Common Event Properties

The following event properties are available for every event type in uAQL queries. Properties prefixed with Process. describe the process the event belongs to; the corresponding Parent. properties describe its parent process.

| Property name | uAQL data type | Description |
|---|---|---|
| Process.Name | String | The process’ image file name (e.g., Winword.exe) |
| Parent.Name | String | The parent process’ image file name (e.g., Winword.exe) |
| Process.User | String | The process’ user name in the format domain\account |
| Parent.User | String | The parent process’ user name in the format domain\account |
| Process.Path | String | The process’ full path, including the image file name |
| Parent.Path | String | The parent process’ full path, including the image file name |
| Process.CommandLine | String | The process’ command line |
| Parent.CommandLine | String | The parent process’ command line |
| Process.AppName | String | The process’ application name (e.g., Microsoft Office) |
| Parent.AppName | String | The parent process’ application name (e.g., Microsoft Office) |
| Process.AppVersion | String | The process’ application version |
| Parent.AppVersion | String | The parent process’ application version |
| Process.Company | String | The process’ company name (as stored in the PE image’s version resources) |
| Parent.Company | String | The parent process’ company name (as stored in the PE image’s version resources) |
| Process.IsElevated | Boolean | Is the process elevated? |
| Parent.IsElevated | Boolean | Is the parent process elevated? |
| Process.IsProtected | Boolean | Is the process protected? |
| Parent.IsProtected | Boolean | Is the parent process protected? |
| Process.SessionId | Integer | The process’ session ID |
| Parent.SessionId | Integer | The parent process’ session ID |
| Process.DirectorySdSddl | String | The security descriptor (SD) of the directory the process’ image resides in. The SD is converted to security descriptor string format (SDDL) for matching. A NULL SD, which grants full access to everyone, is represented as [UA_NULL_SD]. SIDs in the SD are resolved and replaced with account names, and hexadecimal access masks are replaced with their string representations in SetACL’s format (details). |
| Process.DirectoryUserWriteable | Boolean | Is the directory the process’ image resides in writeable by the user logged on to the session in which the process was started? Processes in session 0 are ignored, so this property is not useful for services and other session 0 processes. |
| Process.Hash | String | The calculated hash of the process’ image file (details) |
| Parent.Hash | String | The calculated hash of the parent process’ image file (details) |
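As an added example (not code from the original page or from the uberAgent documentation), here are two Activity Monitoring rules that combine several of the properties above. They assume the [ActivityMonitoringRule] configuration stanza with the keys RuleName, EventType, Tag, RiskScore and Query, the event type Process.Start, and uAQL's ==, !=, in, and, or and not operators; none of these are shown on this page, so check them against the uAQL reference before deploying. The process names, tags and risk scores are illustrative choices, not values from the page.

```ini
; Added example rules; not part of uberAgent's shipped rule set.
; Rule 1: an Office application spawning a script host or shell.
; Uses Parent.Name / Process.Name pairs and Process.IsElevated.
[ActivityMonitoringRule]
RuleName = Office application spawns a script host
EventType = Process.Start
Tag = office-spawns-script-host
RiskScore = 75
Query = Parent.Name in ["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"] and Process.Name in ["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"]

; Rule 2: a process whose image directory the logged-on user can write to,
; or whose directory has no security descriptor at all ([UA_NULL_SD]).
; Process.DirectoryUserWriteable is only evaluated for interactive sessions
; (session 0 is ignored), so Process.SessionId != 0 makes that scope explicit.
; Process.Company != "Microsoft Corporation" narrows the match away from
; built-in binaries; it is a heuristic, since the company string is taken
; from the PE version resources and is not authenticated.
[ActivityMonitoringRule]
RuleName = Process started from a user-writeable or unprotected directory
EventType = Process.Start
Tag = writeable-image-directory
RiskScore = 60
Query = Process.SessionId != 0 and Process.Company != "Microsoft Corporation" and (Process.DirectoryUserWriteable == true or Process.DirectorySdSddl == "[UA_NULL_SD]")
```

The first rule is the classic macro-to-interpreter chain; the second flags binaries that an unprivileged user could have dropped or replaced, which is the precondition for many persistence and DLL/image planting techniques. When tuning rule 2, remember that Process.DirectoryUserWriteable is computed for the user of the session the process starts in, not for the account in Process.User, so a service account launching something in a user-writeable folder is evaluated against the interactive user, and session 0 processes never match at all.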
