Proofpoint | ObserveIT On-Premises Insider Threat Management

"Did What?" Conditions Summary

This table summarizes the Did What conditions.

For details, see Defining the "Did What?" Conditions.

Condition Options Options Default Options
Brought in a File - Did What By downloading from website/web application From Which Website/Web application? Any website/web application

Website name

Website URL

Website window title

Website category

Which file? Any file Original file name
MIP Label of the file? Any label or no label Original file label
By saving attachment from email client Which file? Any file

Original file name

File size (in KBs)

Destination? Any destination

Destination path

The destination is a USB

The destination is a sync folder

MIP Label of the file? Any label or no label Original file label
By taking a file from cloud storage sync folder From which cloud storage sync folder? Any supported sync folder Vendor name
Which file? Any file Original file name
MIP Label of the file? Any label or no label Original file label
Copied Text Did What Text Content      
Detect Connected USB - Did What To which USB      
USB model      
USB vendor      
USB label      
USB S/N      
USB ID      
 Email - Did What  Sent email using an email client To Any recipients

All recipients are with trusted domains

At least one recipient address

Number of recipients

BCC recipients exist

Sender address Any address Sender address
Email subject Any subject Email subject
Attachments Any

Email includes attachments

Email attachments total size (in KBs)

At least one attachment name

Number of attachments

Exfiltrated file by sending it via email To Any recipients

All recipients are with trusted domains

At least one recipient address

Number of recipients

BCC recipients exist

Sender address Any address Sender address
Email subject Any subject Email subject
What file origin Any origin

Downloaded/Exported from Web

Saved from an email client

Taken from cloud storage sync folder

Which file Any file

Exfiltrated file name

File size (in KBs)

MIP Label of the file? Any label or no label Original file label
Exfiltrated file by attaching it to an email client What file origin? Any origin

Downloaded/Exported from Web

Saved from an email client

Taken from cloud storage sync folder

Which file? Any file

Exfiltrated file name

File size (in KBs)

MIP Label of the file? Any label or no label Original file label
Saved file from an email client Which file? Any file

Original file name

File size (in KBs)

Destination Any destination

Destination path

The destination is a USB

The destination is a sync folder

MIP Label of the file? Any label or no label Original file label
Executed SQL Command        
Exfiltrated File - Did What To any destination What file origin? Any origin

Downloaded/Exported from Web

Saved from an email client

Taken from cloud storage sync folder

Which file? Any file

Exfiltrated filename

Exfiltrated file path

Original filename

File size (in KBs)

MIP Label of the file? Any label or no label Original file label
To website/web application by upload To which Website/Web application Any Website/Web application

Website name

Website URL

Website window title

Website category

Which file origin Any origin

Downloaded/Exported from Web

Saved from an email client

Taken from cloud storage sync folder

Which file Any file

Exfiltrated filename

Exfiltrated file path

Original filename

File size (in KBs)

Any label or no label Any label or no label Any label or no label
To cloud storage sync folder To which cloud storage sync folder? Any sync folder Vendor name
What file origin? Any origin

Downloaded/Exported from Web

Saved from an email client

Taken from cloud storage sync folder

Which file? Any file

Exfiltrated filename

Exfiltrated file path

Original filename

File size (in KBs)

MIP Label of the file? Any label or no label Original file label
To USB device By Any method

Copy/move to USB

Downloading directly to USB

To Any USB

Unlisted USB

White listed USB
USB whose vendor

USB whose model

USB whose label

USB whose S/N

USB whose ID

What file origin? Any origin

Downloaded/Exported from Web

Saved from an email client

Taken from cloud storage sync folder

Which file? Any file

Exfiltrated filename

Exfiltrated file path

Original filename

File size (in KBs)

MIP Label of the file? Any label or no label

Original file label

Exfiltrated file label

By attaching it to an email client What file origin? Any origin

Downloaded/Exported from Web

Saved from an email client

Taken from cloud storage sync folder

Which file? Any file

Exfiltrated filename

Exfiltrated file path

Original filename

File size (in KBs)

MIP Label of the file? Any label Original file label
By sending it via email To Any recipients

All recipients are with trusted domains

At least one recipient address

Number of recipients

BCC recipients exist

Sender address Any address Sender address
Email subject Any subject Email subject
What file origin? Any origin

Downloaded/Exported from Web

Saved from an email client

Taken from cloud storage sync folder

Which file? Any file

Exfiltrated filename

Exfiltrated file path

Original filename

File size (in KBs)

MIP Label of the file? Any label Original file label
Logged In        
Pasted - Did What Any type      
Text      
Files/Folders      
Image      
Ran Application - Did What Application name      
Application full path      
Process name      
Window title      
Permission level      
Used Keyboard (Keylogging) Did What Typed text      
Pressed special/combination keys      
Visited URL - Did What Site      
URL prefix      
Any part of URL      
Website category      
Website category (detailed)      

 

version 7.12.2