Common Event Properties
The following event properties can be used with all types of events in uAQL queries.
Property name | uAQL Data Type | Description |
---|---|---|
Process.Id | String | The process’ id (e.g., 148) |
Parent.Id | String | The process’ parent’s id (e.g., 4) |
Process.Name | String | The process’ image file name (e.g., Winword.exe) |
Parent.Name | String | The process’ parent’s image file name (e.g., Winword.exe) |
Process.User | String | The process’ user name in the format domain\account |
Parent.User | String | The process’ parent’s user name in the format domain\account |
Process.Path | String | The process’ full path including the image file name |
Parent.Path | String | The process’ parent’s full path including the image file name |
Process.CommandLine | String | The process’ command line |
Parent.CommandLine | String | The process’ parent’s command line |
Process.AppName | String | The process’ application name (e.g., Microsoft Office) |
Parent.AppName | String | The process’ parent’s application name (e.g., Microsoft Office) |
Process.AppVersion | String | The process’ application version |
Parent.AppVersion | String | The process’ parent’s application version |
Process.Company | String | The process’ company (as stored in the PE image resources) |
Parent.Company | String | The process’ parent’s company (as stored in the PE image resources) |
Process.IsElevated | Boolean | Is the process elevated? |
Parent.IsElevated | Boolean | Is the parent process elevated? |
Process.IsProtected | Boolean | Is the process protected? |
Parent.IsProtected | Boolean | Is the parent process protected? |
Process.SessionId | Integer | The process’ session ID |
Parent.SessionId | Integer | The process’ parent’s session ID |
Process.DirectorySdSddl | String | The security descriptor (SD) of the process’ directory. The SD is converted to the security descriptor string format (SDDL) for the match. NULL SDs, which grant full access to everyone, are represented as [UA_NULL_SD]. SIDs in the SD are looked up and replaced with names. Hex access masks are replaced with their string representations in SetACL’s format. |
Process.DirectoryUserWriteable | Boolean | Is the process’ directory writeable by the user that is logged on to the session the process is started in? Ignores processes in session 0. |
Process.Hash.MD5 | String | MD5 hash of the process executable |
Process.Hash.SHA1 | String | SHA1 hash of the process executable |
Process.Hash.SHA256 | String | SHA256 hash of the process executable |
Process.Hash.IMP | String | Import-table hash of the process executable |
Process.Hashes | String | All enabled hashes for the process, output comma-separated, e.g.: MD5=CFCD208495D565EF66E7DFF9F98764DA,SHA1=B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
Parent.Hash.MD5 | String | MD5 hash of the parent process executable |
Parent.Hash.SHA1 | String | SHA1 hash of the parent process executable |
Parent.Hash.SHA256 | String | SHA256 hash of the parent process executable |
Parent.Hash.IMP | String | Import-table hash of the parent process executable |
Parent.Hashes | String | All enabled hashes for the parent process, output comma-separated, e.g.: MD5=CFCD208495D565EF66E7DFF9F98764DA,SHA1=B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
Process.IsSigned | Boolean | Is the process signed? This evaluates to true even if the certificate was revoked or is expired. |
Process.IsSignedByOSVendor | Boolean | Is the process signed by the vendor of the operating system (e.g., Microsoft)? This evaluates to true even if the certificate was revoked or is expired. |
Process.Signature | String | The signer name. |
Process.SignatureStatus | String | Evaluates to Valid for a valid certificate and Invalid for an invalid certificate. It is empty if the process is not signed. |
Parent.IsSigned | Boolean | Is the parent process signed? This evaluates to true even if the certificate was revoked or is expired. |
Parent.IsSignedByOSVendor | Boolean | Is the parent process signed by the vendor of the operating system (e.g., Microsoft)? This evaluates to true even if the certificate was revoked or is expired. |
Parent.Signature | String | The signer name. |
Parent.SignatureStatus | String | Evaluates to Valid for a valid certificate and Invalid for an invalid certificate. It is empty if the parent process is not signed. |
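The Process.Hashes and Parent.Hashes properties pack several digests into one comma-separated string, and the IsSigned properties stay true for revoked or expired certificates, so a consumer of these events has to split the hash list itself and should pair IsSigned with SignatureStatus before trusting a signature. The following Python is an added example, not part of the uberAgent documentation or product: it parses the Hashes string format described above into a dictionary (validating digest length and hex content per algorithm), checks the result against a constructed blocklist, and derives a trust verdict from the signature properties. The digest lengths, the blocklist contents and the sample event are assumptions constructed for the example; the hash values themselves are the ones quoted in the table.

```python
import re

# Expected hex-digest length per algorithm name that appears in the Hashes string.
# MD5 / SHA1 / SHA256 lengths are standard; IMP (import-table hash) is assumed to
# be an MD5-sized digest, as it is in common imphash implementations (assumption).
HEX_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "IMP": 32}


def parse_hashes(value):
    """Parse 'MD5=...,SHA1=...' into {algorithm: lowercase hex digest}.

    An empty value (hashing disabled for the process) yields an empty dict.
    Malformed entries, unknown algorithms and wrong-length digests raise ValueError
    rather than being silently dropped, so a detection rule never matches on garbage.
    """
    result = {}
    if not value:
        return result
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed hash entry: {part!r}")
        algo, digest = part.split("=", 1)
        algo = algo.strip().upper()
        digest = digest.strip().lower()
        expected = HEX_LENGTHS.get(algo)
        if expected is None:
            raise ValueError(f"unknown hash algorithm: {algo}")
        if len(digest) != expected or not re.fullmatch(r"[0-9a-f]+", digest):
            raise ValueError(f"{algo} digest has wrong length or non-hex characters: {digest}")
        result[algo] = digest
    return result


def match_blocklist(hashes, blocklist):
    """Return the first (algorithm, digest) pair present in the blocklist, or None.

    blocklist maps algorithm name to a set of lowercase hex digests; any single
    matching algorithm is enough, so a list with only SHA256 entries still works.
    """
    for algo, digest in hashes.items():
        if digest in blocklist.get(algo, set()):
            return (algo, digest)
    return None


def signature_verdict(is_signed, signature_status):
    """Combine IsSigned with SignatureStatus into one of 'unsigned', 'valid', 'invalid'.

    IsSigned alone is not a trust decision: the table states it is true even for
    revoked or expired certificates, so only SignatureStatus == 'Valid' counts as valid.
    """
    if not is_signed:
        return "unsigned"
    return "valid" if signature_status == "Valid" else "invalid"


def evaluate_event(event, blocklist):
    """Evaluate a constructed process-start event dict (keys named like the uAQL properties)."""
    hashes = parse_hashes(event.get("Process.Hashes", ""))
    return {
        "hashes": hashes,
        "blocklisted": match_blocklist(hashes, blocklist),
        "signature": signature_verdict(event.get("Process.IsSigned", False),
                                       event.get("Process.SignatureStatus", "")),
    }


# Constructed sample event using the hash values quoted in the property table.
SAMPLE_EVENT = {
    "Process.Name": "Winword.exe",
    "Process.Hashes": "MD5=CFCD208495D565EF66E7DFF9F98764DA,SHA1=B6589FC6AB0DC82CF12099D1C2D40AB994E8410C",
    "Process.IsSigned": True,
    "Process.SignatureStatus": "Invalid",   # signed, but the certificate did not validate
}

# Constructed blocklist: pretend the sample SHA1 is a known-bad digest.
SAMPLE_BLOCKLIST = {"SHA1": {"b6589fc6ab0dc82cf12099d1c2d40ab994e8410c"}}

if __name__ == "__main__":
    print(evaluate_event(SAMPLE_EVENT, SAMPLE_BLOCKLIST))
```

Normalising digests to lowercase at parse time means the blocklist can be populated from any source regardless of casing, and raising on unknown algorithms surfaces configuration drift (a newly enabled hash type) instead of hiding it.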