"Did What?" Conditions Summary

This table summarizes the Did What conditions.

For details, see Defining the "Did What?" Conditions.

Condition Options Options Default Options
Brought in a File - Did What By downloading from website/web application From Which Website/Web application? Any website/web application

Website name

Website URL

Website wiindow title

Website category

Which file? Any file Original file name
MIP Label of the file? Any label or no label Original file label
By saving attachment from email client Which file? Any file

Original file name

File size (in KBs)

Destination? Any destination

Destination path

The destination is a USB

The destination is a sync folder

MIP Label of the file? Any label or no label Original file label
By taking a file from cloud storage sync folder From which cloud storage sync folder? Any supported sync folder Vendor name
Which file? Any file Original file name
MIP Label of the file? Any label or no label Original file label
Copied Text Did What Text Content      
Detect Connected USB - Did What To which USB      
USB model      
USB vendor      
USB label      
USB S/N      
USB ID      
 Email - Did What  Sent email using an email client To Any recipients

All recipients are with trusted domains

At least one recipient address

Number of recipients

BCC recipients exist

Sender address Any address Sender address
Email subject Any subject Email subject
Attachments Any

Email includes attachments

Email attachments total size (in KBs)

At least one attachment name

Number of attachments

Exfiltrated file by sending it via email To Any recipients

All recipients are with trusted domains

At least one recipient address

Number of recipients

BCC recipients exist

Sender address Any address Sender address
Email subject Any subject Email subject
What file origin Any origin

Downloaded/Exported from Web

Saved from an email client

Taken from cloud storage sync folder

Which file Any file

Exfiltrated file name

File size (in KBs)

MIP Label of the file? Any label or no label Original file label
Exfiltrated file by attaching it to an email client What file origin? Any origin

Downloaded/Exported from Web

Saved from an email client

Taken from cloud storage sync folder

Which file? Any file

Exfiltrated file name

File size (in KBs)

MIP Label of the file? Any label or no label Original file label
Saved file from an email client Which file? Any file

Original file name

File size (in KBs)

Destination Any destination

Destination path

The destination is a USB

The destination is a sync folde

MIP Label of the file? Any label or no label Original file label
Executed SQL Command        
Exfiltrated File - Did What To any destination What file origin? Any origin

Downloaded/Exported from Web

Saved from an email client

Taken from cloud storage sync folder

Which file? Any file

Exfiltrated filename

Exfiltrated file path

Original filename

File size (in KBs)

MIP Label of the file? Any label or no label Original file label
To website/web application by upload To which Website/Web application Any Website/Web application

Website name

Website URL

Website window title

Website category

Which file origin Any origin

Downloaded/Exported from Web

Saved from an email client

Taken from cloud storage sync folder

Which file Any file

Exfiltrated filename

Exfiltrated file path

Original filename

File size (in KBs)

Any label or no label Any label or no label Any label or no label
To cloud storage sync folder To which cloud storage sync folder? Any sync folder Vendor name
What file origin? Any origin

Downloaded/Exported from Web

Saved from an email client

Taken from cloud storage sync folder

Which file? Any file

Exfiltrated filename

Exfiltrated file path

Original filename

File size (in KBs)

MIP Label of the file? Any label or no label Original file label
To USB device By Any method

Copy/move to USB

Downloading directly to USB

To Any USB

Unlisted US

White listed USB
USB whose vendor

USB whose mode

USB whose label

USB whose S/N

USB whose ID

What file origin? Any origin

Downloaded/Exported from Web

Saved from an email client

Taken from cloud storage sync folder

Which file? Any file

Exfiltrated filename

Exfiltrated file path

Original filename

File size (in KBs)

MIP Label of the file? Any label or no label

Original file label

Exfiltrated file label

By attaching it to an email client What file origin? Any origin

Downloaded/Exported from Web

Saved from an email client

Taken from cloud storage sync folder

Which file? Any file

Exfiltrated filename

Exfiltrated file path

Original filename

File size (in KBs)

MIP Label of the file? Any label Original file label
By sending it via email To Any recipients

All recipients are with trusted domains

At least one recipient address

Number of recipients

BCC recipients exist

Sender address Any address Sender address
Email subject Any subject Email subject
What file origin? Any origin

Downloaded/Exported from Web

Saved from an email client

Taken from cloud storage sync folder

Which file? Any file

Exfiltrated filename

Exfiltrated file path

Original filename

File size (in KBs)

MIP Label of the file? Any label Original file label
Logged In        
Pasted - Did What Any type      
Text      
Files/Folders      
Image      
Ran Application - Did What Application name      
Application full path      
Process name      
Window title      
Permission level      
Used Keyboard (Keylogging) Did What Typed text      
Pressed special/combination keys      
Visited URL - Did What Site      
URL prefix      
Any part of URL      
Website category      
Website category (detailed)