"Did What?" Conditions Summary
This table summarizes the Did What conditions.
For details, see Defining the "Did What?" Conditions.
| Condition | Options | Options | Default | Options |
|---|---|---|---|---|
| Brought in a File - Did What | By downloading from website/web application | From Which Website/Web application? | Any website/web application | Website name; Website URL; Website window title; Website category |
| | | Which file? | Any file | Original file name |
| | | MIP Label of the file? | Any label or no label | Original file label |
| | By saving attachment from email client | Which file? | Any file | Original file name; File size (in KBs) |
| | | Destination? | Any destination | Destination path; The destination is a USB; The destination is a sync folder |
| | | MIP Label of the file? | Any label or no label | Original file label |
| | By taking a file from cloud storage sync folder | From which cloud storage sync folder? | Any supported sync folder | Vendor name |
| | | Which file? | Any file | Original file name |
| | | MIP Label of the file? | Any label or no label | Original file label |
| Copied Text Did What | Text Content | | | |
| Detect Connected USB - Did What | To which USB | | | |
| | USB model | | | |
| | USB vendor | | | |
| | USB label | | | |
| | USB S/N | | | |
| Email - Did What | Sent email using an email client | To | Any recipients | All recipients are with trusted domains; At least one recipient address; Number of recipients; BCC recipients exist |
| | | Sender address | Any address | Sender address |
| | | Email subject | Any subject | Email subject |
| | | Attachments | Any | Email includes attachments; Email attachments total size (in KBs); At least one attachment name; Number of attachments |
| | Exfiltrated file by sending it via email | To | Any recipients | All recipients are with trusted domains; At least one recipient address; Number of recipients; BCC recipients exist |
| | | Sender address | Any address | Sender address |
| | | Email subject | Any subject | Email subject |
| | | What file origin | Any origin | Downloaded/Exported from Web; Saved from an email client; Taken from cloud storage sync folder |
| | | Which file | Any file | Exfiltrated file name; File size (in KBs) |
| | | MIP Label of the file? | Any label or no label | Original file label |
| | Exfiltrated file by attaching it to an email client | What file origin? | Any origin | Downloaded/Exported from Web; Saved from an email client; Taken from cloud storage sync folder |
| | | Which file? | Any file | Exfiltrated file name; File size (in KBs) |
| | | MIP Label of the file? | Any label or no label | Original file label |
| | Saved file from an email client | Which file? | Any file | Original file name; File size (in KBs) |
| | | Destination | Any destination | Destination path; The destination is a USB; The destination is a sync folder |
| | | MIP Label of the file? | Any label or no label | Original file label |
| Executed SQL Command | | | | |
| Exfiltrated File - Did What | To any destination | What file origin? | Any origin | Downloaded/Exported from Web; Saved from an email client; Taken from cloud storage sync folder |
| | | Which file? | Any file | Exfiltrated filename; Exfiltrated file path; Original filename; File size (in KBs) |
| | | MIP Label of the file? | Any label or no label | Original file label |
| | To website/web application by upload | To which Website/Web application | Any Website/Web application | Website name; Website URL; Website window title; Website category |
| | | Which file origin | Any origin | Downloaded/Exported from Web; Saved from an email client; Taken from cloud storage sync folder |
| | | Which file | Any file | Exfiltrated filename; Exfiltrated file path; Original filename; File size (in KBs) |
| | | Any label or no label | Any label or no label | Any label or no label |
| | To cloud storage sync folder | To which cloud storage sync folder? | Any sync folder | Vendor name |
| | | What file origin? | Any origin | Downloaded/Exported from Web; Saved from an email client; Taken from cloud storage sync folder |
| | | Which file? | Any file | Exfiltrated filename; Exfiltrated file path; Original filename; File size (in KBs) |
| | | MIP Label of the file? | Any label or no label | Original file label |
| | To USB device | By | Any method | Copy/move to USB; Downloading directly to USB |
| | | To | Any USB | Unlisted USB; White listed USB; USB whose model; USB whose label; USB whose S/N |
| | | What file origin? | Any origin | Downloaded/Exported from Web; Saved from an email client; Taken from cloud storage sync folder |
| | | Which file? | Any file | Exfiltrated filename; Exfiltrated file path; Original filename; File size (in KBs) |
| | | MIP Label of the file? | Any label or no label | Original file label; Exfiltrated file label |
| | By attaching it to an email client | What file origin? | Any origin | Downloaded/Exported from Web; Saved from an email client; Taken from cloud storage sync folder |
| | | Which file? | Any file | Exfiltrated filename; Exfiltrated file path; Original filename; File size (in KBs) |
| | | MIP Label of the file? | Any label | Original file label |
| | By sending it via email | To | Any recipients | All recipients are with trusted domains; At least one recipient address; Number of recipients; BCC recipients exist |
| | | Sender address | Any address | Sender address |
| | | Email subject | Any subject | Email subject |
| | | What file origin? | Any origin | Downloaded/Exported from Web; Saved from an email client; Taken from cloud storage sync folder |
| | | Which file? | Any file | Exfiltrated filename; Exfiltrated file path; Original filename; File size (in KBs) |
| | | MIP Label of the file? | Any label | Original file label |
| Logged In | | | | |
| Pasted - Did What | Any type | | | |
| | Text | | | |
| | Files/Folders | | | |
| | Image | | | |
| Ran Application - Did What | Application name | | | |
| | Application full path | | | |
| | Process name | | | |
| | Window title | | | |
| | Permission level | | | |
| Used Keyboard (Keylogging) Did What | Typed text | | | |
| | Pressed special/combination keys | | | |
| Visited URL - Did What | Site | | | |
| | URL prefix | | | |
| | Any part of URL | | | |
| | Website category | | | |
| | Website category (detailed) | | | |