Reports API overview for attack simulation training as part of Microsoft Defender for Office 365
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
This section describes reporting capabilities of Microsoft Defender for Office 365, specifically APIs that access reports on a tenant's participation in attack simulation training. Attack simulation trainings set up benign cyberattack simulations to train users in the tenant to increase their awareness, and help identify vulnerable users.
What role do the attack simulation reports play in enterprise defense?
Attack simulation reports help tenant administrators identify security knowledge gaps, so that they can further train their users to decrease their susceptibility to attacks. The attack simulation training service is part of Microsoft Defender for Office 365 which safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.
Microsoft Defender for Office 365 belongs to the Microsoft 365 Defender suite which includes the following services:
- Microsoft Defender for Endpoint
- Microsoft Defender for Office 365
- Microsoft Defender for Identity
- Microsoft Defender for Cloud Apps
Microsoft 365 Defender is a unified enterprise defense suite that helps detect security risks, investigate attacks to an organization, and prevent harmful activities automatically. It provides a central administrators portal (https://security.microsoft.com/) that combines protection, detection, investigation, and response to email, collaboration, identity, and device threats.
To access attack simulation training, open the Microsoft 365 Defender portal, go to Email & collaboration > Attack simulation training.
Authorization
Microsoft Graph controls access to resources using permissions. You must specify the permissions you need in order to access reports resources. For more information, see Microsoft Graph permissions reference and reports permissions.
What kinds of data do the reports return?
| Kinds of data | Resource | API |
|---|---|---|
| Vulnerable repeat offenders in a tenant | attackSimulationRepeatOffender | getAttackSimulationRepeatOffenders |
| Simulation data and results for each user in a tenant | attackSimulationSimulationUserCoverage | getAttackSimulationSimulationUserCoverage |
| Training coverage for each user in a tenant | attackSimulationTrainingUserCoverage | getAttackSimulationTrainingUserCoverage |
Caution
Make sure to access the following methods from the https://graph.microsoft.com/beta/reports/security endpoint:
- getAttackSimulationRepeatOffenders
- getAttackSimulationSimulationUserCoverage
- getAttackSimulationTrainingUserCoverage
The query endpoints for these methods have changed from https://graph.microsoft.com/beta/reports to https://graph.microsoft.com/beta/reports/security.
Methods on the https://graph.microsoft.com/beta/reports/ endpoint are deprecated as of July 15, 2022, and will stop returning data starting August 20, 2022.
Next steps
Reports resources and APIs can open up new ways for you to engage with users and manage their experiences with Microsoft Graph. To learn more:
- Drill down on the methods and properties of the resources most helpful to your scenario.
- Try the API in the Graph Explorer.