From knowbe4
Manages KnowBe4 users and groups: lifecycle, risk scores, group membership, and event tracking for security awareness campaigns.
How this skill is triggered — by the user, by Claude, or both
Slash command
/knowbe4:usersWhen to use
When working with user lifecycle management, group creation and membership, risk scores, risk score history, user event tracking. Use when: knowbe4 user, knowbe4 users, knowbe4 group, user risk score, risk score history, user management knowbe4, group management, user provisioning, user status, employee risk, security risk score, or user event.
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Users and groups are the foundation of KnowBe4's security awareness platform. Users represent individual employees who receive phishing simulations and training. Groups organize users for targeted campaign delivery, reporting segmentation, and risk analysis. Each user has a risk score calculated from their phishing test performance and training completion, providing a quantitative measure of hu...
Users and groups are the foundation of KnowBe4's security awareness platform. Users represent individual employees who receive phishing simulations and training. Groups organize users for targeted campaign delivery, reporting segmentation, and risk analysis. Each user has a risk score calculated from their phishing test performance and training completion, providing a quantitative measure of human security risk.
PROVISIONED ──> ACTIVE ──> ARCHIVED
│
└──> SUSPENDED
The KnowBe4 risk score quantifies an individual user's susceptibility to social engineering:
| Score Range | Risk Level | Description |
|---|---|---|
| 0-20 | Low | User consistently passes phishing tests and completes training |
| 20-40 | Moderate-Low | Occasional failures but generally aware |
| 40-60 | Moderate | Average susceptibility, needs regular training |
| 60-80 | High | Frequently fails phishing tests, priority for remediation |
| 80-100 | Critical | Consistently fails tests, immediate intervention needed |
The risk score is influenced by:
| Factor | Weight | Description |
|---|---|---|
| Phishing click rate | High | Percentage of phishing tests clicked |
| Data entry rate | Very High | Submitted credentials on landing pages |
| Training completion | Medium | Percentage of assigned training completed |
| Reporting rate | Medium (positive) | Frequency of reporting phishing via PAB |
| Time to click | Low | How quickly user clicked (impulse vs. deliberate) |
| Recency | Modifier | Recent events weighted more heavily |
| Type | Description | Use Case |
|---|---|---|
| Department | Organizational department (IT, Sales, HR) | Department-specific campaigns |
| Location | Office location or region | Location-based targeting |
| Role-based | Job function (Executive, Manager, Staff) | Role-specific content |
| Risk-based | Grouped by risk score range | Targeted remediation |
| Custom | Manual grouping | Ad-hoc campaigns |
| Smart | Auto-populated based on criteria | Dynamic targeting |
| Field | Type | Description |
|---|---|---|
id | int | Unique user identifier |
employee_number | string | HR employee number |
first_name | string | First name |
last_name | string | Last name |
email | string | Primary email address |
job_title | string | Job title |
department | string | Department name |
location | string | Office location |
division | string | Division |
manager_name | string | Manager's name |
manager_email | string | Manager's email |
employee_start_date | datetime | Hire date |
phish_prone_percentage | float | Individual phish-prone percentage |
current_risk_score | float | Current calculated risk score |
status | string | active, archived, suspended |
groups | array | Groups the user belongs to |
aliases | array | Email aliases |
joined_on | datetime | When user was added to KnowBe4 |
last_sign_in | datetime | Last platform sign-in |
custom_field_1 through custom_field_4 | string | Custom fields |
custom_date_1 | datetime | Custom date field |
organization | string | Organization name |
language | string | Preferred language |
comment | string | Admin notes |
| Field | Type | Description |
|---|---|---|
group_id | int | Unique group identifier |
name | string | Group name |
group_type | string | Type of group |
provisioning_managed | boolean | Managed by provisioning (AD/SCIM) |
member_count | int | Number of members |
current_risk_score | float | Group average risk score |
status | string | active, archived |
| Field | Type | Description |
|---|---|---|
risk_score | float | Risk score at this point in time |
date | datetime | Date of the risk score calculation |
change | float | Change from previous score |
factors | object | Breakdown of contributing factors |
| Tool | Description | Key Parameters |
|---|---|---|
knowbe4_users_list | List all users | status, group_id, page, per_page |
knowbe4_users_get | Get user details | user_id |
knowbe4_users_risk_score_history | Get risk score history for a user | user_id, page, per_page |
knowbe4_users_list_events | List events for a user | user_id, event_type, page |
knowbe4_groups_list | List all groups | status, page, per_page |
knowbe4_groups_get | Get group details | group_id |
knowbe4_groups_list_members | List members of a group | group_id, page, per_page |
knowbe4_groups_risk_score_history | Get risk score history for a group | group_id, page |
knowbe4_users_get for current risk scoreknowbe4_users_listcurrent_risk_score descendingknowbe4_groups_list| Code | Message | Resolution |
|---|---|---|
| 400 | Invalid user parameters | Check email format, required fields |
| 401 | Invalid API token | Verify KNOWBE4_API_KEY |
| 403 | Insufficient permissions | API token needs User Management permissions |
| 404 | User not found | Verify user_id exists |
| 404 | Group not found | Verify group_id exists |
| 409 | Duplicate email | User with this email already exists |
| 429 | Rate limit exceeded | Implement backoff (see api-patterns) |
| Issue | Cause | Resolution |
|---|---|---|
| Risk score is null | New user with no test data | Wait for first phishing test |
| User not in expected group | AD sync not configured | Check provisioning settings |
| Archived user still in reports | Historical data preserved by design | Filter by status=active |
| Group member count mismatch | Includes archived users | Filter by active status |
| Custom fields empty | Not configured in console | Set up in Account Settings |
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin knowbe4Generates KnowBe4 security awareness reports: phishing statistics, training completion, risk scores, trend analysis, benchmarks, and executive dashboards. Interprets metrics and communicates security posture.
Works with Proofpoint people-centric security: VAP reports, top clickers, user risk scoring, attack index, and user-level threat analytics for identifying high-risk users.
Lists and looks up Blumira users, finds user IDs for assignment, and audits user access. Invoke when managing Blumira user assignments.