Recently I dug through the available Elastic compatibility matrix and can't find any related information.
Question/Example: Is Elastic Defend version 8.14.x compatible with, let's say, Elastic Agent 8.13.x?
We have a policy with about 50 clients. We did not catch all agents to upgrade them to 8.14.0, but I want to upgrade Elastic Defend policy-wide to provide the upgrade to all updated agents.
There are three components to consider with versioning: Kibana, the Elastic Defend integration, and the Elastic Agent version. When you add the Elastic Defend integration to an Elastic Agent policy, the Elastic Endpoint binary that is installed by the integration on hosts that are being protected will always match the same version as the Agent version.
You can upgrade Kibana without upgrading the Elastic Defend integration, but generally we recommend keeping the two on the same major.minor version. The integration contains server-side components; upgrading it makes sure you have all the latest Elasticsearch mappings, for instance. But upgrading the Elastic Defend integration won't upgrade/affect what's deployed on the hosts you're protecting; you need to upgrade Elastic Agent for that.
Kibana can run any prior or equal Elastic Agent version, which as a corollary means the answer to your question is yes. Kibana/Elastic Defend integration version 8.14.x will work with Elastic Agent 8.13.x.
Ohh okay, that's an interesting point. Thanks for the fast response!
Sorry for reasking somehow - we need to understand this correctly because we are running about 150 Elastic Defend endpoints by now (increasing). So hitting the "Upgrade integration" in the Fleet Policy won't change anything on the Endpoint itself? Only server- or, let's say, cluster-side components?
Other way around: Only the upgrade of the Elastic Agent (with Elastic Defend as integration) updates actual components on the Endpoint?
So hitting the "Upgrade integration" in the Fleet Policy won't change anything on the Endpoint itself? Only server- or, let's say, cluster-side components?
I assume you're referring to a button on Management -> Integrations -> Elastic Defend -> Settings? If so, yes. That's just server side components.
Other way around: Only the upgrade of the Elastic Agent (with Elastic Defend as integration) updates actual components on the Endpoint?
Yes, this is correct. Only upgrading Agent in Fleet via the "Upgrade Agent" option will update the Elastic Endpoint binaries on the host (along with Agent).
You can confirm this yourself by verifying the Agent and Endpoint versions on the host (c:\Program Files\Elastic\Agent\elastic-agent.exe version and c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe version). You'll see that even after upgrading the Elastic Defend integration to 8.14.x your hosts will still be running Elastic Agent and Elastic Endpoint version 8.13.x.
The only host-side components that would update outside of you upgrading Agent are Endpoint's security protection artifacts (analogous to antivirus signatures in other security products). If you don't want them to update automatically, you can use Artifact Control to limit that behavior. (If your license tier doesn't include Artifact Control, another option is to follow this Air Gapped Environments guide -- if you just use that guide to intentionally "break" these artifact updates rather than rehost them, Endpoint will keep running with the artifacts it has; it intentionally won't cause a policy failure.) We do generally recommend keeping security artifacts up to date but recognize that's at odds with change controls in some environments.
I assume you're referring to a button on Management -> Integrations -> Elastic Defend -> Settings? If so, yes. That's just server side components.
I referred to Fleet > Agent policies > "Policy name" > Upgrade (in the row of the Elastic Defend integration).
You can upgrade Kibana without upgrading the Elastic Defend integration but generally we recommend keeping the two on the same major.minor version.
So let's say we have our cluster at 8.14.2 (Kibana included) and we start to follow updating our Elastic Agents: Having a Fleet Policy where half the Agents are 8.13.4 (some of them are offline) and the other half are 8.14.3 - should we upgrade the integration within the policy in Fleet already to 8.14.3 (location in previous quote - "server-side" as you clarified previously)?
Fleet > Agent policies > "Policy name" > Upgrade won't affect the hosts running Elastic Defend either. That applies new integration assets to the Elastic Agent and its policy on the server, but because the Elastic Defend integration only contains server-side assets, it won't affect the hosts running Elastic Agent.
This is an important point I should have mentioned earlier. Elastic Defend is a somewhat unique integration. Many other integrations could potentially start doing new behavior on the host after a server-side integration update because their integration controls host-side behavior. Elastic Defend's behavior is not modified/controlled in that same way. Still, for all integrations, updating the package via Fleet > Agent policies > "Policy name" > Upgrade won't update the actual executables running on the hosts you've installed Elastic Agent on.
So let's say we have our cluster at 8.14.2 (Kibana included) and we start to follow updating our Elastic Agents: Having a Fleet Policy where half the Agents are 8.13.4 (some of them are offline) and the other half are 8.14.3 - should we upgrade the integration within the policy in Fleet already to 8.14.3 (location in previous quote - "server-side" as you clarified previously)?
I can't think of a reason doing that is required for Elastic Defend but I also can't think of a reason it would hurt for the reason I mentioned above.
Updating the Kibana-wide integration via Management -> Integrations -> Elastic Defend -> Settings is beneficial because the integration contains things like data mappings. Keeping those up to date makes sure you can search for newly added Elastic Defend data. It sounds like you're already doing that.
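An added example, not part of the original thread and not Elastic's own code: a small inventory check that applies the two rules stated above (the Elastic Endpoint binary matches the Agent version on each host, and Kibana works with any prior or equal Agent version). The record fields (`host`, `agent`, `endpoint`), the status labels and the sample hosts are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return (major, minor, patch) from '8.13.4' or '8.14.0-SNAPSHOT'."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def classify(kibana, agent, endpoint):
    """Classify one host against the rules stated in the thread."""
    k, a, e = (parse_version(v) for v in (kibana, agent, endpoint))
    if e != a:
        # Endpoint is expected to match Agent; a mismatch deserves a look
        # (for example, an Agent upgrade that has not finished).
        return "endpoint-mismatch"
    if a > k:
        # Outside the "prior or equal" rule given in the thread.
        return "newer-than-kibana"
    if a[:2] < k[:2]:
        # Compatible, but the host binaries lag the stack by a minor release.
        return "older-minor"
    return "current"  # same major.minor as Kibana

def audit(kibana, hosts):
    """Group host names by classification."""
    report = defaultdict(list)
    for h in hosts:
        report[classify(kibana, h["agent"], h["endpoint"])].append(h["host"])
    return dict(report)

# Constructed sample inventory (hypothetical host names and versions).
HOSTS = [
    {"host": "ws-001", "agent": "8.13.4", "endpoint": "8.13.4"},
    {"host": "ws-002", "agent": "8.14.0", "endpoint": "8.14.0"},
    {"host": "ws-003", "agent": "8.14.0", "endpoint": "8.13.4"},
    {"host": "ws-004", "agent": "8.15.0", "endpoint": "8.15.0"},
]

if __name__ == "__main__":
    for status, names in audit("8.14.2", HOSTS).items():
        print(f"{status}: {', '.join(names)}")
```

The versions fed into such a check can be collected per host with the two `version` commands quoted earlier in the thread.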