Common Event Properties

The following event properties can be used with all types of events in uAQL queries.

| Property name | uAQL data type | Description |
|---|---|---|
| Process.Name | String | The process’ image file name (e.g., Winword.exe) |
| Parent.Name | String | The process’ parent’s image file name (e.g., Winword.exe) |
| Process.User | String | The process’ user name in the format domain\account |
| Parent.User | String | The process’ parent’s user name in the format domain\account |
| Process.Path | String | The process’ full path including the image file name |
| Parent.Path | String | The process’ parent’s full path including the image file name |
| Process.CommandLine | String | The process’ command line |
| Parent.CommandLine | String | The process’ parent’s command line |
| Process.AppName | String | The process’ application name (e.g., Microsoft Office) |
| Parent.AppName | String | The process’ parent’s application name (e.g., Microsoft Office) |
| Process.AppVersion | String | The process’ application version |
| Parent.AppVersion | String | The process’ parent’s application version |
| Process.Company | String | The process’ company (as stored in the PE image resources) |
| Parent.Company | String | The process’ parent’s company (as stored in the PE image resources) |
| Process.IsElevated | Boolean | Is the process elevated? |
| Parent.IsElevated | Boolean | Is the parent process elevated? |
| Process.IsProtected | Boolean | Is the process protected? |
| Parent.IsProtected | Boolean | Is the parent process protected? |
| Process.SessionId | Integer | The process’ session ID |
| Parent.SessionId | Integer | The process’ parent’s session ID |
| Process.DirectorySdSddl | String | The security descriptor (SD) of the process’ directory. The SD is converted to the security descriptor string format (SDDL) for the match. NULL SDs, which grant full access to everyone, are represented as [UA_NULL_SD]. SIDs in the SD are looked up and replaced with names. Hex access masks are replaced with their string representations in SetACL’s format. |
| Process.DirectoryUserWriteable | Boolean | Is the process’ directory writeable by the user logged on to the session in which the process was started? Ignores processes in session 0. |
| Process.Hash.MD5 | String | MD5 hash of the process executable |
| Process.Hash.SHA1 | String | SHA1 hash of the process executable |
| Process.Hash.SHA256 | String | SHA256 hash of the process executable |
| Process.Hash.IMP | String | Import-table hash of the process executable |
| Parent.Hash.MD5 | String | MD5 hash of the parent process executable |
| Parent.Hash.SHA1 | String | SHA1 hash of the parent process executable |
| Parent.Hash.SHA256 | String | SHA256 hash of the parent process executable |
| Parent.Hash.IMP | String | Import-table hash of the parent process executable |
| Image.Hash.MD5 | String | MD5 hash of the image |
| Image.Hash.SHA1 | String | SHA1 hash of the image |
| Image.Hash.SHA256 | String | SHA256 hash of the image |
| Image.Hash.IMP | String | Import-table hash of the image |
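As an added illustration (not part of the original documentation) of how the properties above combine in a detection query, the following activity monitoring rule flags elevated processes started from a directory the logged-on user can write to, except when the parent is one of a small allow-list of installers. The rule stanza layout (`[ActivityMonitoringRule]`, `EventType`, `RiskScore`, `Query`) and the `in [...]` / `and` / `not` operators are assumed here; only the property names come from the table.

```ini
; Added example rule, not from the original page. Stanza keys and operators are assumed;
; the event properties are the ones documented in the table above.
[ActivityMonitoringRule]
RuleName = Elevated process launched from user-writeable directory
; Assumed event type name for process start events
EventType = Process.Start
Tag = elevated-from-user-writeable-dir
RiskScore = 70
; Process.DirectoryUserWriteable already ignores session 0, so service and
; system processes do not produce noise here. The parent allow-list covers
; legitimate installers that commonly spawn elevated children from %TEMP%;
; the parent names are constructed examples and should be tuned per environment.
Query = Process.IsElevated == true and Process.DirectoryUserWriteable == true and not (Parent.Name in ["msiexec.exe", "setup.exe"])
```

Combining a Boolean property with a parent-process allow-list keeps the rule focused on the risky case (privileged code running from a location an unprivileged user controls) while avoiding alerts on routine software installation.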
