uberAgent

Common Event Properties

The following event properties can be used with all types of events in uAQL queries.

| Property name | uAQL data type | Description |
|---|---|---|
| Process.Id | String | The process's ID (e.g., 148) |
| Parent.Id | String | The parent process's ID (e.g., 4) |
| Process.Name | String | The process's image file name (e.g., Winword.exe) |
| Parent.Name | String | The parent process's image file name (e.g., Winword.exe) |
| Process.User | String | The process's user name in the format domain\account |
| Parent.User | String | The parent process's user name in the format domain\account |
| Process.Path | String | The process's full path, including the image file name |
| Parent.Path | String | The parent process's full path, including the image file name |
| Process.CommandLine | String | The process's command line |
| Parent.CommandLine | String | The parent process's command line |
| Process.AppName | String | The process's application name (e.g., Microsoft Office) |
| Parent.AppName | String | The parent process's application name (e.g., Microsoft Office) |
| Process.AppVersion | String | The process's application version |
| Parent.AppVersion | String | The parent process's application version |
| Process.Company | String | The process's company name (as stored in the PE image's version resources) |
| Parent.Company | String | The parent process's company name (as stored in the PE image's version resources) |
| Process.IsElevated | Boolean | Is the process elevated? |
| Parent.IsElevated | Boolean | Is the parent process elevated? |
| Process.IsProtected | Boolean | Is the process protected? |
| Parent.IsProtected | Boolean | Is the parent process protected? |
| Process.SessionId | Integer | The process's session ID |
| Parent.SessionId | Integer | The parent process's session ID |
| Process.DirectorySdSddl | String | The security descriptor (SD) of the process's directory. The SD is converted to the security descriptor string format (SDDL) for the match. NULL SDs, which grant full access to everyone, are represented as [UA_NULL_SD]. SIDs in the SD are looked up and replaced with account names. Hexadecimal access masks are replaced with their string representations in SetACL's format. |
| Process.DirectoryUserWriteable | Boolean | Is the process's directory writeable by the user logged on to the session the process was started in? Ignores processes in session 0. |
| Process.Hash.MD5 | String | MD5 hash of the process executable |
| Process.Hash.SHA1 | String | SHA1 hash of the process executable |
| Process.Hash.SHA256 | String | SHA256 hash of the process executable |
| Process.Hash.IMP | String | Import-table hash (imphash) of the process executable |
| Process.Hashes | String | All enabled hashes of the process executable, comma-separated, e.g.: MD5=CFCD208495D565EF66E7DFF9F98764DA,SHA1=B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
| Parent.Hash.MD5 | String | MD5 hash of the parent process executable |
| Parent.Hash.SHA1 | String | SHA1 hash of the parent process executable |
| Parent.Hash.SHA256 | String | SHA256 hash of the parent process executable |
| Parent.Hash.IMP | String | Import-table hash (imphash) of the parent process executable |
| Parent.Hashes | String | All enabled hashes of the parent process executable, comma-separated, e.g.: MD5=CFCD208495D565EF66E7DFF9F98764DA,SHA1=B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
| Process.IsSigned | Boolean | Is the process executable signed? This is true whenever a signature is present, even if the certificate has been revoked or has expired; use Process.SignatureStatus to check validity. |
| Process.IsSignedByOSVendor | Boolean | Is the process executable signed by the vendor of the operating system (e.g., Microsoft)? This is true whenever such a signature is present, even if the certificate has been revoked or has expired. |
| Process.Signature | String | The signer name of the process executable. |
| Process.SignatureStatus | String | Valid if the certificate is valid, Invalid if it is not. Empty if the process executable is not signed. |
| Parent.IsSigned | Boolean | Is the parent process executable signed? This is true whenever a signature is present, even if the certificate has been revoked or has expired; use Parent.SignatureStatus to check validity. |
| Parent.IsSignedByOSVendor | Boolean | Is the parent process executable signed by the vendor of the operating system (e.g., Microsoft)? This is true whenever such a signature is present, even if the certificate has been revoked or has expired. |
| Parent.Signature | String | The signer name of the parent process executable. |
| Parent.SignatureStatus | String | Valid if the certificate is valid, Invalid if it is not. Empty if the parent process executable is not signed. |
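Two worked activity monitoring rules that combine these properties, added here as an illustration; they are not part of the uberAgent documentation above. The rule stanza layout (RuleName, EventType, Tag, RiskScore, Query) and the uAQL operators used (==, in [...], and, not) follow uberAgent ESA's activity monitoring configuration as the editor understands it; verify both against the configuration and uAQL references for your uberAgent version. The tag names and risk scores are arbitrary choices.

```ini
; Added example rules, not from the uberAgent documentation page.
; Assumptions: stanza fields and uAQL syntax as described in the lead-in;
; tag names and risk scores are illustrative only.

; Rule 1: an Office application spawns a shell or script host.
; Relies on Parent.Name and Process.Name from the common properties.
[ActivityMonitoringRule]
RuleName = Office application starts a shell or script host
EventType = Process.Start
Tag = proc-start-office-shell
RiskScore = 75
Query = Parent.Name in ["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"] and Process.Name in ["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"]

; Rule 2: executable started from a directory the logged-on user can write to
; that does not carry a currently valid signature.
; Process.IsSigned alone is not enough: it is true for revoked and expired
; certificates, so validity must be checked via Process.SignatureStatus.
; Process.DirectoryUserWriteable ignores session 0, so services are not matched.
[ActivityMonitoringRule]
RuleName = Unsigned or invalidly signed executable in user-writable directory
EventType = Process.Start
Tag = proc-start-user-writable-unsigned
RiskScore = 60
Query = Process.DirectoryUserWriteable == true and not (Process.IsSigned == true and Process.SignatureStatus == "Valid")
```

Rule 2 is the one to tune first: per-user installers (browsers, chat clients) legitimately run signed binaries from %LOCALAPPDATA%, which is why the query only fires when the signature is absent or invalid rather than on the writable directory alone.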