"Did What?" Conditions Summary
This table summarizes the Did What conditions.
For details, see Defining the "Did What?" Conditions.
| Condition | Options | Options | Default | Options |
|---|---|---|---|---|
| Brought in a File - Did What | By downloading from website/web application | From Which Website/Web application? | Any website/web application |
Website name Website URL Website wiindow title Website category |
| Which file? | Any file | Original file name | ||
| MIP Label of the file? | Any label or no label | Original file label | ||
| By saving attachment from email client | Which file? | Any file |
Original file name File size (in KBs) |
|
| Destination? | Any destination |
Destination path The destination is a USB The destination is a sync folder |
||
| MIP Label of the file? | Any label or no label | Original file label | ||
| By taking a file from cloud storage sync folder | From which cloud storage sync folder? | Any supported sync folder | Vendor name | |
| Which file? | Any file | Original file name | ||
| MIP Label of the file? | Any label or no label | Original file label | ||
| Copied Text Did What | Text Content | |||
| Detect Connected USB - Did What | To which USB | |||
| USB model | ||||
| USB vendor | ||||
| USB label | ||||
| USB S/N | ||||
| USB ID | ||||
| Email - Did What | Sent email using an email client | To | Any recipients |
All recipients are with trusted domains At least one recipient address Number of recipients BCC recipients exist |
| Sender address | Any address | Sender address | ||
| Email subject | Any subject | Email subject | ||
| Attachments | Any |
Email includes attachments Email attachments total size (in KBs) At least one attachment name Number of attachments |
||
| Exfiltrated file by sending it via email | To | Any recipients |
All recipients are with trusted domains At least one recipient address Number of recipients BCC recipients exist |
|
| Sender address | Any address | Sender address | ||
| Email subject | Any subject | Email subject | ||
| What file origin | Any origin |
Downloaded/Exported from Web Saved from an email client Taken from cloud storage sync folder |
||
| Which file | Any file |
Exfiltrated file name File size (in KBs) |
||
| MIP Label of the file? | Any label or no label | Original file label | ||
| Exfiltrated file by attaching it to an email client | What file origin? | Any origin |
Downloaded/Exported from Web Saved from an email client Taken from cloud storage sync folder |
|
| Which file? | Any file |
Exfiltrated file name File size (in KBs) |
||
| MIP Label of the file? | Any label or no label | Original file label | ||
| Saved file from an email client | Which file? | Any file |
Original file name File size (in KBs) |
|
| Destination | Any destination |
Destination path The destination is a USB The destination is a sync folde |
||
| MIP Label of the file? | Any label or no label | Original file label | ||
| Executed SQL Command | ||||
| Exfiltrated File - Did What | To any destination | What file origin? | Any origin |
Downloaded/Exported from Web Saved from an email client Taken from cloud storage sync folder |
| Which file? | Any file |
Exfiltrated filename Exfiltrated file path Original filename File size (in KBs) |
||
| MIP Label of the file? | Any label or no label | Original file label | ||
| To website/web application by upload | To which Website/Web application | Any Website/Web application |
Website name Website URL Website window title Website category |
|
| Which file origin | Any origin |
Downloaded/Exported from Web Saved from an email client Taken from cloud storage sync folder |
||
| Which file | Any file |
Exfiltrated filename Exfiltrated file path Original filename File size (in KBs) |
||
| Any label or no label | Any label or no label | Any label or no label | ||
| To cloud storage sync folder | To which cloud storage sync folder? | Any sync folder | Vendor name | |
| What file origin? | Any origin |
Downloaded/Exported from Web Saved from an email client Taken from cloud storage sync folder |
||
| Which file? | Any file |
Exfiltrated filename Exfiltrated file path Original filename File size (in KBs) |
||
| MIP Label of the file? | Any label or no label | Original file label | ||
| To USB device | By | Any method |
Copy/move to USB Downloading directly to USB |
|
| To | Any USB |
Unlisted US White listed USB USB whose mode USB whose label USB whose S/N USB whose ID |
||
| What file origin? | Any origin |
Downloaded/Exported from Web Saved from an email client Taken from cloud storage sync folder |
||
| Which file? | Any file |
Exfiltrated filename Exfiltrated file path Original filename File size (in KBs) |
||
| MIP Label of the file? | Any label or no label |
Original file label Exfiltrated file label |
||
| By attaching it to an email client | What file origin? | Any origin |
Downloaded/Exported from Web Saved from an email client Taken from cloud storage sync folder |
|
| Which file? | Any file |
Exfiltrated filename Exfiltrated file path Original filename File size (in KBs) |
||
| MIP Label of the file? | Any label | Original file label | ||
| By sending it via email | To | Any recipients |
All recipients are with trusted domains At least one recipient address Number of recipients BCC recipients exist |
|
| Sender address | Any address | Sender address | ||
| Email subject | Any subject | Email subject | ||
| What file origin? | Any origin |
Downloaded/Exported from Web Saved from an email client Taken from cloud storage sync folder |
||
| Which file? | Any file |
Exfiltrated filename Exfiltrated file path Original filename File size (in KBs) |
||
| MIP Label of the file? | Any label | Original file label | ||
| Logged In | ||||
| Pasted - Did What | Any type | |||
| Text | ||||
| Files/Folders | ||||
| Image | ||||
| Ran Application - Did What | Application name | |||
| Application full path | ||||
| Process name | ||||
| Window title | ||||
| Permission level | ||||
| Used Keyboard (Keylogging) Did What | Typed text | |||
| Pressed special/combination keys | ||||
| Visited URL - Did What | Site | |||
| URL prefix | ||||
| Any part of URL | ||||
| Website category | ||||
| Website category (detailed) |