simulation resource type
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Represents an attack simulation training campaign in a tenant.
Attack simulation and training is a service available as part of Microsoft Defender for Office 365. This service lets tenant users experience a realistic benign phishing attack and learn from it. The service enables tenant administrators to simulate, assign trainings, and read derived insights into online behaviors of users in the phishing simulations. The service provides attack simulation reports that help tenants identify security knowledge gaps, so that they can further train their users to decrease their susceptibility to attacks.
The attack simulation and training API enables tenant administrators to list launched simulation exercises and trainings, and get reports on derived insights into online behaviors of users in the phishing simulations.
Inherits from entity.
Methods
Method | Return type | Description |
---|---|---|
List simulations | simulation collection | Get a list of attack simulation campaigns for a tenant. |
Create simulation | simulation | Create a new simulation object. |
Get simulation | simulation | Get an attack simulation campaign for a tenant. |
Update simulation | simulation | Update the properties of a simulation object. |
Delete simulation | None | Delete a simulation object. |
Get payload | None | Get a payload object. |
Get loginPage | None | Get a loginPage object. |
Get landingPage | None | Get a landingPage object. |
Properties
Property | Type | Description |
---|---|---|
attackTechnique | simulationAttackTechnique | The social engineering technique used in the attack simulation and training campaign. Supports $filter and $orderby. Possible values are: unknown, credentialHarvesting, attachmentMalware, driveByUrl, linkInAttachment, linkToMalwareFile, unknownFutureValue, oAuthConsentGrant. Note that you must use the Prefer: include-unknown-enum-members request header to get the following values from this evolvable enum: oAuthConsentGrant. For more information on the types of social engineering attack techniques, see simulations. |
attackType | simulationAttackType | Attack type of the attack simulation and training campaign. Supports $filter and $orderby. Possible values are: unknown, social, cloud, endpoint, unknownFutureValue. |
automationId | String | Unique identifier for the attack simulation automation. |
completionDateTime | DateTimeOffset | Date and time of completion of the attack simulation and training campaign. Supports $filter and $orderby. |
createdBy | emailIdentity | Identity of the user who created the attack simulation and training campaign. |
createdDateTime | DateTimeOffset | Date and time of creation of the attack simulation and training campaign. |
description | String | Description of the attack simulation and training campaign. |
displayName | String | Display name of the attack simulation and training campaign. Supports $filter and $orderby. |
durationInDays | Int32 | Simulation duration in days. |
endUserNotificationSetting | endUserNotificationSetting | Details about the end user notification setting. |
excludedAccountTarget | accountTargetContent | Users excluded from the simulation. |
id | String | Unique identifier for the attack simulation and training campaign. Inherited from entity. |
includedAccountTarget | accountTargetContent | Users targeted in the simulation. |
isAutomated | Boolean | Flag that represents if the attack simulation and training campaign was created from a simulation automation flow. Supports $filter and $orderby. |
lastModifiedBy | emailIdentity | Identity of the user who most recently modified the attack simulation and training campaign. |
lastModifiedDateTime | DateTimeOffset | Date and time of the most recent modification of the attack simulation and training campaign. |
launchDateTime | DateTimeOffset | Date and time of the launch/start of the attack simulation and training campaign. Supports $filter and $orderby. |
oAuthConsentAppDetail | oAuthConsentAppDetail | OAuth app details for the OAuth technique. |
payloadDeliveryPlatform | payloadDeliveryPlatform | Method of delivery of the phishing payload used in the attack simulation and training campaign. Possible values are: unknown, sms, email, teams, unknownFutureValue. |
report | simulationReport | Report of the attack simulation and training campaign. |
status | simulationStatus | Status of the attack simulation and training campaign. Supports $filter and $orderby. Possible values are: unknown, draft, running, scheduled, succeeded, failed, cancelled, excluded, unknownFutureValue. |
trainingSetting | trainingSetting | Details about the training settings for a simulation. |
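The following added example (not part of the original reference) shows how a reporting script can restrict `$filter`/`$orderby` to the properties marked as supporting them above, send the `Prefer: include-unknown-enum-members` header, and spot records whose `attackTechnique` came back as the sentinel value. Assumptions: the List simulations URL and the quoted form of enum literals are not given on this page, and the sample response and its ids are constructed.

```python
from urllib.parse import quote

# Assumption: "List simulations" URL; the path is not given on this page.
LIST_URL = "https://graph.microsoft.com/beta/security/attackSimulation/simulations"
# Properties this page marks "Supports $filter and $orderby".
QUERYABLE = {"attackTechnique", "attackType", "completionDateTime", "displayName",
             "isAutomated", "launchDateTime", "status"}
SENTINEL = "unknownFutureValue"

def odata_literal(value):
    """Render a value as an OData literal; embedded single quotes are doubled."""
    if isinstance(value, bool):
        return "true" if value else "false"
    # Assumption: enum members are written as quoted strings, like String values.
    return "'" + str(value).replace("'", "''") + "'"

def build_list_request(filters, order_by=None):
    """Return (url, headers) for a filtered listing; reject unsupported properties."""
    for prop in list(filters) + ([order_by] if order_by else []):
        if prop not in QUERYABLE:
            raise ValueError(f"{prop} does not support $filter/$orderby")
    clause = " and ".join(f"{p} eq {odata_literal(v)}" for p, v in filters.items())
    query = "$filter=" + quote(clause, safe="'")
    if order_by:
        query += "&$orderby=" + quote(order_by)
    # Without this header, oAuthConsentGrant is not returned from the evolvable enum.
    headers = {"Prefer": "include-unknown-enum-members"}
    return f"{LIST_URL}?{query}", headers

def summarize(body):
    """Count simulations per status and collect ids whose technique is the sentinel."""
    counts, masked = {}, []
    for sim in body.get("value", []):
        counts[sim["status"]] = counts.get(sim["status"], 0) + 1
        if sim.get("attackTechnique") == SENTINEL:
            masked.append(sim["id"])
    return counts, masked

# Constructed sample response (not real tenant data).
SAMPLE = {"value": [
    {"id": "sim-001", "status": "running", "attackTechnique": "credentialHarvesting"},
    {"id": "sim-002", "status": "running", "attackTechnique": "oAuthConsentGrant"},
    {"id": "sim-003", "status": "succeeded", "attackTechnique": "unknownFutureValue"},
]}

if __name__ == "__main__":
    print(build_list_request({"status": "running", "isAutomated": False}, "launchDateTime"))
    print(summarize(SAMPLE))
```

A non-empty second element from `summarize` means some records carried `unknownFutureValue` and the client should confirm the `Prefer` header reached the service.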
simulationStatus values
Member | Description |
---|---|
unknown | The simulation status isn't defined. |
draft | The simulation is in draft mode. |
running | The simulation is running. |
scheduled | The simulation is scheduled. |
succeeded | The simulation is complete with success status. |
failed | The simulation is complete with fail status. |
cancelled | The simulation is cancelled. |
excluded | The simulation is excluded. |
unknownFutureValue | Evolvable enumeration sentinel value. Don't use. |
simulationAttackTechnique values
Member | Description |
---|---|
unknown | Attack technique not defined. |
credentialHarvesting | Attack technique that involves an end user supplying credentials. |
attachmentMalware | Attack technique that involves an end user clicking an attachment. |
driveByUrl | Attack technique that involves an end user clicking a URL link in the phishing payload. |
linkInAttachment | Attack technique that involves an end user clicking a URL link in an attachment. |
linkToMalwareFile | Attack technique that involves an end user clicking a URL link to a malware file. |
unknownFutureValue | Evolvable enumeration sentinel value. Don't use. |
oAuthConsentGrant | Attack technique that involves an end user who gives access consent to an app. |
phishTraining | Attack technique that involves training end users on actions to be performed on a phish mail. |
simulationAttackType values
Member | Description |
---|---|
unknown | Attack type not identified. |
social | Attack that uses social skills to manipulate victims psychologically, creating a false sense of curiosity, urgency, or fear. |
cloud | Attack on a host or user in a cloud environment, for example, denial of service attacks. |
endpoint | Attack on endpoints of a corporate network, such as desktops, laptops, mobile phones, and Internet of Things (IoT) devices. |
unknownFutureValue | Evolvable enumeration sentinel value. Don't use. |
simulationContentStatus values
Member | Description |
---|---|
unknown | The simulation content status isn't defined. |
draft | The simulation content status is in draft state. |
ready | The simulation content status is in ready state. |
archive | The simulation content status is in archive state. |
delete | The simulation content status is in delete state. |
unknownFutureValue | Evolvable enumeration sentinel value. Don't use. |
simulationContentSource values
Member | Description |
---|---|
unknown | The simulation content source isn't defined. |
global | The simulation content source is global. |
tenant | The simulation content source is tenant. |
unknownFutureValue | Evolvable enumeration sentinel value. Don't use. |
Relationships
Relationship | Type | Description |
---|---|---|
landingPage | landingPage | The landing page associated with a simulation during its creation. |
loginPage | loginPage | The login page associated with a simulation during its creation. |
payload | payload | The payload associated with a simulation during its creation. |
JSON representation
The following JSON representation shows the resource type.
```json
{
  "@odata.type": "#microsoft.graph.simulation",
  "attackTechnique": "String",
  "attackType": "String",
  "automationId": "String",
  "completionDateTime": "String (timestamp)",
  "createdBy": {"@odata.type": "microsoft.graph.emailIdentity"},
  "createdDateTime": "String (timestamp)",
  "description": "String",
  "displayName": "String",
  "durationInDays": "Int32",
  "endUserNotificationSetting": {"@odata.type": "microsoft.graph.endUserNotificationSetting"},
  "excludedAccountTarget": {"@odata.type": "microsoft.graph.accountTargetContent"},
  "id": "String (identifier)",
  "includedAccountTarget": {"@odata.type": "microsoft.graph.accountTargetContent"},
  "isAutomated": "Boolean",
  "lastModifiedBy": {"@odata.type": "microsoft.graph.emailIdentity"},
  "lastModifiedDateTime": "String (timestamp)",
  "launchDateTime": "String (timestamp)",
  "oAuthConsentAppDetail": {"@odata.type": "microsoft.graph.oAuthConsentAppDetail"},
  "payloadDeliveryPlatform": "String",
  "report": {"@odata.type": "microsoft.graph.simulationReport"},
  "status": "String",
  "trainingSetting": {"@odata.type": "microsoft.graph.trainingSetting"}
}
```