This documentation does not apply to the most recent version of uberAgent.
Common Event Properties
The following event properties can be used with all types of events in uAQL queries.
Property name | uAQL Data Type | Description |
---|---|---|
Process.Name | String | The process’ image file name (e.g., Winword.exe) |
Parent.Name | String | The process’ parent’s image file name (e.g., Winword.exe) |
Process.User | String | The process’ user name in the format domain\account |
Parent.User | String | The process’ parent’s user name in the format domain\account |
Process.Path | String | The process’ full path including the image file name |
Parent.Path | String | The process’ parent’s full path including the image file name |
Process.CommandLine | String | The process’ command line |
Parent.CommandLine | String | The process’ parent’s command line |
Process.AppName | String | The process’ application name (e.g., Microsoft Office) |
Parent.AppName | String | The process’ parent’s application name (e.g., Microsoft Office) |
Process.AppVersion | String | The process’ application version |
Parent.AppVersion | String | The process’ parent’s application version |
Process.Company | String | The process’ company (as stored in the PE image resources) |
Parent.Company | String | The process’ parent’s company (as stored in the PE image resources) |
Process.IsElevated | Boolean | Is the process elevated? |
Parent.IsElevated | Boolean | Is the parent process elevated? |
Process.IsProtected | Boolean | Is the process protected? |
Parent.IsProtected | Boolean | Is the parent process protected? |
Process.SessionId | Integer | The process’ session ID |
Parent.SessionId | Integer | The process’ parent’s session ID |
Process.DirectorySdSddl | String | The security descriptor (SD) of the process’ directory. The SD is converted to the security descriptor string format (SDDL) for the match. NULL SDs, which grant full access to everyone, are represented as [UA_NULL_SD]. SIDs in the SD are looked up and replaced with names. Hex access masks are replaced with their string representations in SetACL’s format (details). |
Process.DirectoryUserWriteable | Boolean | Is the process’ directory writeable by the user that is logged on the session the process is started in? Ignores processes in session 0. |
Process.Hash | String | The calculated hash of the process (details) |
Parent.Hash | String | The calculated hash of the parent process (details) |