Odd Sysmon Version numbers question, have you seen this before?

AW 0 Reputation points
2025-01-06T20:15:45.92+00:00

Hey Everyone,

I've got a weird one to ask about today. We have Sysmon feeding into our SIEM, and when looking at the file version information the SIEM receives, we see some differing results that we are confused about. Some of the results for the "Version" field are:

• 5
• 3
• 2
• 4
• 15.15

The only number in the list that seems to be an actual version is 15.15, as the others are definitely not versions that are active on the machines.

Some devices will show as having Version 3 and 15 at the same time, and then only Version 5 if we check on it a few days later. It doesn’t seem to make much sense.

We have theorized this could potentially be the revision number of the file or the version of Sysmon the respective log was introduced in, but looking online, we didn’t find any evidence to support that idea.

We also theorized it could be the schema version but did not find evidence to support that either.

One of the devices we got a hold of was showing as "Version" 5 in the SIEM, but running the command to check the version locally shows the proper version number (which is not 5).

Does anyone have any idea what the reasoning for this sort of thing might be? Or what info the "Version" field is pulling in? Has anyone else experienced this or something similar?
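
As an added example (not part of the question above or of any answer on this page), the following Python snippet pulls the two differently scoped "Version" values out of Sysmon event XML separately. It assumes the usual Windows event layout: `<System><Version>` holds the integer version of the event template for that Event ID (it changes only when Microsoft revises the event definition, not with every Sysmon release), while a `<Data Name="Version">` element inside `<EventData>` appears only in a few events such as Event ID 4 (service state changed), where it carries the Sysmon binary version. A SIEM mapper that flattens every element named `Version` into one column would show exactly the kind of mixed list described above. The sample records, host name, and version numbers are constructed for illustration, not captured from a real host.

```python
"""Separate the event-template version from the Sysmon binary version in
Sysmon event records. Added example; the XML below is constructed."""
import xml.etree.ElementTree as ET

# Standard Windows event XML namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records (abbreviated). Template-version integers and
# the schema version are illustrative placeholders, not authoritative values.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <Version>5</Version>
    <Computer>host-a.example.test</Computer>
  </System>
  <EventData>
    <Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>4</EventID>
    <Version>3</Version>
    <Computer>host-a.example.test</Computer>
  </System>
  <EventData>
    <Data Name="State">Started</Data>
    <Data Name="Version">15.15</Data>
    <Data Name="SchemaVersion">4.90</Data>
  </EventData>
</Event>""",
]


def parse_event(xml_text: str) -> dict:
    """Return the two version fields under distinct keys so they can't be
    confused downstream: 'template_version' (System/Version, an int) and
    'sysmon_version' (EventData Version, present only on some events)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {
        d.get("Name"): (d.text or "")
        for d in root.findall("e:EventData/e:Data", NS)
    }
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "template_version": int(system.findtext("e:Version", namespaces=NS)),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "sysmon_version": data.get("Version"),      # None unless the event carries it
        "schema_version": data.get("SchemaVersion"),
    }


def sysmon_binary_versions(events) -> dict:
    """Per host, the Sysmon binary version as reported by the service itself
    (Event ID 4). Template versions are deliberately ignored here, so this is
    the value to compare against what 'sysmon -c' prints locally."""
    out = {}
    for ev in map(parse_event, events):
        if ev["event_id"] == 4 and ev["sysmon_version"]:
            out[ev["computer"]] = ev["sysmon_version"]
    return out


def naive_flatten(events) -> set:
    """Mimic a field mapper that writes any element named 'Version' into one
    column. The result mixes template integers with the real binary version,
    which is the confusing picture a SIEM dashboard would then display."""
    seen = set()
    for ev in map(parse_event, events):
        seen.add(str(ev["template_version"]))
        if ev["sysmon_version"]:
            seen.add(ev["sysmon_version"])
    return seen


if __name__ == "__main__":
    print("mixed 'Version' column:", sorted(naive_flatten(SAMPLE_EVENTS)))
    print("actual Sysmon versions:", sysmon_binary_versions(SAMPLE_EVENTS))
```

Running it shows the flattened column containing `3`, `5` and `15.15` side by side, while `sysmon_binary_versions` yields only the `15.15` reported by the service itself. The practical check is to inspect the SIEM's field mapping for Sysmon and confirm whether its `Version` column is sourced from `System/Version` or from `EventData`; only the latter (on events that carry it) corresponds to the installed Sysmon build.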
