simulation resource type

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Represent an attack simulation and training campaign of a tenant.

Attack simulation and training is a service available as part of Microsoft Defender for Office 365. This service lets users in a tenant experience a realistic benign phishing attack and learn from it. The service enables tenant administrators to simulate, assign trainings, and read derived insights into online behaviors of users in the phishing simulations. The service provides attack simulation reports that help tenants identify security knowledge gaps, so that they can further train their users to decrease their susceptibility to attacks.

The attack simulation and training API enables tenant administrators to list launched simulation exercises and trainings, and get reports on derived insights into online behaviors of users in the phishing simulations.

Methods

Method Return type Description
List simulations simulation collection Get a list of the simulation objects and their properties.

Properties

Property Type Description
attackTechnique simulationAttackTechnique The social engineering technique used in the attack simulation and training campaign. Supports $filter and $orderby. Possible values are: unknown, credentialHarvesting, attachmentMalware, driveByUrl, linkInAttachment, linkToMalwareFile, unknownFutureValue. For more information on the types of social engineering attack techniques, see simulations.
attackType simulationAttackType Attack type of the attack simulation and training campaign. Supports $filter and $orderby. Possible values are: unknown, social, cloud, endpoint, unknownFutureValue.
cleanupArtifacts Boolean Flag representing if artifacts were cleaned up in the attack simulation and training campaign.
completionDateTime DateTimeOffset Date and time of completion of the attack simulation and training campaign. Supports $filter and $orderby.
createdBy emailIdentity Identity of the user who created the attack simulation and training campaign.
createdDateTime DateTimeOffset Date and time of creation of the attack simulation and training campaign.
description String Description of the attack simulation and training campaign.
displayName String Display name of the attack simulation and training campaign. Supports $filter and $orderby.
enableRegionTimezoneDelivery Boolean Flag representing whether to enable or disable timezone-aware delivery of phishing payload in the attack simulation and training campaign.
id String ID of the attack simulation and training campaign.
includeAllAccountTargets Boolean Flag representing inclusion of all the users of a tenant in the attack simulation and training campaign.
isAutomated Boolean Flag representing if the attack simulation and training campaign was created from a simulation automation flow. Supports $filter and $orderby.
lastModifiedBy emailIdentity Identity of the user who most recently modified the attack simulation and training campaign.
lastModifiedDateTime DateTimeOffset Date and time of the most recent modification of the attack simulation and training campaign.
launchDateTime DateTimeOffset Date and time of the launch/start of the attack simulation and training campaign. Supports $filter and $orderby.
payloadDeliveryPlatform payloadDeliveryPlatform Method of delivery of the phishing payload used in the attack simulation and training campaign. Possible values are: unknown, sms, email, teams, unknownFutureValue.
payloadSource payloadSource Source of phishing payload in the attack simulation and training campaign. Possible values are: unknown, global, tenant, unknownFutureValue.
report simulationReport Report of the attack simulation and training campaign.
status simulationStatus Status of the attack simulation and training campaign. Supports $filter and $orderby. Possible values are: unknown, draft, inProgress, scheduled, completed, partiallyCompleted, failed, cancelled, excluded, deleted, included, unknownFutureValue.
trainingAssignmentPreference trainingAssignmentPreference Preference of the tenant admin to assign training to users in the attack simulation and training campaign. Possible values are: unknown, auto, manual, unknownFutureValue.
trainingContentPreference trainingContentPreference Preference of the tenant admin for the source of training content to assign to users in the attack simulation and training campaign. Possible values are: unknown, microsoft, custom, noTraining, unknownFutureValue.
trainingDueDateTime DateTimeOffset Date and time before which the trainings need to be completed by users in the attack simulation and training campaign.

simulationAttackTechnique values

Member Description
unknown Attack technique not defined.
credentialHarvesting Attack technique that involves an end user supplying credentials.
attachmentMalware Attack technique that involves an end user clicking an attachment.
driveByUrl Attack technique that involves an end user clicking a URL link in the phishing payload.
linkInAttachment Attack technique that involves an end user clicking a URL link in an attachment.
linkToMalwareFile Attack technique that involves an end user clicking a URL link to a malware file.
unknownFutureValue Evolvable enumeration sentinel value. Do not use.

simulationAttackType values

Member Description
unknown Attack type not identified.
social Attack that uses social skills to manipulate victims psychologically, creating a false sense of curiosity, urgency, or fear.
cloud Attack on a host or user in a cloud environment, for example, denial of service attacks.
endpoint Attack on endpoints of a corporate network, such as desktops, laptops, mobile phones, Internet-of-things devices.
unknownFutureValue Evolvable enumeration sentinel value. Do not use.

payloadSource values

Member Description
unknown Payload source not identified.
global Payload from a collection of payloads supplied by Microsoft.
tenant Payload from a collection of payloads supplied by tenant.
unknownFutureValue Evolvable enumeration sentinel value. Do not use.

trainingAssignmentPreference values

Member Description
unknown Training assignment preference not identified.
auto Assign trainings to end users based on pre-defined criteria.
manual Assign trainings to end users based on admin-defined criteria.
unknownFutureValue Evolvable enumeration sentinel value. Do not use.

trainingContentPreference values

Member Description
unknown Training content preference not identified.
microsoft Training content from a collection of trainings supplied by Microsoft.
custom Training content supplied by tenant.
noTraining No training assignment to end users as part of the campaign.
unknownFutureValue Evolvable enumeration sentinel value. Do not use.

Relationships

None.

JSON representation

The following is a JSON representation of the resource.

{
  "@odata.type": "#microsoft.graph.simulation",
  "id": "String (identifier)",
  "displayName": "String",
  "description": "String",
  "attackType": "String",
  "attackTechnique": "String",
  "status": "String",
  "createdDateTime": "String (timestamp)",
  "createdBy": {
    "@odata.type": "microsoft.graph.emailIdentity"
  },
  "lastModifiedDateTime": "String (timestamp)",
  "lastModifiedBy": {
    "@odata.type": "microsoft.graph.emailIdentity"
  },
  "launchDateTime": "String (timestamp)",
  "completionDateTime": "String (timestamp)",
  "includeAllAccountTargets": "Boolean",
  "enableRegionTimezoneDelivery": "Boolean",
  "isAutomated": "Boolean",
  "cleanupArtifacts": "Boolean",
  "payloadSource": "String",
  "payloadDeliveryPlatform": "String",
  "trainingAssignmentPreference": "String",
  "trainingContentPreference": "String",
  "trainingDueDateTime": "String (timestamp)",
  "report": {
    "@odata.type": "microsoft.graph.simulationReport"
  }
}

See also