The CSV security behavior upload allows you to upload events for security behaviors. These events are used to calculate security behavior and risk scores.
The CSV upload replicates the functionality available in the API, making it accessible to anyone.
Uploads aren’t reversible so make sure you test with limited impact before committing to large volume uploads.
Preparing the CSV
Each security behaviour is uploaded separately. You’ll need to prepare a CSV for each security behavior you want to upload data for.
CSV fields
email (required) - the email address for the user the event is associated with. There must be a user with that email address in CybSafe for the email to be valid.
sebdb_uid (required) - SebDB reference ID for the security behaviour, e.g. SB087. This must match the SebDB ID for the security behavior you are uploading to.
event_name (required) - reference API docs for valid event names.
event_action (required) - reference API docs for valid event actions.
event_type (required) - reference API docs for valid event types.
event_datetime (optional) - datetime the event occurred in the format "YYYY-MM-DD HH:MM:SS" If not provided then the upload time will with used.
event_source (optional) - CybSafe will record the source as CybSafe CSV upload so this is additional optional metadata.
event_metadata (optional) - add optional metadata for the event in json format. E.g.
{ id: UUID, tag: "system tag" }
CSV requirements
Header row is required with field names (order doesn’t matter)
Comma separated values
New line for each event
Example CSV
event_datetime,email,event_name,event_action,event_type,sebdb_uid
2024-06-09 14:15:00,[email protected],PHISHING,EMAIL_REPORTED,POSITIVE,SB087
2024-06-05 14:15:00,[email protected],PHISHING,EMAIL_REPORTED,POSITIVE,SB087
Upload the CSV
Navigate to the security behavior page which can be found in Reports > Behaviors > Behavior comparison and searching for the SebDB ID in the table of behaviors.
Find the CSV upload tab in the page and click on it.
Click the Choose CSV file button.
Select the relevant CSV file for the security.
Click Upload CSV.
If there are no errors then the events will be uploaded and a new successful upload entry is shown in the uploads table for that security behavior. If there are errors those errors are shown and a new failed upload entry is shown in the uploads table for that security behavior.
Troubleshooting upload errors
Check the CSV fields section for formats and requirements for each field.
After events are uploaded
Once processed events will display in activity logs for that security behavior, in the risk reports and in the user risk page. Reload the page to refresh the activity data.
Overnight the scores for security behaviors and risks will be calculated using the new behavior event data.
Deleting or editing uploaded behavior events
Once uploaded behavior events can’t be deleted or edited.