Common Event Properties
The following event properties can be used with all types of events in uAQL queries.
Note for macOS:
As all binaries for macOS on Apple Silicon are signed, Process.IsSigned and Parent.IsSigned are always true. To reflect if a binary is ad-hoc signed (i.e. there is no valid certificate included) Process.SignatureStatus, respectively Parent.SignatureStatus, are set to “SelfSigned”. If the binary is not ad-hoc signed those fields are set to “Valid”. If the binary is not signed at all (e.g. because it is an Intel binary running under Rosetta 2) those fields will be empty.
| Property name | uAQL Data Type | Description | Platform |
|---|---|---|---|
Process.Id |
String | The process’ id (e.g., 148) |
all |
Parent.Id |
String | The process’ parent’s id (e.g., 4) |
all |
Process.Name |
String | The process’ image file name (e.g., Winword.exe) |
all |
Parent.Name |
String | The process’ parent’s image file name (e.g., Winword.exe) |
all |
Process.User.Sid |
String | The process’ user SID | Win |
Process.User |
String | The process’ user name in the format domain\account |
all |
Parent.User.Sid |
String | The process’ parent’s user SID | Win |
Parent.User |
String | The process’ parent’s user name. Format on Windows: domain\account |
all |
Process.Path |
String | The process’ full path including the image file name | all |
Parent.Path |
String | The process’ parent’s full path including the image file name | all |
Process.CommandLine |
String | The process’ command line | all |
Parent.CommandLine |
String | The process’ parent’s command line | all |
Process.AppName |
String | The process’ application name (e.g., Microsoft Office) |
all |
Parent.AppName |
String | The process’ parent’s application name (e.g., Microsoft Office) |
all |
Process.AppVersion |
String | The process’ application version | all |
Parent.AppVersion |
String | The process’ parent’s application version | all |
Process.Company |
String | The process’ company (as stored in the PE image resources) | Win |
Parent.Company |
String | The process’ parent’s company (as stored in the PE image resources) | Win |
Process.IsElevated |
Boolean | Is the process elevated? | all |
Parent.IsElevated |
Boolean | Is the parent process elevated? | all |
Process.IsProtected |
Boolean | Is the process protected? | Win |
Parent.IsProtected |
Boolean | Is the parent process protected? | Win |
Process.SessionId |
Integer | The process’ session ID | all |
Parent.SessionId |
Integer | The process’ parent’s session ID | all |
Process.DirectorySdSddl |
String | The security descriptor (SD) of the process’ directory. The SD is converted to the security descriptor string format (SDDL) for the match. NULL SDs, which grant full access to everyone, are represented as [UA_NULL_SD]. SIDs in the SD are looked up and replaced with names. Hex access masks are replaced with their string representations in SetACL’s format (details). |
Win |
Process.DirectoryUserWriteable |
Boolean | Is the process’ directory writeable by the user that is logged on the session the process is started in? Ignores processes in session 0. | Win |
Process.Hash.MD5 |
String | MD5 hash of the process executable | Win |
Process.Hash.SHA1 |
String | SHA1 hash of the process executable | Win |
Process.Hash.SHA256 |
String | SHA256 hash of the process executable | Win |
Process.Hash.IMP |
String | Import-table hash of the process executable | Win |
Process.Hashes |
String | All enabled hashes for process are output comma-separated, e.g.: MD5=CFCD208495D565EF66E7DFF9F98764DA,SHA1=B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
Win |
Parent.Hash.MD5 |
String | MD5 hash of the parent process executable | Win |
Parent.Hash.SHA1 |
String | SHA1 hash of the parent process executable | Win |
Parent.Hash.SHA256 |
String | SHA256 hash of the parent process executable | Win |
Parent.Hash.IMP |
String | Import-table hash of the parent process executable | Win |
Parent.Hashes |
String | All enabled hashes for parent process are output comma-separated, e.g.: MD5=CFCD208495D565EF66E7DFF9F98764DA,SHA1=B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
Win |
Process.IsSigned |
Boolean | Is the process signed? This evaluates to true even if the certificate was revoked or is expired. |
Win |
Process.IsSignedByOSVendor |
Boolean | Is the process signed by the vendor of the operating system (e.g. Microsoft)? This evaluates to true even if the certificate was revoked or is expired. |
all |
Process.Signature |
String | The signer name. | Win |
Process.SignatureStatus |
String | Evaluates to Valid for a valid certificate and, under Windows, Invalid for an invalid certificate. Furthermore, it evaluates to SelfSigned under macOS if the binary is ad-hoc signed. It is empty if the process is not signed. |
all |
Parent.IsSigned |
Boolean | Is the parent process signed? This evaluates to true even if the certificate was revoked or is expired. |
Win |
Parent.IsSignedByOSVendor |
Boolean | Is the parent process signed by the vendor of the operating system (e.g. Microsoft)? This evaluates to true even if the certificate was revoked or is expired. |
all |
Parent.Signature |
String | The signer name. | Win |
Parent.SignatureStatus |
String | Evaluates to Valid for a valid certificate and, under Windows, Invalid for an invalid certificate. Furthermore, it evaluates to SelfSigned under macOS if the binary is ad-hoc signed. It is empty if the parent process is not signed. |
all |