simulation.md

title	simulation resource type
description	Represents an attack simulation training campaign in a tenant.
author	stuartcl
ms.localizationpriority	medium
ms.subservice	security
doc_type	resourcePageType
ms.date	03/27/2024

simulation resource type

Namespace: microsoft.graph

Represents an attack simulation training campaign in a tenant.

Attack simulation and training is a service available as part of Microsoft Defender for Office 365. This service lets tenant users experience a realistic benign phishing attack and learn from it. The service enables tenant administrators to simulate, assign trainings, and read derived insights into online behaviors of users in the phishing simulations. The service provides attack simulation reports that help tenants identify security knowledge gaps, so that they can further train their users to decrease their susceptibility to attacks.

The attack simulation and training API enables tenant administrators to list launched simulation exercises and trainings, and get reports on derived insights into online behaviors of users in the phishing simulations.

Inherits from entity.

Methods

Method	Return type	Description
List simulations	simulation collection	Get a list of attack simulation campaigns for a tenant.
Create simulation	simulation	Create a new simulation object.
Get simulation	simulation	Get an attack simulation campaign for a tenant.
Update simulation	simulation	Update the properties of a simulation object.
Delete simulation	None	Delete a simulation object.
Get payload	None	Get a payload object.
Get loginPage	None	Get a loginPage object.
Get landingPage	None	Get a landingPage object.

Properties

Property	Type	Description
attackTechnique	simulationAttackTechnique	The social engineering technique used in the attack simulation and training campaign. Supports $filter and $orderby. Possible values are: unknown, credentialHarvesting, attachmentMalware, driveByUrl, linkInAttachment, linkToMalwareFile, unknownFutureValue, oAuthConsentGrant. Use the Prefer: include-unknown-enum-members request header to get the following values from this evolvable enum: oAuthConsentGrant. For more information on the types of social engineering attack techniques, see simulations.
attackType	simulationAttackType	Attack type of the attack simulation and training campaign. Supports $filter and $orderby. Possible values are: unknown, social, cloud, endpoint, unknownFutureValue.
automationId	String	Unique identifier for the attack simulation automation.
completionDateTime	DateTimeOffset	Date and time of completion of the attack simulation and training campaign. Supports $filter and $orderby.
createdBy	emailIdentity	Identity of the user who created the attack simulation and training campaign.
createdDateTime	DateTimeOffset	Date and time of creation of the attack simulation and training campaign.
description	String	Description of the attack simulation and training campaign.
displayName	String	Display name of the attack simulation and training campaign. Supports $filter and $orderby.
durationInDays	Int32	Simulation duration in days.
endUserNotificationSetting	endUserNotificationSetting	Details about the end user notification setting.
excludedAccountTarget	accountTargetContent	Users excluded from the simulation.
id	String	Unique identifier for the attack simulation and training campaign. Inherited from entity.
includedAccountTarget	accountTargetContent	Users targeted in the simulation.
isAutomated	Boolean	Flag that represents if the attack simulation and training campaign was created from a simulation automation flow. Supports $filter and $orderby.
lastModifiedBy	emailIdentity	Identity of the user who most recently modified the attack simulation and training campaign.
lastModifiedDateTime	DateTimeOffset	Date and time of the most recent modification of the attack simulation and training campaign.
launchDateTime	DateTimeOffset	Date and time of the launch/start of the attack simulation and training campaign. Supports $filter and $orderby.
oAuthConsentAppDetail	oAuthConsentAppDetail	OAuth app details for the OAuth technique.
payloadDeliveryPlatform	payloadDeliveryPlatform	Method of delivery of the phishing payload used in the attack simulation and training campaign. Possible values are: unknown, sms, email, teams, unknownFutureValue.
report	simulationReport	Report of the attack simulation and training campaign.
status	simulationStatus	Status of the attack simulation and training campaign. Supports $filter and $orderby. Possible values are: unknown, draft, running, scheduled, succeeded, failed, cancelled, excluded, unknownFutureValue.
trainingSetting	trainingSetting	Details about the training settings for a simulation.

simulationStatus values

Member	Description
unknown	The simulation status is not defined.
draft	The simulation is in draft mode.
running	The simulation is running.
scheduled	The simulation is scheduled.
succeeded	The simulation has succeeded.
failed	The simulation has failed.
cancelled	The simulation is cancelled.
excluded	The simulation is excluded.
unknownFutureValue	Evolvable enumeration sentinel value. Do not use.

simulationAttackTechnique values

Member	Description
unknown	Attack technique not defined.
credentialHarvesting	Attack technique that involves an end user supplying credentials.
attachmentMalware	Attack technique that involves an end user clicking an attachment.
driveByUrl	Attack technique that involves an end user clicking a URL link in the phishing payload.
linkInAttachment	Attack technique that involves an end user clicking a URL link in an attachment.
linkToMalwareFile	Attack technique that involves an end user clicking a URL link to a malware file.
unknownFutureValue	Evolvable enumeration sentinel value. Do not use.
oAuthConsentGrant	Attack technique that involves an end user who gives access consent to an app.

simulationAttackType values

Member	Description
unknown	Attack type not identified.
social	Attack that uses social skills to manipulate victims psychologically, creating a false sense of curiosity, urgency, or fear.
cloud	Attack on a host or user in a cloud environment, for example, denial of service attacks.
endpoint	Attack on endpoints of a corporate network, such as desktops, laptops, mobile phones, and Internet of Things (IoT) devices.
unknownFutureValue	Evolvable enumeration sentinel value. Do not use.

simulationContentStatus values

Member	Description
unknown	The simulation content status is not defined.
draft	The simulation content status is in draft state.
ready	The simulation content status is in ready state.
archive	The simulation content status is archive state.
delete	The simulation content status is in delete state.
unknownFutureValue	Evolvable enumeration sentinel value. Do not use.

simulationContentSource values

Member	Description
unknown	The simulation content source is not defined.
global	The simulation content source is global.
tenant	The simulation content source is tenant.
unknownFutureValue	Evolvable enumeration sentinel value. Do not use.

Relationships

Relationship	Type	Description
landingPage	landingPage	The landing page associated with a simulation during its creation.
loginPage	loginPage	The login page associated with a simulation during its creation.
payload	payload	The payload associated with a simulation during its creation.

JSON representation

The following JSON representation shows the resource type.

{
  "@odata.type": "#microsoft.graph.simulation",
  "attackTechnique": "String",
  "attackType": "String",
  "automationId": "String",
  "completionDateTime": "String (timestamp)",
  "createdBy": {"@odata.type": "microsoft.graph.emailIdentity"},
  "createdDateTime": "String (timestamp)",
  "description": "String",
  "displayName": "String",
  "durationInDays": "Int32",
  "endUserNotificationSetting": {"@odata.type": "microsoft.graph.endUserNotificationSetting"},
  "excludedAccountTarget": {"@odata.type": "microsoft.graph.accountTargetContent"},
  "id": "String (identifier)",
  "includedAccountTarget": {"@odata.type": "microsoft.graph.accountTargetContent"},
  "isAutomated": "Boolean",
  "lastModifiedBy": {"@odata.type": "microsoft.graph.emailIdentity"},
  "lastModifiedDateTime": "String (timestamp)",
  "launchDateTime": "String (timestamp)",
  "oAuthConsentAppDetail": {"@odata.type": "microsoft.graph.oAuthConsentAppDetail"},
  "payloadDeliveryPlatform": "String",
  "report": {"@odata.type": "microsoft.graph.simulationReport"},
  "status": "String",
  "trainingSetting": {"@odata.type": "microsoft.graph.trainingSetting"}
}

Related content

• Simulate a phishing attack
• Get started using attack simulation training.