Skip to main content
Skip table of contents


The software or hardware device version described in either the process, object, or entity.

Data Type




Client Console Full Name


Client Console Short Name


Web Console Tab/Name


Elasticsearch Field Name


Rule Builder Column Name


Regex Pattern


NetMon Name

Varies by protocol (most commonly ProtocolVersion)

Field Relationships

  • Object (version describes object)
  • Process (version describes process)
  • Entity
  • Host Fields
  • User Agent (previously version was abused to contain user agent)

Common Applications

  • Vulnerability scanners
  • Virus scanners
  • Asset inventory

Use Case

If multiple versions are contained in log, the priority is to capture the version of the object of the log, not the version of the product creating the log.

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

Prioritize the version of an end object over the version of a product generating the log.


Correct Examples

  • Cb Response

05 13 2016 19:56:26 <USER:NOTE> LEEF:1.0|CB|CB|5.1||cb_server=cbserver cb_version=211 company_name=RecordFlow Technology Ltd. copied_mod_len=1022272 digsig_result=Unsigned digsig_result_code=2148204222 endpoint= USABLDRRECFLOW01|2 file_desc=SysAid  Agent file_version= group=RecordFlow HQ host_count=1 internal_name=AgentStuffManager.dll is_64bit=true is_executable_image=false last_seen=2016-05-14T02:49:18.142Z legal_copyright=© Copyright 2013 RecordFlow Technologies Ltd. md5=59E0D058686BD35B0D5C02A4FD8BD0E0observed_filename=c:\\program files\\sysaid\\agentstuffsmanager.dll orig_mod_len=1022976 original_filename=AgentstuffManager.dll os_type=Windows product_name=SysAid  Agent product_version= server_added_timestamp=2016-05-14T02:49:18.142Z server_name=localhost.localdomain timestamp=1463194218.586 watchlist_4=2016-05-14T02:50:03.177584Z watchlist_id=4 watchlist_name=Newly Loaded Modules

File version parses into Version. Cb_version is not parsed because the device sending the log is not very useful.

  • Windows Event Log

10/23/2007 10:07 AM TYPE= USER= Safaware\ COMP= USABLDRRECFLOW01 SORC=BPService CATG=Authentication\Interactive EVID=1000 MESG=Biometric authentication was performed.    Username: Domain: Safaware Workstation: Safaware \ USABLDRRECFLOW01Security score: 75  Threshold: 30  Enrollment client: BPDave  Authentication client: BPDave  Client version: 3.0  AuthTag: 222222-dff3-4a70-b1940157ab9d2d22  Effective settings from:  Keyboard:

Client Version parses into Version. This could be useful for software auditing.

  • CylanceProtect

Cylance08 24 2016 07:11:50 <SLOG:WARN> 1 2016-08-24T12:11:30.2394853Z sysloghost CylancePROTECT - - - Event Type: Device, Event Name: SystemSecurity, Device Name: USABLDRRECFLOW01, Agent Version: 1.2.1370.119, IP Address: (), MAC Address: (), Logged On Users: (Safaware\, OS: Microsoft Windows 7 Enterprise Service Pack 1 x64 6.1.7601

Cylance Agent version parses into Version. This could be used for ensuring all agents are up to date.

Incorrect Examples

  • Windows Event Log

4/3/2007 10:50 AM TYPE=FailureAudit USER=User1 COMP=Host1 SORC=Security CATG=Detailed Tracking EVID=861 MESG=The Windows Firewall has detected an application listening for incoming traffic.    Name: -  Path: D:\stuff\jboss-3.2.3\bin\JavaSHost3  Process identifier: 5668  User account: SYSTEM  User domain: NT AUTHORITY  Service: Yes  RPC server: No  IP version: IPv4  IP protocol: TCP  Port number: 4087  Allowed: No  User notified: No

IP Version is not the kind of version needed.

  • Windows Event Log

<Event xmlns='http://Host2/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0322g22d}'/><EventID>6272</EventID><Version>1</Version><Level>Information</Level><Task>Network Policy Server</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2010-06-01T21:40:38.228246300Z'/><EventRecordID>26101649</EventRecordID><Correlation/><Execution ProcessID='452' ThreadID='1500'/><Channel>Security</Channel><Computer>Host1</Computer><Security/></System><EventData>Network Policy Server granted access to a user.    User:   Security ID:   Safaware\   Account Name:   Account Domain:   UNR   Fully Qualified Account Name: UNR\rhickok    Client Machine:   Security ID:   NULL SID   Account Name:   -   Fully Qualified Account Name: -   OS-Version:   -   Called Station Identifier:  000B8222222   Calling Station Identifier:  00000000000    NAS:   NAS IPv4 Address:   NAS IPv6 Address:  -   NAS Identifier:   -   NAS Port-Type:   Wireless - IEEE 802.11   NAS Port:   0    RADIUS Client:   Client Friendly Name:  Aruba Controller 1   Client IP Address:    Authentication Details:   Connection Request Policy Name: Use Windows authentication for all users   Network Policy Name:  RCF WPA   Authentication Provider:  Windows   Authentication Server:  Host1   Authentication Type:  MS-CHAPv2   EAP Type:   -   Account Session Identifier:  -   Logging Results:   Accounting information was written to the local log file.    Quarantine Information:   Result:    Full Access   Session Identifier:   -  </EventData></Event>

OS-Version, if populated, would be more appropriate to parse.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.