specific start and end dates
  • On or after a specific date
  • On or before a specific date

For more information on these options, see the table below.

Specific Start and End Dates

To set a specific start and end date, follow the steps below:

  1. Click the first calendar icon and select your desired start date.
  2. Click the second calendar icon and select the day after your desired end date.
Note: The KSAT console calculates date ranges in UTC (-00:00). We recommend adding one day to the end of your desired end date to account for any time zone differences. For example, if you would like to create a Smart Group of users who failed phishing tests between 7/21/2022 and 7/31/2022, set the date range as 7/21/2022 to 8/01/2022.

On or After a Specific Date

To specify your criteria by events that occurred on or after a specific date, click the first calendar icon and select your desired start date. Leave the second date field blank.

On or Before a Specific Date

To specify your criteria by events that occurred on or before a certain date, click the second calendar icon and select your desired end date. Leave the first date field blank.

Duration

Click the Duration option to specify your criteria using relative duration. You can choose either Prior to the last or In the last. Then, you can choose a specific number of days, weeks, or months.

To set a duration, follow the steps below:

  1. From the drop-down menu below the Duration button, select Prior to the last or In the last.
  2. In the second field, set the number for the duration. You can enter a number into the field or click the plus and minus buttons to change the number.
  3. From the second drop-down menu, select a unit of time. You can choose Days, Weeks, or Months.

Any

Click the Any option to include any time since you created your KnowBe4 account, including future events. The Smart Group will update continuously as time passes.

Phish Event Options

The Phish Event, PhishFlip Event, and After Training criteria types require you to select a Phish Event option. A phish event is what happens when a user receives a Phishing Security Test (PST).

Each email sent in a phishing campaign is a PST. If a user interacts with the email in an unsafe way, that action is considered a failure and the user fails the test. Phishing campaigns can test multiple attack vectors, so a user could have multiple failures from one failed PST. For example, if a user clicks on a simulated phishing link and enters data on a landing page in the same PST, the user will have two failures but only fail one PST. You can use the Phish Event criteria type to filter by either one of these metrics.

You can use the Phish Event options to filter by specific types of failures in your Smart Group. For more information about the Phish Event options, see the table below.

Phish Event Option Function
Failed Phishing Test This option counts the number of PSTs that a user failed.
Passed Phishing Test This option counts the number of PSTs that a user has received and not failed.
Any Failures This option counts the number of failures that a user has had, including failures from callback phishing or QR code phishing.
Any Failures But Clicks This option counts the number of failures that a user has had, excluding failures where the user clicked on a simulated phishing link.
Clicked This option counts the number of simulated phishing links a user has clicked.
Replied This option counts the number of times a user has replied to a PST.
Opened Attachment This option counts the number of times a user has opened an attachment from a PST.
Enabled macro This option counts the number of times a user has enabled macros in an attachment from a PST.
Entered data This option counts the number of times a user has entered information on a data-entry landing page that was linked in a PST.
Scanned QR Code This option counts the number of times a user has failed a QR Code PST.
Callback This option counts the number of times a user has entered the callback code in a callback phishing email.
Callback Entered Data This option counts the number of times a user has entered the secondary callback code in a callback phishing email.
Reported

This option counts the number of times a user reported a PST using the Phish Alert Button (PAB).

This option includes all users who reported the PST, even if they failed the test before or after reporting it.
Delivered This option counts the number of times a user has received a PST.
Bounced

This option counts the number of times a user was sent a PST but did not receive it.

You can view the reason for the bounced email in the Users tab of an individual campaign. For more information, see our How to Monitor and Review Phishing Campaigns article.
Opened This option counts the number of PSTs opened by a user, regardless of whether the user failed the test.

User Criteria

You can use our User Field and User Date criteria types to customize your Smart Groups based on specific user details.

To learn about each of these options, see the User Field and User Date subsections below.

User Field Criteria

The User Field criteria type filters users based on the fields in their User Information tab. This criteria type includes fields from your KSAT console, such as Job Title and Location.

You can also include a Custom Field to meet your organization’s needs. For example, if your organization has offices in multiple countries, you can add each country to a Custom Field. Then, you can include this Custom Field in your User Field criterion to group users by country. You can create Smart Groups to assign specific phishing or training to users based on the country where their office is located.

For more information about each User Field option, see below:

  1. User Field: Select the field that you would like to filter by. You can choose from several options, such as First Name, Location, Group Name, and Job Title.
  2. Condition: Select Must or Must Not.
  3. Comparison: Select a comparison filter, such as Equal or Starts With. Values: In the field, enter the specific value that you would like to filter by. For example, enter “Southwest" for location or “20" for Phish-prone Percentage. You can also leave this field blank if you don’t have a specific value you want to filter by. This field is not case sensitive.

The example screenshot above would create a finished criterion that states:

User Field The Phish-prone Percentage must be greater than 50.

User Date Criteria

The User Date criteria type filters by user-specific dates. For more information about each option, see below:

  1. Condition: Select Must or Must Not.
  2. Date Type: Select a date type, such as Created, Last Login, or Employee Start Date. You can also set your own custom fields.
  3. Time Frame: For more information about this option, see the Time Frame Options section of this article.

The example screenshot above would create a finished criterion that states:

User Date User must have been created from 01/01/2022 through 05/01/2022.

Event Criteria

You can use our Event Criteria types to customize your Smart Groups based on your users’ actions.

To learn about each of these options, see the Phish Event, PhishFlip Event, Breach Event, PasswordIQ Event, PasswordIQ State, and Custom Event subsections below.

Phish Event Criteria

The Phish Event criteria type filters users based on their actions with simulated phishing tests. For information about each option, see below:

  1. Condition: Select Must or Must Not.
  2. Phish Event: For more information, see the Phish Event Options section of this article.
  3. Comparison: Select Equal, Greater than, or Less than.
  4. Count: Set a count for this criterion. You can either enter a number into the field or click the plus and minus buttons to change the value.
  5. Time Frame: For more information, see the Time Frame Options section of this article.

The example screenshot above would create a finished criterion that states:

Phish Event User must not have had enabled a macro more than 1 times.

PhishFlip Event Criteria

The PhishFlip Event criteria type filters users based on their actions with simulated phishing tests from a PhishFlip campaign. This criteria type is only available if you’re using our PhishER and PhishFlip features. For more information about each option, see below:

  1. Condition: Select Must or Must Not.
  2. PhishFlip Event: For more information, see the Phish Event Options section of this article.
  3. Comparison: Select Equal, Greater than, or Less than.
  4. Count: Set a count for this criterion. You can either enter a number into the field or click the plus and minus buttons to change the value.
  5. Time Frame: For more information, see the Time Frame Options section of this article.

The example screenshot above would create a finished criterion that states:

PhishFlip Event User must not have clicked on a flipped phishing email more than 1 times.

Breach Event Criteria

The Breach Event criteria type filters users based on whether they have been involved in a data breach.

When an Email Exposure Check Pro (EEC Pro) scan finds that a user has been involved in a data breach, this event will be automatically added to the user’s User Timeline. For more information about each option, see below:

  1. Condition: Select Must or Must Not.
  2. Breach Event: Select Security Breach. This option is the only option and includes all reported data breaches.
  3. Comparison: Select Equal, Greater than, or Less than.
  4. Count: Set a count for this criterion. You can either enter a number into the field or click the plus and minus buttons to change the value.
  5. Time Frame: For more information, see the Time Frame Options section of this article.

The example screenshot above would create a finished criterion that states:

Breach Event User must have been in a security breach more than 1 time.

PasswordIQ Event Criteria

The PasswordIQ Event criteria type filters users based on their password vulnerability detection status. For information about each option, see below:

  1. Condition: Select Must or Must Not.
  2. PasswordIQ Event: Select Any Status Change, Status Change, or Initial Scan. For more information about these options, see below:
    • Any Status Change: This option finds all users for the detection status, regardless of whether they were detected or not detected.
    • Status Change: This option finds only users who match the detection status specified.
    • Initial Scan: This option finds users in the first scan you run after installing PasswordIQ to assess your Active Directory for password vulnerabilities. This initial scan is crucial for establishing a baseline of password issues in your organization.
  3. Vulnerability: For more information, read the PasswordIQ Dashboard Guide.
  4. Detection Status: Select Detected or Not Detected.
  5. Matcher: Select Equal, Greater than, or Less than.
  6. Count: Set a count for this criterion. You can enter a number into the field or select the plus and minus buttons to change the value.
  7. Time Frame: For more information, see the Time Frame Options section of this article.

The example screenshot above would create a finished criterion that states:

PasswordIQ Event User must have an event for Status Change in a detected state for Weak Password detection(s) more than 1 times.

PasswordIQ State Criteria

The PasswordIQ State criteria type filters users based on whether their password was detected to have a vulnerability. For information about each option, see below:

  1. Vulnerability: For more information, read the PasswordIQ Dashboard Guide.
  2. Detection Status: Select Detected or Not Detected.

The example screenshot above would create a finished criterion that states:

PasswordIQ State User has any vulnerability in a detected state.

Custom Event Criteria

The Custom Event criteria type filters users based on external user data imported into your KSAT console using the User Event API.

Note: The Custom Event criteria type will not become available until you import custom events into your KSAT console.

For more information about each option, see below:

  1. Condition: Select Must or Must Not.
  2. Event Type: Select the event type that you created using the User Event API.
  3. Event Source (optional): Select a specific source previously created for this event.
  4. Event External ID (optional): Select the specific external ID previously created for this event.
  5. Description (optional): Enter the word or phrase within the description of the custom event. This option is not case sensitive.
  6. Matcher: Select Equal, Greater than, or Less than.
  7. Count: Set a count for this criterion. You can enter a number into the field or click the plus and minus buttons to change the value.
  8. Time Frame: For more information, see the Time Frame Options section of this article.

The example screenshot above would create a finished criterion that states:

Custom Event User must have the specified Example Event more than 3 times.

Training and Assessment Criteria

Our Training, After Training, and Assessment criteria types allow you to customize your Smart Groups based on the courses and assessments your users have taken.

To learn about each of these options, see the Training, After Training, SecurityCoach Detection Rules, SecurityCoach Real-Time Coaching, and Assessment subsections below.

Training Criteria

The Training criteria type filters users based on their involvement in training campaigns. For information about each option, see below:

  1. Condition: Select Must or Must Not.
  2. Training Event: Select Enrolled, Started, or Completed. For more information about these options, see below:
    • Enrolled: This option finds users who have been assigned training content. Depending on the Scope option you choose in step 3, this can refer to a specific training module, a specific training campaign, or all available training assignments.
    • Started: This option finds users who have partially completed a piece of training content. If a user opens the content but does not start working on it, this also counts as starting a training module.
    • Completed: This option filters users who have fully finished a piece of training content.
  3. Scope: Select Any Selected, All Selected, or Any Available. For more information about these options, see below:
    • Any Selected: This option lets you choose one or more training modules from your Library. To join the Smart Group, users must have interacted with at least one of the modules you choose. You can use this option for detailed reports on your users’ progress in specific modules.
    • All Selected: This option lets you choose one or more training modules from your Library. To join the Smart Group, users must have interacted with all of the content you choose. This option is ideal for tracking your users’ progress in a specific training campaign that includes multiple courses.
    • Any Available: This option includes all assignments available to your users. This option works well for tracking your users’ overall training progress.
  4. Assignments: Select one or more training assignments. You can enter the assignment name in the field or select the assignment from the drop-down menu. If you selected Any Available for the Scope, you will not see this field. For more information about adding training assignments to your library, see our ModStore and Library Guide.
  5. Time Frame: For more information, see the Time Frame Options section of this article.

The example screenshot above would create a finished criterion that states:

Training User must have started all of these 2 assignments in the last 2 months.
Important: If you have enabled Optional Learning for your organization, users could enroll themselves in or complete the training content selected for this criteria. This scenario is unlikely, but these actions could impact whether the user is added to the Smart Group.

After Training Criteria

The After Training criteria type filters users based on their actions with simulated phishing tests after they complete training assignments. For more information about each option, see below:

  1. Condition: Select Must or Must Not.
  2. Phish Event: For more information, see the Phish Event Options section of this article.
  3. Training Event: Select Enrolled, Started, or Completed.
  4. Assignments: Select one or more training assignments. You can enter the assignment name in the field or select the assignment from the drop-down menu. If you selected Any Available for the Scope, you will not see this field. For more information about adding training assignments to your library, see our ModStore and Library Guide.

The example screenshot above would create a finished criterion that states:

After Training User must have reported a phishing email after completing Using the Phish Alert Button: Report Suspicious Emails.

SecurityCoach Detection Rules Criteria

The SecurityCoach Detection Rules criteria type identifies user behavior based on data from integrated security vendors and KnowBe4. For information about each option, see below:

  1. Condition: Select Must or Must Not.
  2. Detection Rules: For more information, see the Detection Rules Guide and System Detection Rules by Vendor article.
  3. Comparison: Select Equal, Greater Than, or Less Than.
  4. Count: Set a count for this criterion. You can enter a number into the field or select the plus and minus buttons to change the value.
  5. Time Frame: For more information, see the Time Frame Options section of this article.

The example screenshot above would create a finished criterion that states:

SecurityCoach Detection Rules User must have triggered 1 detection rules more than 1 times.

SecurityCoach Real-Time Coaching Criteria

The SecurityCoach Real-Time Coaching criteria type identifies users enrolled in SecurityCoach real-time coaching campaigns. For information about each option, see below:

  1. Condition: Select Must or Must Not.
  2. Real-Time Coaching Campaigns: Select one of your real-time coaching campaigns, which can be customized. For more information, see the Working with Real-Time Coaching Campaigns article.
  3. Comparison: Select Equal, Greater Than, or Less Than.
  4. Count of Coaching Notifications Delivered: Set a count for this criterion. You can enter a number into the field or select the plus and minus buttons to change the value.
  5. Time Frame: For more information, see the Time Frame Options section of this article.

The example screenshot above would create a finished criterion that states:

SecurityCoach Real-Time Coaching User must have been sent more than 1 SecurityTip for the 1 selected campaign.

Assessment Criteria

The Assessment criteria type filters users based on their Security Awareness Proficiency Assessment (SAPA) scores. For more information, see below:

  1. Condition: Select Must or Must Not.
  2. Scope: Select Any Selected, All Selected, or Entire Assessment. The Entire Assessment option includes all the SAPA Knowledge Areas. If you select this option, the Knowledge Areas field will not be visible.
  3. Knowledge Areas: Select one or more options.
  4. Comparison: Select Equal, Greater than, or Less than.
  5. Score: Set your desired proficiency score. You can enter a number into the field or click the plus and minus buttons to change the value.

  6. Time Frame: For more information, see the Time Frame Options section of this article.

    Note: The Assessments criteria type has an additional time frame option: Most Recent. If you select the Most Recent option, only the latest completed assessment score will be included in the criterion.

The example screenshot above would create a finished criterion that states:

Assessment User must have scored more than 80% in Social Media in the latest completed.

SmartRisk Engine Criteria

You can use our SmartRisk Engine criteria to filter users based on Risk Score or security types, which are two different criteria with different capabilities. To learn about each of these options, see the Risk Score Criteria and Security Type Criteria subsections below.

Risk Score Criteria

The Risk Score criteria allow you to filter users by their Risk Scores. For more information about each option, see below:

Replace this with your alt text 
  1. Score Type: Select Risk Score out of the two options, Risk Score and Security Type.
  2. Condition: Select Must or Must Not.
  3. Comparison: Select Equal, Greater Than, Less Than, Increase By, or Decrease By.
  4. Value: In the field, enter the numerical value that you would like to filter by. To change the value, you can either enter a number into the field or hover your mouse over the field and click the up and down arrows.
  5. Time Frame: For more information, see the Time Frame Options section of this article.

The example screenshot above would create a finished criterion that states:

SmartRisk Engine The Risk Score must increase by 2 on or after 09/01/2025.

Security Type Criteria

The Security Type criteria allow you to filter users by their security type scores. For more information about each option, see below:

Replace this with your alt text 
  1. Score Type: Select Security Type out of the two options, Risk Score and Security Type.
  2. Security Type: Select a security type from Data Security, Web Security, Email Security, Account Hygiene, Compliance Electives, Physical Security, and Endpoint Security.
  3. Condition: Select Must or Must Not.
  4. Comparison: Select Equal, Greater Than, or Less Than.
  5. Value: In the field, enter the numerical value that you would like to filter by. To change the value, you can either enter a number into the field or hover your mouse over the field and click the up and down arrows.

The example screenshot above would create a finished criterion that states:

SmartRisk Engine The data security type score must be equal to 5.

Was this article helpful?

7 out of 7 found this helpful

Can't find what you're looking for?

Contact Support