Create an Attack Simulator training simulation for users who did not report a phishing attempt



This playbook creates an educational Attack Simulator 'How-To Guide' simulation for end-users who failed to report a message as phishing (e.g. reported as junk, deleted the email, etc.) to the SOC.

Type: Playbook
Solution: Microsoft Defender XDR
Source: View on GitHub

⚠️ Not listed in Solution JSON: This content item was discovered by scanning the solution folder but is not included in the official Solution JSON file. It may be a legacy item, under development, or excluded from the official solution package.

Additional Documentation

📄 Source: AttackSimulatorTrainingNonReporters/readme.md

Perform Attack Simulator training for Phishing non-reporters

Summary

This playbook runs on an incident-based trigger. It determines which mailboxes received malicious phishing emails and calculates which users failed to report a message as phishing (e.g. reported as junk, deleted the email, etc.) to the SOC. It then triggers an Attack Simulator 'How-To Guide' simulation to educate these end-users on the correct response when they receive a phishing email in their inbox.

[Screenshot: Run Playbook within MDO Incident]

[Screenshot: How-To Guide simulation created in Attack Simulator for non-reporting users]

[Screenshot: Outlook inbox of the Teaching Guide email]

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required parameters:
    • Workflow Name: Enter the name of the Logic App to deploy (Default: TriggerASTNonReporting)
    • Email Address: Enter an email address. This will only control the 'Created By' field in the admin portal for any simulations created by the runbook. (This does not modify the sender email address for emails sent via this runbook, which is configured as part of the Attack Simulator payload.)

Deploy to Azure Deploy to Azure Gov

Post-Deployment instructions

After deployment, the following Graph API scopes (Application) still need to be added to the Managed Service Principal that was created.

This can be done by running the addGraphPermissions.ps1 script from this repository in PowerShell.

Ensure you have the required PowerShell modules to run this script by running:

Install-Module -Name Microsoft.Graph.Authentication,Microsoft.Graph.Applications
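
The post-deployment step above, sketched as an added example (this is not the repository's addGraphPermissions.ps1): it grants Microsoft Graph application roles to the Logic App's managed identity, then lists every Graph role the identity holds so that unexpected grants stand out. It assumes the identity's display name equals the default Workflow Name, and the role names are placeholders because this page does not list the required scopes.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications
# Added example, not the repository's addGraphPermissions.ps1.
# Assumptions: the managed identity's display name equals the Logic App name,
# and $ExpectedRoles holds placeholders to replace with the required scopes.
$LogicAppName  = 'TriggerASTNonReporting'                       # default Workflow Name
$ExpectedRoles = @('<GRAPH_APP_ROLE_1>', '<GRAPH_APP_ROLE_2>')  # placeholders
$GraphAppId    = '00000003-0000-0000-c000-000000000000'         # Microsoft Graph appId

Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'

$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$miSp    = @(Get-MgServicePrincipal -Filter "displayName eq '$LogicAppName'")
if ($miSp.Count -ne 1) {
    # Display names are not unique; refuse to guess which principal to change.
    throw "Expected one service principal named '$LogicAppName', found $($miSp.Count)."
}
$miId = $miSp[0].Id

function Get-GraphRoleAssignment {
    # Application role assignments the managed identity holds on Microsoft Graph.
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miId -All |
        Where-Object { $_.ResourceId -eq $graphSp.Id }
}

# Grant only the roles that are missing, so the script is safe to re-run.
$held = @(Get-GraphRoleAssignment).AppRoleId
foreach ($name in $ExpectedRoles) {
    $role = $graphSp.AppRoles | Where-Object {
        $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application'
    }
    if (-not $role) { Write-Warning "No Graph application role named '$name'."; continue }
    if ($held -contains $role.Id) { continue }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miId -PrincipalId $miId `
        -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# Audit: every Graph role now held; Expected = False marks a grant outside the list.
Get-GraphRoleAssignment | ForEach-Object {
    $id    = $_.AppRoleId
    $value = ($graphSp.AppRoles | Where-Object { $_.Id -eq $id }).Value
    [pscustomobject]@{
        Role     = $value
        Expected = $ExpectedRoles -contains $value
        Granted  = $_.CreatedDateTime
    }
} | Sort-Object Expected, Role | Format-Table -AutoSize
```

Re-running the audit section after any change to the playbook is a quick way to confirm the identity has not accumulated Graph permissions beyond what the simulation workflow needs.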
