Hi community, I am looking for best practices (and example detections) to monitor application version drift…..What i needed ? Alert when devices are not on the expected/current version after a rollout. Alert when a device rolls back to a lower version (intentional or suspicious)as Questions Flag “version != expected_version” Flag “version < expected_version” (rollback) I want to be able to alert when devices are not on the expected or current version after a rollout, and also when a device rolls back to a lower version, whether intentional or suspicious. What is the recommended detection pattern to flag version != expected_version and to flag version < expected_version for rollback? Are there any gotchas with handling semantic versions, for example comparing 1.10.3 with 1.9.12?

Question

Detecting Application Version changes: Handling Updates to the Current (Expected) Version and Rollbacks to Lower Versions

Forum|Forum|3 months ago
August 22, 2025
2 replies
52 views

+3

havox
New Member

Hi community,

I am looking for best practices (and example detections) to monitor application version drift…..

What i needed ?

Alert when devices are not on the expected/current version after a rollout.
Alert when a device rolls back to a lower version (intentional or suspicious)as

Questions

Flag “version != expected_version”
Flag “version < expected_version” (rollback)

I want to be able to alert when devices are not on the expected or current version after a rollout, and also when a device rolls back to a lower version, whether intentional or suspicious. What is the recommended detection pattern to flag version != expected_version and to flag version < expected_version for rollback? Are there any gotchas with handling semantic versions, for example comparing 1.10.3 with 1.9.12?

+3

havox
Author
New Member
Forum|Forum|3 months ago
August 25, 2025

@jstoner A small correction on my question: when an operation is performed (such as delete), I also need to capture the version outcome at that point, for example in an application like NPA.

Like

+22

jstoner
Staff
Forum|Forum|3 months ago
August 25, 2025

A couple of things that immediately jump to mind on this. The < > signs won’t work on strings which is what you have with those versions. You could potentially break your versions out to being three different values that you could compare all three as numbers (haven’t played with this yet, so mainly brainstorming). The inequality will work, so you could keep that.

This is a quick/dirty example of what that might look like. Once you have those captures, you could perform calculations.

metadata.event_type = "PROCESS_LAUNCH"
additional.fields["EngineVersion"] = "5.1.19041.1682"
cast.as_int(re.capture(additional.fields["EngineVersion"], `^(\d+)\.\d+\.\d+\.\d+$`)) = $v1
cast.as_int(re.capture(additional.fields["EngineVersion"], `^\d+\.(\d+)\.\d+\.\d+$`)) = $v2
cast.as_int(re.capture(additional.fields["EngineVersion"], `^\d+\.\d+\.(\d+)\.\d+$`)) = $v3
cast.as_int(re.capture(additional.fields["EngineVersion"], `^\d+\.\d+\.\d+\.(\d+)$`)) = $v4

outcome:
    $a = $v1
    $b = $v2
    $c = $v3
    $d = $v4

Like

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded