uberAgent

Common Event Properties

The following event properties can be used with all types of events in uAQL queries.

| Property name | uAQL Data Type | Description | Platform |
|---|---|---|---|
| Process.Id | String | The process' id (e.g., 148) | all |
| Parent.Id | String | The process' parent's id (e.g., 4) | all |
| Process.Name | String | The process' image file name (e.g., Winword.exe) | all |
| Parent.Name | String | The process' parent's image file name (e.g., Winword.exe) | all |
| Process.User.Sid | String | The process' user SID | Win |
| Process.User | String | The process' user name in the format domain\account | all |
| Parent.User.Sid | String | The process' parent's user SID | Win |
| Parent.User | String | The process' parent's user name. Format on Windows: domain\account | all |
| Process.Path | String | The process' full path including the image file name | all |
| Parent.Path | String | The process' parent's full path including the image file name | all |
| Process.CommandLine | String | The process' command line | all |
| Parent.CommandLine | String | The process' parent's command line | all |
| Process.AppName | String | The process' application name (e.g., Microsoft Office) | all |
| Parent.AppName | String | The process' parent's application name (e.g., Microsoft Office) | all |
| Process.AppVersion | String | The process' application version | all |
| Parent.AppVersion | String | The process' parent's application version | all |
| Process.Company | String | The process' company (as stored in the PE image resources) | Win |
| Parent.Company | String | The process' parent's company (as stored in the PE image resources) | Win |
| Process.IsElevated | Boolean | Is the process elevated? | all |
| Parent.IsElevated | Boolean | Is the parent process elevated? | all |
| Process.IsProtected | Boolean | Is the process protected? | Win |
| Parent.IsProtected | Boolean | Is the parent process protected? | Win |
| Process.SessionId | Integer | The process' session ID | all |
| Parent.SessionId | Integer | The process' parent's session ID | all |
| Process.DirectorySdSddl | String | The security descriptor (SD) of the process' directory. The SD is converted to the security descriptor string format (SDDL) for the match. NULL SDs, which grant full access to everyone, are represented as [UA_NULL_SD]. SIDs in the SD are looked up and replaced with names. Hex access masks are replaced with their string representations in SetACL's format. | Win |
| Process.DirectoryUserWriteable | Boolean | Is the process' directory writeable by the user logged on to the session the process is started in? Ignores processes in session 0. | Win |
| Process.Hash.MD5 | String | MD5 hash of the process executable | Win |
| Process.Hash.SHA1 | String | SHA1 hash of the process executable | Win |
| Process.Hash.SHA256 | String | SHA256 hash of the process executable | Win |
| Process.Hash.IMP | String | Import-table hash of the process executable | Win |
| Process.Hashes | String | All enabled hashes for the process, output comma-separated, e.g.: MD5=CFCD208495D565EF66E7DFF9F98764DA,SHA1=B6589FC6AB0DC82CF12099D1C2D40AB994E8410C | Win |
| Parent.Hash.MD5 | String | MD5 hash of the parent process executable | Win |
| Parent.Hash.SHA1 | String | SHA1 hash of the parent process executable | Win |
| Parent.Hash.SHA256 | String | SHA256 hash of the parent process executable | Win |
| Parent.Hash.IMP | String | Import-table hash of the parent process executable | Win |
| Parent.Hashes | String | All enabled hashes for the parent process, output comma-separated, e.g.: MD5=CFCD208495D565EF66E7DFF9F98764DA,SHA1=B6589FC6AB0DC82CF12099D1C2D40AB994E8410C | Win |
| Process.IsSigned | Boolean | Is the process signed? This evaluates to true even if the certificate was revoked or is expired. | Win |
| Process.IsSignedByOSVendor | Boolean | Is the process signed by the vendor of the operating system (e.g., Microsoft)? This evaluates to true even if the certificate was revoked or is expired. | all |
| Process.Signature | String | The signer name. | Win |
| Process.SignatureStatus | String | Evaluates to Valid for a valid certificate and, under Windows, Invalid for an invalid certificate. Under macOS it evaluates to SelfSigned if the binary is ad-hoc signed. It is empty if the process is not signed. | all |
| Process.SigningId | String | The unique identifier associated with the developer's certificate used for signing the bundle or binary. | macOS |
| Process.TeamId | String | A unique identifier assigned by Apple to a specific development team. | macOS |
| Process.CdHash | String | The process's code directory hash. | macOS |
| Parent.IsSigned | Boolean | Is the parent process signed? This evaluates to true even if the certificate was revoked or is expired. | Win |
| Parent.IsSignedByOSVendor | Boolean | Is the parent process signed by the vendor of the operating system (e.g., Microsoft)? This evaluates to true even if the certificate was revoked or is expired. | all |
| Parent.Signature | String | The signer name. | Win |
| Parent.SignatureStatus | String | Evaluates to Valid for a valid certificate and, under Windows, Invalid for an invalid certificate. Under macOS it evaluates to SelfSigned if the binary is ad-hoc signed. It is empty if the parent process is not signed. | all |
| Parent.SigningId | String | The parent process's unique identifier associated with the developer's certificate used for signing the bundle or binary. | macOS |
| Parent.TeamId | String | The parent process's unique identifier assigned by Apple to a specific development team. | macOS |
| Parent.CdHash | String | The parent process's code directory hash. | macOS |

Note for macOS: As all binaries for macOS on Apple Silicon are signed, Process.IsSigned and Parent.IsSigned are always true. To reflect whether a binary is ad-hoc signed (i.e., no valid certificate is included), Process.SignatureStatus and Parent.SignatureStatus are set to SelfSigned. If the binary is not ad-hoc signed, those fields are set to Valid. If the binary is not signed at all (e.g., because it is an Intel binary running under Rosetta 2), those fields are empty.

If a process is already running before uberAgent is started, the following fields might be unavailable:

  • *.CdHash
  • *.IsSigned
  • *.IsSignedByOSVendor
  • *.SignatureStatus
  • *.SigningId
  • *.TeamId

As soon as the affected process calls fork or exec, the values become available.
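Added example, not part of the uberAgent documentation: two Python helpers that interpret the Process.Hashes / Parent.Hashes format and the IsSigned / SignatureStatus combinations described above, the way a consumer of these event properties might before comparing them against an allow list. The expected IMP digest length and the sample events are assumptions.

```python
"""Helpers for the uberAgent event-property formats documented above
(example code, not from uberAgent itself)."""
import re

# Expected hex-digest lengths. IMP is assumed to be MD5-sized (32 hex chars);
# the other lengths follow from the named algorithms.
HASH_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "IMP": 32}


def parse_hashes(hashes: str) -> dict:
    """Parse the comma-separated KEY=HEX format of Process.Hashes.

    Returns {kind: lowercase hex}. Raises ValueError on an unknown kind or
    a digest of the wrong length so that a malformed field is never
    silently matched against an allow or deny list.
    """
    result = {}
    if not hashes:
        return result
    for item in hashes.split(","):
        kind, sep, digest = item.strip().partition("=")
        if not sep:
            raise ValueError(f"missing '=' in hash entry {item!r}")
        kind = kind.upper()
        expected = HASH_HEX_LEN.get(kind)
        if expected is None:
            raise ValueError(f"unknown hash kind {kind!r}")
        if not re.fullmatch(rf"[0-9a-fA-F]{{{expected}}}", digest):
            raise ValueError(f"{kind} digest has wrong format: {digest!r}")
        result[kind] = digest.lower()
    return result


def signing_state(event: dict, prefix: str = "Process") -> str:
    """Classify a process's code signature from the documented fields.

    Follows the macOS note above: IsSigned is always true there, so
    SignatureStatus carries the real information. Missing fields mean the
    process was already running when uberAgent started.
    """
    signed = event.get(f"{prefix}.IsSigned")
    status = event.get(f"{prefix}.SignatureStatus")
    if signed is None or status is None:
        return "unavailable"  # fields arrive after the next fork/exec
    if status == "SelfSigned":
        return "ad-hoc"       # macOS: no valid certificate included
    if status == "Valid":
        return "valid"
    if status == "Invalid":
        return "invalid"      # Windows only, per the table
    if status == "":
        return "unsigned"     # e.g. Intel binary under Rosetta 2
    return "unknown"
```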
