Common Event Properties

The following event properties can be used with all types of events in uAQL queries.

| Property name | uAQL Data Type | Description |
| --- | --- | --- |
| Process.Name | String | The process’ image file name (e.g., Winword.exe) |
| Parent.Name | String | The process’ parent’s image file name (e.g., Winword.exe) |
| Process.User | String | The process’ user name in the format domain\account |
| Parent.User | String | The process’ parent’s user name in the format domain\account |
| Process.Path | String | The process’ full path including the image file name |
| Parent.Path | String | The process’ parent’s full path including the image file name |
| Process.CommandLine | String | The process’ command line |
| Parent.CommandLine | String | The process’ parent’s command line |
| Process.App.Name | String | The process’ application name (e.g., Microsoft Office) |
| Parent.App.Name | String | The process’ parent’s application name (e.g., Microsoft Office) |
| Process.App.Version | String | The process’ application version |
| Parent.App.Version | String | The process’ parent’s application version |
| Process.Company | String | The process’ company (as stored in the PE image resources) |
| Parent.Company | String | The process’ parent’s company (as stored in the PE image resources) |
| Process.IsElevated | Boolean | Is the process elevated? |
| Parent.IsElevated | Boolean | Is the parent process elevated? |
| Process.IsProtected | Boolean | Is the process protected? |
| Parent.IsProtected | Boolean | Is the parent process protected? |
| Process.Session.Id | Integer | The process’ session ID |
| Parent.Session.Id | Integer | The process’ parent’s session ID |
| Process.Directory.SdSddl | String | The security descriptor (SD) of the process’ directory. The SD is converted to the security descriptor string format (SDDL) for the match. NULL SDs, which grant full access to everyone, are represented as [UA_NULL_SD]. SIDs in the SD are looked up and replaced with names. Hex access masks are replaced with their string representations in SetACL’s format (details). |
| Process.Directory.UserWriteable | Boolean | Is the process’ directory writeable by the user that is logged on to the session the process is started in? Ignores processes in session 0. |
| Process.Hash.Type | Integer | The type of the hash. 1 = MD5, 2 = SHA-1, 3 = SHA-256, 4 = ImpHash (details) |
| Process.Hash.Value | | |