Common Event Properties
The following event properties can be used with all types of events in uAQL queries.
| Property name | uAQL Data Type | Description | Platform |
|---|---|---|---|
| Process.Id | String | The process’ ID (e.g., 148) | all |
| Parent.Id | String | The process’ parent’s ID (e.g., 4) | all |
| Process.Name | String | The process’ image file name (e.g., Winword.exe) | all |
| Parent.Name | String | The process’ parent’s image file name (e.g., Winword.exe) | all |
| Process.User.Sid | String | The process’ user SID | Win |
| Process.User | String | The process’ user name in the format domain\account | all |
| Parent.User.Sid | String | The process’ parent’s user SID | Win |
| Parent.User | String | The process’ parent’s user name. Format on Windows: domain\account | all |
| Process.Path | String | The process’ full path including the image file name | all |
| Parent.Path | String | The process’ parent’s full path including the image file name | all |
| Process.CommandLine | String | The process’ command line | all |
| Parent.CommandLine | String | The process’ parent’s command line | all |
| Process.AppName | String | The process’ application name (e.g., Microsoft Office) | all |
| Parent.AppName | String | The process’ parent’s application name (e.g., Microsoft Office) | all |
| Process.AppVersion | String | The process’ application version | all |
| Parent.AppVersion | String | The process’ parent’s application version | all |
| Process.Company | String | The process’ company (as stored in the PE image resources) | Win |
| Parent.Company | String | The process’ parent’s company (as stored in the PE image resources) | Win |
| Process.IsElevated | Boolean | Is the process elevated? | all |
| Parent.IsElevated | Boolean | Is the parent process elevated? | all |
| Process.IsProtected | Boolean | Is the process protected? | Win |
| Parent.IsProtected | Boolean | Is the parent process protected? | Win |
| Process.SessionId | Integer | The process’ session ID | all |
| Parent.SessionId | Integer | The process’ parent’s session ID | all |
| Process.DirectorySdSddl | String | The security descriptor (SD) of the process’ directory. The SD is converted to the security descriptor string format (SDDL) for the match. NULL SDs, which grant full access to everyone, are represented as [UA_NULL_SD]. SIDs in the SD are looked up and replaced with names. Hex access masks are replaced with their string representations in SetACL’s format (details). | Win |
| Process.DirectoryUserWriteable | Boolean | Is the process’ directory writeable by the user logged on to the session in which the process is started? Ignores processes in session 0. | Win |
| Process.Hash.MD5 | String | MD5 hash of the process executable | Win |
| Process.Hash.SHA1 | String | SHA1 hash of the process executable | Win |
| Process.Hash.SHA256 | String | SHA256 hash of the process executable | Win |
| Process.Hash.IMP | String | Import-table hash of the process executable | Win |
| Process.Hashes | String | All enabled hashes of the process, output comma-separated, e.g.: MD5=CFCD208495D565EF66E7DFF9F98764DA,SHA1=B6589FC6AB0DC82CF12099D1C2D40AB994E8410C | Win |
| Parent.Hash.MD5 | String | MD5 hash of the parent process executable | Win |
| Parent.Hash.SHA1 | String | SHA1 hash of the parent process executable | Win |
| Parent.Hash.SHA256 | String | SHA256 hash of the parent process executable | Win |
| Parent.Hash.IMP | String | Import-table hash of the parent process executable | Win |
| Parent.Hashes | String | All enabled hashes of the parent process, output comma-separated, e.g.: MD5=CFCD208495D565EF66E7DFF9F98764DA,SHA1=B6589FC6AB0DC82CF12099D1C2D40AB994E8410C | Win |
| Process.IsSigned | Boolean | Is the process signed? This evaluates to true even if the certificate was revoked or is expired. | Win |
| Process.IsSignedByOSVendor | Boolean | Is the process signed by the vendor of the operating system (e.g., Microsoft)? This evaluates to true even if the certificate was revoked or is expired. | all |
| Process.Signature | String | The signer name. | Win |
| Process.SignatureStatus | String | Evaluates to Valid for a valid certificate and, under Windows, Invalid for an invalid certificate. Under macOS it evaluates to SelfSigned if the binary is ad-hoc signed. It is empty if the process is not signed. | all |
| Process.SigningId | String | The unique identifier associated with the developer’s certificate used for signing the bundle or binary. | macOS |
| Process.TeamId | String | A unique identifier assigned by Apple to a specific development team. | macOS |
| Process.CdHash | String | The process’s code directory hash. | macOS |
| Parent.IsSigned | Boolean | Is the parent process signed? This evaluates to true even if the certificate was revoked or is expired. | Win |
| Parent.IsSignedByOSVendor | Boolean | Is the parent process signed by the vendor of the operating system (e.g., Microsoft)? This evaluates to true even if the certificate was revoked or is expired. | all |
| Parent.Signature | String | The signer name. | Win |
| Parent.SignatureStatus | String | Evaluates to Valid for a valid certificate and, under Windows, Invalid for an invalid certificate. Under macOS it evaluates to SelfSigned if the binary is ad-hoc signed. It is empty if the parent process is not signed. | all |
| Parent.SigningId | String | The parent process’s unique identifier associated with the developer’s certificate used for signing the bundle or binary. | macOS |
| Parent.TeamId | String | The parent process’s unique identifier assigned by Apple to a specific development team. | macOS |
| Parent.CdHash | String | The parent process’s code directory hash. | macOS |
Note for macOS

Because all binaries for macOS on Apple Silicon are signed, Process.IsSigned and Parent.IsSigned are always true. To reflect whether a binary is ad-hoc signed (i.e., no valid certificate is included), Process.SignatureStatus and Parent.SignatureStatus, respectively, are set to SelfSigned. If the binary is not ad-hoc signed, those fields are set to Valid. If the binary is not signed at all (e.g., because it is an Intel binary running under Rosetta 2), those fields are empty.

If a process is already running before uberAgent is started, the following fields might be unavailable:

- *.CdHash
- *.IsSigned
- *.IsSignedByOSVendor
- *.SignatureStatus
- *.SigningId
- *.TeamId

As soon as the affected process calls fork or exec, the values become available.
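The following is an added example, not uberAgent's own code: it shows how a consumer of these events would parse the Process.Hashes format and classify a process's signing state using the IsSigned/SignatureStatus semantics from the table and the macOS note above. The event dicts are constructed and keyed by uAQL property name; the hash digests reuse the page's example values.

```python
"""Added example (not uberAgent's own code): triage logic over the signing
and hash properties listed above, applying the macOS note. Events are
constructed dicts keyed by uAQL property name."""

STATUS_MAP = {"valid": "valid", "invalid": "invalid", "selfsigned": "ad-hoc"}

def parse_hashes(hashes: str) -> dict:
    """Split 'MD5=...,SHA1=...' (Process.Hashes format) into {algo: hex}."""
    parsed = {}
    for item in hashes.split(","):
        algo, sep, digest = item.strip().partition("=")
        if sep and algo and digest:
            parsed[algo.upper()] = digest.lower()
    return parsed

def signing_state(event: dict, prefix: str = "Process") -> str:
    """Return 'valid', 'invalid', 'ad-hoc', 'unsigned' or 'unknown'.

    IsSigned alone is not enough: on Apple Silicon it is always true, so
    only SignatureStatus separates a real certificate from an ad-hoc
    signature. Both fields may be absent for processes that were already
    running when the agent started; that case is reported as 'unknown'.
    """
    status = event.get(f"{prefix}.SignatureStatus")
    if status is None and event.get(f"{prefix}.IsSigned") is None:
        return "unknown"
    if not status:  # empty status: not signed at all
        return "unsigned"
    return STATUS_MAP.get(status.lower(), "unknown")

def needs_review(event: dict) -> bool:
    """Flag a process without a valid certificate that runs from a
    directory the logged-on user can write to (Windows-only property,
    so it defaults to False when absent)."""
    return (signing_state(event) in ("unsigned", "ad-hoc", "invalid")
            and bool(event.get("Process.DirectoryUserWriteable", False)))

# Constructed sample events; hashes reuse the page's example digests.
WIN_EVENT = {
    "Process.Name": "Winword.exe", "Process.IsSigned": True,
    "Process.SignatureStatus": "Valid", "Process.DirectoryUserWriteable": False,
    "Process.Hashes": "MD5=CFCD208495D565EF66E7DFF9F98764DA,"
                      "SHA1=B6589FC6AB0DC82CF12099D1C2D40AB994E8410C",
}
MAC_ADHOC_EVENT = {
    "Process.Name": "helper", "Process.IsSigned": True,  # always true on Apple Silicon
    "Process.SignatureStatus": "SelfSigned",
}
```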