Skip to main content

KnowBe4 API Source


The KnowBe4 API integration collects user events data into Sumo Logic for storage, analysis, and alerting. It ingests events data from the Events API, phishing security tests from the Phishing Security Tests API, and recipient results from the Recipient Results API.


Note that access to KnowBe4 APIs is limited to Platinum and Diamond customers, and the _siemparser is currently only available for the External Events source.


Before you begin setting up your KnowBe4 Source, which is required to connect to the KnowBe4 API, you'll need to configure your integration with the Region and KnowBe4 API Token.


The Region is the region where your KnowBe4 account is located. To know your region, follow the steps below:

  1. Log in to the KnowBe4 application.
  2. At the top of the browser, you will see the Region inside the address bar.
  3. Choose the Region from the dropdown based on the location of your KnowBe4 account. The following are the supported regions:
    • US
    • EU
    • CA
    • UK
    • DE

API Token

The API security token is used to authenticate with KnowBe4 API. To get the KnowBe4 API token, follow the steps below:

  1. Log in to the KnowBe4 application as an Admin user.
  2. Navigate to the Account Settings.
  3. Click Account Integrations from the left menu, and then click API option.
  4. Under the API section, checkmark the Enable Reporting API Access. The KnowBe4 Secure API token is displayed.
  5. Save this API key to use while configuring the Source.
  6. Click Save Changes.

Metadata Field

If the Source is configured with the SIEM forward option, the metadata field _siemparser will be set to /Parsers/System/KnowBe4/KnowBe4 KMSAT.

Data Sources

The KnowBe4 integration fetches two types of data sources for the KnowBe4 account.

  1. Phishing Tests. Our integration fetches a list of all recipients for each phishing security test on the KnowBe4 account.
  2. External Events. Our integration retrieves all user events for the KnowBe4 account. This data type is disabled by default.


A KnowBe4 API integration Source is an integrated Security Awareness Training and Simulated Phishing platform that helps to train users to understand the dangers of spam, phishing, spear phishing, malware, ransomware, and social engineering through simulated phishing and security awareness training.

When a KnowBe4 API Source is created, it goes through the following states:

  1. Pending. Once the Source is submitted, it is validated, stored, and placed in a Pending state.
  2. Started. A collection task is created on the Hosted Collector.
  3. Initialized. The task configuration is completed in Sumo Logic.
  4. Authenticated. The Source is successfully authenticated with KnowBe4.
  5. Collecting. The Source is actively collecting data from KnowBe4.

If the Source has any issues during any one of these states, it is placed in an Error state.

When you delete the Source, it is placed in a Stopping state. When it has successfully stopped, it is deleted from your Hosted Collector.

On the Collection page, the Health and Status for Sources is displayed. Use Health Events to investigate issues with collection.

Hover your mouse over the status icon to view a tooltip with a count of the detected errors and warnings.
hover c2c error.png

Set up KnowBe4 Source

When you create a KnowBe4 API Source, you add it to a Hosted Collector. Before creating the Source, identify the Hosted Collector you want to use or create a new Hosted Collector. For instructions, see Configure a Hosted Collector.

To configure the KnowBe4 API Source:

  1. In Sumo Logic, select Manage Data > Collection > Collection
  2. On the Collectors page, click Add Source next to a Hosted Collector.
  3. Select KnowBe4 icon.
  4. Enter a Name to display for the Source in the Sumo Logic web application. The description is optional.
  5. (Optional) For Source Category, enter any string to tag the output collected from the Source. Category metadata is stored in a searchable field called _sourceCategory.
  6. (Optional) Fields. Click the +Add Field link to define the fields you want to associate. Each field needs a name (key) and value.
    • green check circle.png A green circle with a check mark is shown when the field exists in the Fields table schema.
    • orange exclamation point.png An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo Logic that does not exist in the Fields schema it is ignored, known as dropped.
  7. In Region, choose the region where your KnowBe4 account is located. See Region section to know your Region.
  8. In API Key, authenticate your account by entering your secret API key. You can access your API key or generate a new one from User Event API Management Console. See API Token section.
  9. In Data Types, you can select the Phishing Tests data type to fetch a list of all recipients for each phishing security test on the KnowBe4 account. To retrieve the External User events data, you need to raise a request to Sumo Logic support to enable this data type.
  10. In Phishing Poll Interval, enter the phishing poll interval frequency, which must be between 1 hour and 24 hours.
  11. When you are finished configuring the Source, click Submit.

Error types

When Sumo Logic detects an issue, it is tracked by Health Events. The following table shows three possible error types. It tells the reason for the error, if the source attempts to retry, and the name of the event log in the Health Event Index.

TypeReasonRetriesRetry BehaviorHealth Event Name
ThirdPartyConfigNormally due to an invalid configuration. You'll need to review your Source configuration and make an update.No retries are attempted until the Source is updated.Not applicableThirdPartyConfigError
ThirdPartyGenericNormally due to an error communicating with the third-party service APIs.YesThe Source will retry indefinitely.ThirdPartyGenericError
FirstPartyGenericNormally due to an error communicating with the internal Sumo Logic APIs.YesThe Source will retry indefinitely.FirstPartyGenericError

Restarting your Source

If your Source encounters ThirdPartyConfig errors, you can restart it from either the Sumo Logic UI or Sumo Logic API.


To restart your source in the Sumo Logic platform, follow the steps below:

  1. Open the Collection page, and go to Manage Data > Collection > Collection.
  2. Select the source and click the information icon on the right side of the row.
  3. The API usage information popup is displayed. Click the Restart Source button on the bottom left.
  4. Click Confirm to send the restart request.
  5. The bottom left of the platform will provide a notification informing you the request was successful.


To restart your source using the Sumo Management API, follow the instructions below:

  • Method: POST
  • Example endpoint:{collector_id}/sources/{source_id}/action/restart

Sumo Logic endpoints like are different in deployments outside us1. For example, an API endpoint in Europe would begin A service endpoint in us2 (Western U.S.) would begin For more information, see Sumo Logic Endpoints.

JSON configuration

Sources can be configured using UTF-8 encoded JSON files with the Collector Management API. See how to use JSON to configure Sources for details. 

configJSON ObjectYesContains the configuration-parameters of the
schemaRefJSON ObjectYesUse {"type":"KnowBe4 KMSAT"} for KnowBe4 Source.not modifiable
sourceTypeStringYesUse Universal for KnowBe4 Source.not modifiable

Config Parameters

nameStringYesType the desired name of the Source and it must be unique per Collector. This value is assigned to the metadata field _sourcemodifiable
descriptionStringNoType the description of the Source.modifiable
categoryStringNoType the category of the source. This value is assigned to the metadata field _sourceCategory.modifiable
fieldsJSON ObjectNoJSON map of key-value fields (metadata) to apply to the Collector or Source. Use the boolean field _siemForward to enable forwarding to SIEM.modifiable
regionStringYesRegion of the KnowBe4 application.modifiable
apiKeyStringYesSecret api key to authenticate your account.modifiable
dataTypesArrayYesData sources to fetch from KnowBe4.modifiable
phishingPollIntervalIntegerYesThe Polling interval for phishing data requests. The minimum interval is 1 hour, and the maximum is 24 hours.modifiable

JSON Example

"api.version": "v1",
"source": {
"config": {
"name": "KnowBe4",
"description": "Test Source",
"category": "source_category",
"region": "US",
"apiKey": "************",
"dataTypes": [
"phishingPollInterval": 1
"schemaRef": {
"type": "KnowBe4 KMSAT"
"sourceType": "Universal"


There are two limitations to access KnowBe4 APIs:

  • Access to the KnowBe4 Event APIs is limited to 10 requests per licensed user account per day, with a maximum of 4 requests per second.
  • Access to the KnowBe4 Phishing APIs is limited to 1,000 requests per day plus the number of licensed users on the account. The API allows a maximum of 4 requests per second, and has a burst limit of 50 requests per minute which starts around 5 minutes and the daily limit starts around 24 hours from the first API request.
  • Access to the External Events Data type is disabled by default, and can be enabled on requests. Contact Sumo Logic support to enable this data type.
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.