Knowbe4 to Splunk

How to Ingest Knowbe4 Data to Splunk using HEC Tokens

R. Eric Kiser
InfoSec Write-ups


KnowBe4, as a leading provider of security awareness training and simulated phishing campaigns, offers invaluable insights into an organization’s security posture. By integrating KnowBe4 data into Splunk, organizations can leverage the power of advanced analytics and real-time monitoring to detect, investigate, and respond to potential security threats promptly.

Getting PhishER data into Splunk using the HTTP Event Collector

  • Navigate to Settings in Splunk and choose Data inputs.
  • Choose HTTP Event Collector.
  • You will see the following screen.
  • Click the “New Token” button at the top right, enter a name (in this case, knowbe4), and click Next.
  • Leave the source type as Automatic (this can be changed later if necessary) and click Next.
  • Be sure to choose your default index (the index you want the data to go to).
  • Click Submit.

You will get a “Token successfully created” message. Treat the token value as a credential: anyone who holds it can write events into the index you selected.

Sending the Data from Knowbe4

  • Navigate to your Account settings > Account Integrations > Webhooks
  • Click on the Create button
  • Change the Name to your desired webhook name
  • KnowBe4 sends the webhook payload as raw data, so the HEC endpoint must be the raw collector URL shown below. Be sure to replace the instance name with your own Splunk location:

https://http-inputs-my-splunk-instance.splunkcloud.com/services/collector/raw

  • The authentication type is Bearer Token; add your HEC token from Splunk here (redacted in the image below).

Setting up the Headers

For the custom headers, type Authorization as the key and Splunk <tokenhere> as the value. It is important that the A in Authorization and the S in Splunk are capitalized, and that there is a single space between Splunk and the token value; Splunk HEC rejects the request otherwise.

KEY = Authorization VALUE = Splunk YOUR_TOKEN

  • Choose the events you want to collect and save the webhook
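Before saving the webhook, it is worth confirming that the URL and the Authorization header are accepted by Splunk, since KnowBe4 gives little feedback when a delivery fails. The following script is an added example, not code from the original post or from KnowBe4 or Splunk. It assumes the raw-collector URL pattern and the `Splunk <token>` header format described above, that Splunk issues HEC tokens as 36-character UUIDs, and that HEC answers a successful POST with JSON containing `"code":0`. The sample event is constructed and does not reproduce KnowBe4's actual payload layout.

```shell
#!/bin/sh
# Added example (not from the original post): check a Splunk HEC raw endpoint
# with a constructed KnowBe4-style event before wiring up the KnowBe4 webhook.
# Assumptions: SPLUNK_HOST and HEC_TOKEN are supplied by the operator and
# curl is installed. Nothing here is real KnowBe4 output.

# Build the raw-collector URL from the Splunk host name.
hec_raw_url() {
    printf 'https://%s/services/collector/raw\n' "$1"
}

# Build the Authorization header exactly as KnowBe4 must send it:
# capital "Splunk", one space, then the token.
hec_auth_header() {
    printf 'Authorization: Splunk %s\n' "$1"
}

# Catch copy/paste mistakes early: a HEC token is a 36-character UUID
# (assumption stated in the lead-in). Returns 0 if the token looks right.
hec_token_looks_valid() {
    printf '%s' "$1" | grep -Eq \
        '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
}

# HEC replies with JSON such as {"text":"Success","code":0} on success;
# any other code (for example 4 for an invalid token) means the event was
# not indexed. Returns 0 only for code 0.
hec_response_ok() {
    printf '%s' "$1" | grep -Eq '"code": *0([^0-9]|$)'
}

# Constructed sample event standing in for a KnowBe4 training notification.
SAMPLE_EVENT='{"event_type":"training_completed","user":"jdoe@example.com","note":"constructed sample"}'

# POST the sample event and print HEC's JSON reply so it can be inspected.
send_test_event() {
    host="$1"; token="$2"; payload="$3"
    if ! hec_token_looks_valid "$token"; then
        echo "token does not look like a HEC UUID; check for stray spaces" >&2
        return 1
    fi
    reply=$(curl -sS -X POST "$(hec_raw_url "$host")" \
        -H "$(hec_auth_header "$token")" \
        -H 'Content-Type: text/plain' \
        --data "$payload")
    echo "$reply"
    hec_response_ok "$reply"
}

# Usage: SPLUNK_HOST=http-inputs-<instance>.splunkcloud.com HEC_TOKEN=<uuid> sh hec_check.sh
if [ -n "${SPLUNK_HOST:-}" ] && [ -n "${HEC_TOKEN:-}" ]; then
    send_test_event "$SPLUNK_HOST" "$HEC_TOKEN" "$SAMPLE_EVENT" \
        && echo "HEC accepted the event; the webhook header and URL are correct."
fi
```

After a successful run, search the index you chose for the token (the constructed event carries `"note":"constructed sample"`) to confirm the data landed where the dashboard will look for it.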

Data is organized as shown in the image below. You can now parse the fields you want and build out a dashboard with the needed data.

Here is an example of a filter for a dashboard that shows the users who have started or completed the training.

Conclusion

Knowbe4 to Splunk integration enables security teams to gain a comprehensive understanding of user behavior, phishing susceptibility, and training effectiveness, allowing them to identify vulnerabilities, prioritize remediation efforts, and enhance their overall security strategy. The combination of KnowBe4’s rich training and phishing data with Splunk’s robust data analysis capabilities empowers organizations to proactively strengthen their security defenses, mitigate risks, and protect sensitive information from ever-evolving cyber threats. Ultimately, the collection of KnowBe4 data in Splunk serves as a critical step towards building a resilient cybersecurity framework that promotes a culture of security awareness and empowers organizations to stay one step ahead in the ongoing battle against cybercrime.


R. Eric Kiser is a highly skilled certified information security manager with 10+ years of experience in the field.