KnowBe4

This article covers steps to connect KnowBe4 security training to Drata.

Written by Faraz Yaghouti
Updated over a week ago

Connecting your KnowBe4 account will automate the evidence collection process when your personnel completes any assigned training (Security Awareness, HIPAA, or AI Awareness). You will determine which KnowBe4 campaigns belong to which training and Drata will retrieve completion of those campaigns as evidence.

BEFORE DIVING IN

Before setting up the KnowBe4 connection, you must have the following prerequisites in place.

  • Access to KnowBe4’s Reporting API which is available for Platinum and Diamond customers. Learn more about KnowBe4's Reporting API.

  • Have at least one campaign in your KnowBe4 account with one of the following statuses: Created, Pending, In Progress, Active, Canceled, Closed.

  • Ensure that all personnel are enrolled in the correct KnowBe4 campaigns.

How Drata Determines Training Compliance

For each person, Drata determines training compliance based on campaign selection, enrollment, and completion status.

Campaign Selection

Select the campaigns under the "Security Training Campaigns" in the KnowBe4 connection drawer.

If you have the HIPAA or NIST AI frameworks enabled, you can select the campaigns related to each training. If you are not using KnowBe4 for a specific training, you do not need to select the campaigns for it. Drata considers only the campaigns that are selected within the connection drawer.

Example with Security Training:

Security Campaigns

  ☑ Campaign A

  ☑ Campaign B

  ☐ Campaign C

Enrollment and completion status

Drata maps the selected campaigns to Security Awareness Training requirements and verifies who is enrolled in the campaigns. Each individual is required to complete all the selected campaigns they are enrolled in to count towards completion of Security Awareness Training.

Drata Compliance Example:

  (Selected) Campaign A
    Enrollment: 👩‍🚀 🧙‍♀️ 🦸‍♀️
    Completion: 🟢 🛑 🟢

  (Selected) Campaign B
    Enrollment: 👩‍🚀 🧙‍♀️ 🥷
    Completion: 🟢 🟢 🛑

  (Not selected) Campaign C
    Enrollment: 👩‍🚀 🧙‍♀️ 🦸‍♀️ 🥷
    Completion: 🟢 🛑 🟢 🛑

In the previous table, we have 4 representative individuals.

  • 👩‍🚀 : Enrolled in both selected campaigns for Security Awareness Training and has completed both. They will be marked as compliant in Drata for Security Training.

  • 🧙‍♀️: Enrolled in both selected campaigns for Security Awareness Training, but has only completed one. They will not be marked as compliant in Drata for Security Training.

  • 🦸‍♀️: Enrolled in one selected campaign for Security Training and has completed it. They will be marked as compliant in Drata for Security Training.

  • 🥷: Enrolled in one selected campaign for Security Training, but has not completed it. They will not be marked as compliant in Drata for Security Training.

Note: While all 4 individuals are enrolled in Campaign C, it is not selected and is ignored by Drata.

Character | Campaign A   | Campaign B   | Campaign C   | Overall Status for Security Training
👩‍🚀        | Enrolled: 🟢 | Enrolled: 🟢 | Not Selected | 🟢 2
🧙‍♀️        | Enrolled: 🛑 | Enrolled: 🟢 | Not Selected | 🛑 1/2
🦸‍♀️        | Enrolled: 🟢 | Not Enrolled | Not Selected | 🟢
🥷        | Not Enrolled | Enrolled: 🛑 | Not Selected | 🛑

The same applies for HIPAA and AI Awareness training. If there is a campaign shared across multiple trainings, completion of that campaign will count towards respective training requirements accordingly.

Persistence

Drata only syncs training for individuals that are not yet compliant.

Once individuals are marked compliant for a training, Drata stops syncing their status from KnowBe4. This ensures that changes in KnowBe4 do not errantly overwrite that individual’s compliant status in Drata.

To reset one or more individual’s security awareness, go to https://help.drata.com/en/articles/5832422-reset-security-awareness-training
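The following is an added example, not Drata's or KnowBe4's code, that models the compliance rule from "How Drata Determines Training Compliance" together with the persistence rule above: a person is compliant when they have completed every selected campaign they are enrolled in, unselected campaigns are ignored, and anyone already marked compliant is skipped on later syncs so KnowBe4 changes cannot overwrite that status. The roster is constructed to mirror the four example individuals; the data structures and function names are assumptions, and treating a person enrolled in no selected campaign as not compliant is an assumption the article does not state.

```python
# Added example (not Drata's or KnowBe4's code): a model of the campaign
# selection / enrollment / completion rule and the persistence rule.
# Names, data structures and the sample roster are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Enrollment:
    campaign: str
    completed: bool


@dataclass
class Person:
    name: str
    enrollments: list  # list[Enrollment]


def is_compliant(person, selected_campaigns):
    """True if the person has completed every selected campaign they are
    enrolled in. Campaigns that are not selected are ignored entirely.
    Assumption (not stated in the article): a person enrolled in no selected
    campaign is treated as not compliant."""
    relevant = [e for e in person.enrollments if e.campaign in selected_campaigns]
    if not relevant:
        return False
    return all(e.completed for e in relevant)


def sync_training(roster, selected_campaigns, already_compliant):
    """Model of the nightly sync with the persistence rule: individuals already
    marked compliant keep that status and are not re-evaluated, so later
    changes in KnowBe4 cannot overwrite it. Returns the updated status map."""
    status = dict(already_compliant)
    for person in roster:
        if status.get(person.name):
            continue  # persistence: skip individuals already compliant
        status[person.name] = is_compliant(person, selected_campaigns)
    return status


SELECTED = {"Campaign A", "Campaign B"}  # Campaign C deliberately not selected

# Constructed roster mirroring the four example individuals from the article
ROSTER = [
    Person("astronaut", [Enrollment("Campaign A", True),
                         Enrollment("Campaign B", True),
                         Enrollment("Campaign C", True)]),
    Person("wizard", [Enrollment("Campaign A", False),
                      Enrollment("Campaign B", True),
                      Enrollment("Campaign C", False)]),
    Person("superhero", [Enrollment("Campaign A", True),
                         Enrollment("Campaign C", True)]),
    Person("ninja", [Enrollment("Campaign B", False),
                     Enrollment("Campaign C", False)]),
]


def run_example():
    """First sync evaluates everyone; the second sync sees KnowBe4 now reporting
    the astronaut's Campaign A as incomplete (constructed change), but the
    persistence rule keeps the astronaut compliant."""
    first = sync_training(ROSTER, SELECTED, {})
    changed = [Person("astronaut", [Enrollment("Campaign A", False),
                                    Enrollment("Campaign B", True)])] + ROSTER[1:]
    second = sync_training(changed, SELECTED, first)
    return first, second


if __name__ == "__main__":
    first, second = run_example()
    for name, ok in first.items():
        print(f"{name:10} {'compliant' if ok else 'not compliant'}")
```

Running the block prints the astronaut and superhero as compliant and the wizard and ninja as not compliant, matching the table above; the second sync leaves the astronaut compliant despite the changed KnowBe4 data, which is exactly why the article points to the reset procedure for cases where that status should be cleared.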

Connect KnowBe4 to Drata

Step 1: Prepare your KnowBe4 Reporting API Token

Note: Access to KnowBe4’s Reporting API is available for Platinum and Diamond customers. Learn more about KnowBe4's Reporting API.

  1. Navigate to the KnowBe4 portal and open ‘Account Settings’ from under your username at the top right of the screen.

  2. On the left side of your screen, select ‘Account Integrations’ -> ‘API’.

  3. Under ‘Reporting API’, select ‘Enable Reporting API Access’.

  4. Select ‘Save Changes’ at the bottom of the screen.

     Note: Failure to complete this step results in an inactive API token and the inability to sync KnowBe4 data to Drata.

  5. Under ‘Reporting API’, copy the ‘API Token’; you will need it in your clipboard for the next section.

  6. Note the base URL of your KnowBe4 portal from your browser’s address bar; you will need it for the next section.

Step 2: Connect KnowBe4 to Drata

  1. Navigate to the Drata portal and login.

  2. In the bottom left of your screen, select 'Connections’.

  3. Search for ‘KnowBe4’ and select ‘Connect’.

You will be prompted to complete the connection with the details you prepared in the previous section.

  • API Token: Paste the KnowBe4 Reporting API Token.

  • Server: Select the server that matches the base URL you noted previously:

    • US for training.knowbe4.com

    • EU for eu.knowbe4.com

    • CA for ca.knowbe4.com

  • Once Drata has established a connection with KnowBe4, you will need to select which campaigns belong to which training. For more detail on campaign logic, go to the previous section, How Drata Determines Training Compliance.

Verify Settings

After connecting KnowBe4 to Drata, you will need to specify which training(s) will be automated by KnowBe4 from your Internal Security settings. Go to the Settings page and then select Internal Security.

On the Internal Security page, you can select "Use KnowBe4 for security awareness training".

My Drata: Employee Onboarding

Once connected, your personnel will see a KnowBe4 branded screen during their onboarding in My Drata, asking them to complete their training in KnowBe4. Below is an example of when KnowBe4 is enabled through internal security settings for Security Awareness Training.

We will update the personnel’s activity nightly and generate the completion certificates for anyone that has completed the assigned training.
