The following event properties can be used with all types of events in uAQL queries.
Property name
uAQL Data Type
Description
Process.Name
String
The process’ image file name (e.g., Winword.exe)
Parent.Name
String
The process’ parent’s image file name (e.g., Winword.exe)
Process.User
String
The process’ user name in the format domain\account
Parent.User
String
The process’ parent’s user name in the format domain\account
Process.Path
String
The process’ full path including the image file name
Parent.Path
String
The process’ parent’s full path including the image file name
Process.CommandLine
String
The process’ command line
Parent.CommandLine
String
The process’ parent’s command line
Process.AppName
String
The process’ application name (e.g., Microsoft Office)
Parent.AppName
String
The process’ parent’s application name (e.g., Microsoft Office)
Process.AppVersion
String
The process’ application version
Parent.AppVersion
String
The process’ parent’s application version
Process.Company
String
The process’ company (as stored in the PE image resources)
Parent.Company
String
The process’ parent’s company (as stored in the PE image resources)
Process.IsElevated
Boolean
Is the process elevated?
Parent.IsElevated
Boolean
Is the parent process elevated?
Process.IsProtected
Boolean
Is the process protected?
Parent.IsProtected
Boolean
Is the parent process protected?
Process.SessionId
Integer
The process’ session ID
Parent.SessionId
Integer
The process’ parent’s session ID
Process.DirectorySdSddl
String
The security descriptor (SD) of the process’ directory. The SD is converted to the security descriptor string format (SDDL) for the match. NULL SDs, which grant full access to everyone, are represented as [UA_NULL_SD]. SIDs in the SD are looked up and replaced with names. Hex access masks are replaced with their string representations in SetACL’s format (details).
Process.DirectoryUserWriteable
Boolean
Is the process’ directory writeable by the user that is logged on the session the process is started in? Ignores processes in session 0.
Common Event Properties
The following event properties can be used with all types of events in uAQL queries.
Process.NameWinword.exe)Parent.NameWinword.exe)Process.Userdomain\accountParent.Userdomain\accountProcess.PathParent.PathProcess.CommandLineParent.CommandLineProcess.AppNameMicrosoft Office)Parent.AppNameMicrosoft Office)Process.AppVersionParent.AppVersionProcess.CompanyParent.CompanyProcess.IsElevatedParent.IsElevatedProcess.IsProtectedParent.IsProtectedProcess.SessionIdParent.SessionIdProcess.DirectorySdSddl[UA_NULL_SD]. SIDs in the SD are looked up and replaced with names. Hex access masks are replaced with their string representations in SetACL’s format (details).Process.DirectoryUserWriteableProcess.HashParent.Hash