simulation resource type

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Represents an attack simulation training campaign in a tenant.

Attack simulation and training is a service available as part of Microsoft Defender for Office 365. This service lets tenant users experience a realistic benign phishing attack and learn from it. The service enables tenant administrators to simulate, assign trainings, and read derived insights into online behaviors of users in the phishing simulations. The service provides attack simulation reports that help tenants identify security knowledge gaps, so that they can further train their users to decrease their susceptibility to attacks.

The attack simulation and training API enables tenant administrators to list launched simulation exercises and trainings, and get reports on derived insights into online behaviors of users in the phishing simulations.

Inherits from entity.

Methods

Method Return type Description
List simulations simulation collection Get a list of attack simulation campaigns for a tenant.
Get simulation simulation Get an attack simulation campaign for a tenant.

Properties

Property Type Description
attackTechnique simulationAttackTechnique The social engineering technique used in the attack simulation and training campaign. Supports $filter and $orderby. Possible values are: unknown, credentialHarvesting, attachmentMalware, driveByUrl, linkInAttachment, linkToMalwareFile, unknownFutureValue. For more information on the types of social engineering attack techniques, see simulations.
attackType simulationAttackType Attack type of the attack simulation and training campaign. Supports $filter and $orderby. Possible values are: unknown, social, cloud, endpoint, unknownFutureValue.
automationId String Unique identifier for the attack simulation automation.
completionDateTime DateTimeOffset Date and time of completion of the attack simulation and training campaign. Supports $filter and $orderby.
createdBy emailIdentity Identity of the user who created the attack simulation and training campaign.
createdDateTime DateTimeOffset Date and time of creation of the attack simulation and training campaign.
description String Description of the attack simulation and training campaign.
displayName String Display name of the attack simulation and training campaign. Supports $filter and $orderby.
id String Unique identifier for the attack simulation and training campaign. Inherited from entity.
isAutomated Boolean Flag that represents if the attack simulation and training campaign was created from a simulation automation flow. Supports $filter and $orderby.
lastModifiedBy emailIdentity Identity of the user who most recently modified the attack simulation and training campaign.
lastModifiedDateTime DateTimeOffset Date and time of the most recent modification of the attack simulation and training campaign.
launchDateTime DateTimeOffset Date and time of the launch/start of the attack simulation and training campaign. Supports $filter and $orderby.
payloadDeliveryPlatform payloadDeliveryPlatform Method of delivery of the phishing payload used in the attack simulation and training campaign. Possible values are: unknown, sms, email, teams, unknownFutureValue.
report simulationReport Report of the attack simulation and training campaign.
status simulationStatus Status of the attack simulation and training campaign. Supports $filter and $orderby. Possible values are: unknown, draft, running, scheduled, succeeded, failed, cancelled, excluded, unknownFutureValue.

simulationStatus values

Member Description
unknown The simulation status is not defined.
draft The simulation is in draft mode.
running The simulation is running.
scheduled The simulation is scheduled.
succeeded The simulation has succeeded.
failed The simulation has failed.
cancelled The simulation is cancelled.
excluded The simulation is excluded.
unknownFutureValue Evolvable enumeration sentinel value. Do not use.

simulationAttackTechnique values

Member Description
unknown Attack technique not defined.
credentialHarvesting Attack technique that involves an end user supplying credentials.
attachmentMalware Attack technique that involves an end user clicking an attachment.
driveByUrl Attack technique that involves an end user clicking a URL link in the phishing payload.
linkInAttachment Attack technique that involves an end user clicking a URL link in an attachment.
linkToMalwareFile Attack technique that involves an end user clicking a URL link to a malware file.
unknownFutureValue Evolvable enumeration sentinel value. Do not use.

simulationAttackType values

Member Description
unknown Attack type not identified.
social Attack that uses social skills to manipulate victims psychologically, creating a false sense of curiosity, urgency, or fear.
cloud Attack on a host or user in a cloud environment, for example, denial of service attacks.
endpoint Attack on endpoints of a corporate network, such as desktops, laptops, mobile phones, and Internet of Things (IoT) devices.
unknownFutureValue Evolvable enumeration sentinel value. Do not use.

Relationships

None.

JSON representation

The following is a JSON representation of the resource.

{
  "@odata.type": "#microsoft.graph.simulation",
  "attackTechnique": "String",
  "attackType": "String",
  "automationId": "String",
  "completionDateTime": "String (timestamp)",
  "createdBy": {
    "@odata.type": "microsoft.graph.emailIdentity"
  },
  "createdDateTime": "String (timestamp)",
  "description": "String",
  "displayName": "String",
  "id": "String (identifier)",
  "isAutomated": "Boolean",
  "lastModifiedBy": {
    "@odata.type": "microsoft.graph.emailIdentity"
  },
  "lastModifiedDateTime": "String (timestamp)",
  "launchDateTime": "String (timestamp)",
  "payloadDeliveryPlatform": "String",
  "report": {
    "@odata.type": "microsoft.graph.simulationReport"
  },
  "status": "String"
}

See also