Can I pull users from older simulations on Repeat Offenders Report API?

TryingNotToBeLikeABullInAChinaShop 30 Reputation points
2024-05-16T16:31:10.4733333+00:00

We have loads of users so we send out our Phishing Attack Simulations in groups to not overflow our service desk with people reporting suspicious emails. I have been asked to report on who is a repeat offender. I have made a Power BI Dashboard to use now and in future simulations, and used the getAttackSimulationRepeatOffenders Graph API, but it only pulls Repeat Offenders from the last 10 simulations, and we've done 15 in our last wave of simulations. I think the report on MDE itself looks at all simulations, but other than manually exporting from MDE, is there a way to pull it all automatically? I'm trying to make all our reporting as seamless as possible.

Many Thanks


1 answer

  1. Martin Nöthig 0 Reputation points
    2024-06-18T09:00:51.13+00:00

    One possible workaround would be to use the endpoint "https://graph.microsoft.com/v1.0/reports/security/getAttackSimulationSimulationUserCoverage":

    Example response value:

    {
        "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.attackSimulationSimulationUserCoverage)",
        "value": [
            {
                "simulationCount": 27,
                "latestSimulationDateTime": "2024-06-18T...",
                "clickCount": 11,
                "compromisedCount": 7,
                "attackSimulationUser": {
                    "userId": "xxxx-xxxxx-xx-x-xxxxxx",
                    "displayName": "Jane Doe",
                    "email": "jane.doe@fcb-solutions.de"
                }
            },
            {
                "simulationCount": 62,
                "latestSimulationDateTime": "2024-06-18T...",
                "clickCount": 27,
                "compromisedCount": 23,
                "attackSimulationUser": {
                    "userId": "xxxx-xxxxx-xx-x-xxxxxx",
                    "displayName": "John Doe",
                    "email": "john.doe@fcb-solutions.de"
                }
            },
            ...
         ]
    }
    

    One would need to create a snapshot of the current numbers to use as an offset for future simulations. With that offset, one will know which user recently got compromised by a simulation.

    From my experience, that endpoint doesn't have a limitation on simulations.
    BEWARE though: If you want to exclude a simulation from this data, you must exclude the simulation and only then delete it. Otherwise, the numbers in this result are not adjusted.

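The snapshot-and-offset approach described in the answer above, as an added example that is not part of the original post: it diffs a saved response from getAttackSimulationSimulationUserCoverage against a later one, per user. The helper names, the `min_compromises` threshold, the "stale" flag for counters that decreased, and the sample records are assumptions made for illustration; the code expects all result pages to be merged into one `value` array already.

```python
# Added example (not from the original answer): diff a saved snapshot of
# getAttackSimulationSimulationUserCoverage against a later response.
COUNTERS = ("simulationCount", "clickCount", "compromisedCount")

def index_by_user(body):
    """Map userId -> record for one response body (all pages already merged)."""
    indexed = {}
    for rec in body.get("value", []):
        uid = (rec.get("attackSimulationUser") or {}).get("userId")
        if uid:
            indexed[uid] = rec
    return indexed

def deltas_since(snapshot, current):
    """Per-user change in the cumulative counters since the snapshot."""
    base = index_by_user(snapshot)
    result = {}
    for uid, rec in index_by_user(current).items():
        old = base.get(uid, {})  # user not in snapshot: offset is zero
        delta = {k: (rec.get(k) or 0) - (old.get(k) or 0) for k in COUNTERS}
        # Assumption: a counter that went down means the totals were adjusted
        # after the snapshot (e.g. a simulation was excluded), so the stored
        # offset no longer matches and the user needs a fresh snapshot.
        delta["stale"] = any(v < 0 for v in delta.values())
        delta["email"] = rec["attackSimulationUser"].get("email")
        result[uid] = delta
    return result

def repeat_offenders(snapshot, current, min_compromises=2):
    """Emails compromised at least min_compromises times since the snapshot.
    The threshold is an assumption; set it to your own definition."""
    return sorted(d["email"] for d in deltas_since(snapshot, current).values()
                  if not d["stale"] and d["compromisedCount"] >= min_compromises)

def user(uid, email, sims, clicks, comp):
    """Build one constructed record in the response shape shown above."""
    return {"simulationCount": sims, "clickCount": clicks, "compromisedCount": comp,
            "attackSimulationUser": {"userId": uid, "email": email}}

# Constructed sample data: snapshot before a wave, response after it.
SNAPSHOT = {"value": [user("u1", "jane@example.com", 27, 11, 7),
                      user("u2", "john@example.com", 62, 27, 23),
                      user("u4", "alex@example.com", 10, 4, 3)]}
CURRENT = {"value": [user("u1", "jane@example.com", 32, 14, 10),
                     user("u2", "john@example.com", 67, 27, 23),
                     user("u3", "new@example.com", 5, 3, 2),
                     user("u4", "alex@example.com", 9, 3, 2)]}
```
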