[8.19](backport #50472) x-pack/filebeat/input/entityanalytics/provider/activedirectory: fix device attribute field layout #50556

Merged
efd6 merged 2 commits into 8.19 from mergify/bp/8.19/pr-50472
May 7, 2026

@mergify mergify Bot commented May 7, 2026

Proposed commit message

x-pack/filebeat/input/entityanalytics/provider/activedirectory: fix device attribute field layout

The Active Directory provider emitted device (computer) attributes
under activedirectory.user.* instead of activedirectory.device.*,
because collate() hardcoded the "user" wrapping key for all entity
types. This caused the entityanalytics_ad device.yml ingest pipeline
to fail on the dot-expander step since the expected device fields
were absent.

Add a Device field to Entry and thread an entTyp parameter through
GetDetails and collate so that device results are wrapped under
"device" and populate Entry.Device. User results are unchanged.

Fixes #50471

Assisted-By: Cursor

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

This is an automatic backport of pull request #50472 done by [Mergify](https://mergify.com).
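
The field-layout bug described in the commit message above, modelled as an added Go example that is not the Beats code. `Entry`, `collate` and `entTyp` are named on this page; the signatures, `collateHardcoded`, `hasPath` and the sample attribute are simplified assumptions.

```go
package main

import "fmt"

// Entry is a simplified stand-in for the provider's result type.
type Entry struct {
	User   map[string]any // set for user results
	Device map[string]any // set for device (computer) results
}

// collateHardcoded models the bug: every result is wrapped under "user".
func collateHardcoded(attrs map[string]any) (Entry, map[string]any) {
	return Entry{User: attrs}, map[string]any{"user": attrs}
}

// collate wraps attrs under entTyp, fills the matching field, rejects unknown types.
func collate(entTyp string, attrs map[string]any) (Entry, map[string]any, error) {
	var e Entry
	switch entTyp {
	case "user":
		e.User = attrs
	case "device":
		e.Device = attrs
	default:
		return e, nil, fmt.Errorf("unknown entity type %q", entTyp)
	}
	return e, map[string]any{entTyp: attrs}, nil
}

// hasPath reports whether doc holds a value at the nested key path.
func hasPath(doc map[string]any, path ...string) bool {
	var cur any = doc
	for _, k := range path {
		m, _ := cur.(map[string]any) // nil map when cur is not an object
		v, ok := m[k]
		if !ok {
			return false
		}
		cur = v
	}
	return true
}

func main() {
	attrs := map[string]any{"cn": "WS-0042"} // constructed sample computer object
	_, before := collateHardcoded(attrs)
	_, after, _ := collate("device", attrs)
	fmt.Println(hasPath(before, "device", "cn"), hasPath(after, "device", "cn"))
}
```

A consumer that expects `device.*` keys, as the ingest pipeline in the commit message does, finds nothing in the hardcoded output even though the attributes were collected.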

…evice attribute field layout (#50472)

(cherry picked from commit 981bba9)

# Conflicts:
#	x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go
@mergify mergify Bot requested review from a team as code owners May 7, 2026 20:38
@mergify mergify Bot added the backport and conflicts labels May 7, 2026
@mergify mergify Bot requested review from mauri870 and rdner and removed request for a team May 7, 2026 20:38
@mergify mergify Bot assigned efd6 May 7, 2026

mergify Bot commented May 7, 2026

Cherry-pick of 981bba9 has failed:

On branch mergify/bp/8.19/pr-50472
Your branch is up to date with 'origin/8.19'.

You are currently cherry-picking commit 981bba947.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	new file:   changelog/fragments/1777850001-fix-ad-device-field-layout.yaml
	modified:   x-pack/filebeat/input/entityanalytics/provider/activedirectory/activedirectory.go
	modified:   x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory_test.go

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

@botelastic botelastic Bot added the needs_team label May 7, 2026

github-actions Bot commented May 7, 2026

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)
  • /test : Run the Buildkite pipeline.

@github-actions github-actions Bot added the Filebeat, bugfix and Team:Security-Service Integrations labels May 7, 2026
@botelastic botelastic Bot removed the needs_team label May 7, 2026
@infra-vault-gh-plugin-prod

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

github-actions Bot commented May 7, 2026

TL;DR

Buildkite failed in agentbeat: Run pre-commit because the PR branch still contains unresolved Git conflict markers in x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go. Remove the conflict markers and complete the cherry-pick conflict resolution, then re-run CI.

Remediation

  • Resolve the cherry-pick conflict in x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go by removing <<<<<<<, =======, and >>>>>>> markers and keeping the intended merged implementation.
  • Re-run pre-commit run --all-files (and then /test on the PR) to confirm the hook passes.

Investigation details

Root Cause

The failing step is a pre-commit hook (check-merge-conflict) that detects unresolved conflict markers in source.

The failing file/path from logs:

  • x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go:169
  • x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go:174
  • x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go:185
  • x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go:373
  • x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go:374
  • x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go:429

Evidence

check for merge conflicts................................................Failed
- hook id: check-merge-conflict
- exit code: 1
x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go:169: Merge conflict string '<<<<<<<' found
x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go:174: Merge conflict string '=======' found
x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go:185: Merge conflict string '>>>>>>>' found
...

Related PR context also shows backport cherry-pick conflict for the same file in a prior PR comment.

Verification

  • Not run locally in this workflow; diagnosis is based on deterministic pre-commit output and explicit conflict-marker detections in logs.

Follow-up

After conflict resolution, if any logic/test failures remain, run targeted tests for:
x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory


What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

@efd6 efd6 enabled auto-merge (squash) May 7, 2026 20:54

github-actions Bot commented May 7, 2026

TL;DR

golangci-lint failed in all three lint jobs because errcheck found unchecked errors in x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go (conn.Unbind and another unchecked return). Add explicit error handling for those calls, then re-run CI.

Remediation

  • Handle the conn.Unbind error at x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go:229 (log/wrap/return according to existing function flow).
  • Handle the unchecked error at x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go:341 so errcheck no longer reports it.
  • Re-run golangci-lint locally for the touched package (or trigger PR checks) to confirm all three lint jobs pass.

Investigation details

Root Cause

The workflow run failed due to deterministic errcheck violations in the PR changes, not due to runner/environment issues. The same two findings appear on Ubuntu and Windows jobs (and the macOS job also failed at the same golangci-lint step).

Evidence

##[error]x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go:229:19: Error return value of `conn.Unbind` is not checked (errcheck)
##[error]x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go:341:12: Error return value is not checked (errcheck)
##[error]issues found
  • Matching excerpt from lint (windows-latest):
##[error]x-pack\filebeat\input\entityanalytics\provider\activedirectory\internal\activedirectory\activedirectory.go:229:19: Error return value of `conn.Unbind` is not checked (errcheck)
##[error]x-pack\filebeat\input\entityanalytics\provider\activedirectory\internal\activedirectory\activedirectory.go:341:12: Error return value is not checked (errcheck)
##[error]issues found

Validation

  • Not run locally in this detective workflow; diagnosis is from failing Actions job logs.

Follow-up

  • If handling Unbind in a deferred closure, preserve the original return error semantics (avoid swallowing the primary error with a deferred cleanup error unless that is already the package pattern).

What is this? | From workflow: PR Actions Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.
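
One way to satisfy errcheck for a deferred `Unbind` while keeping the primary error, as the follow-up note above asks. This is an added example, not the code merged in this PR; the `unbinder` interface, `fakeConn`, `query` and the error values are hypothetical stand-ins.

```go
package main

import (
	"errors"
	"fmt"
)

// unbinder is a hypothetical stand-in for the LDAP connection; only the
// cleanup call that errcheck flagged is modelled.
type unbinder interface{ Unbind() error }

// fakeConn is a constructed test double.
type fakeConn struct{ unbindErr error }

func (c fakeConn) Unbind() error { return c.unbindErr }

var (
	errSearch = errors.New("search failed")    // constructed primary error
	errUnbind = errors.New("connection reset") // constructed cleanup error
)

// query runs search and always unbinds. A search failure stays the primary
// error; an Unbind failure is joined after it, or returned on its own when
// the search succeeded, so neither is silently dropped.
func query(conn unbinder, search func() ([]string, error)) (res []string, err error) {
	defer func() {
		if uerr := conn.Unbind(); uerr != nil {
			err = errors.Join(err, fmt.Errorf("unbind: %w", uerr))
		}
	}()
	res, err = search()
	if err != nil {
		return nil, fmt.Errorf("search: %w", err)
	}
	return res, nil
}

func main() {
	fail := func() ([]string, error) { return nil, errSearch }
	_, err := query(fakeConn{unbindErr: errUnbind}, fail)
	// Both causes remain visible to errors.Is.
	fmt.Println(errors.Is(err, errSearch), errors.Is(err, errUnbind))
}
```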

@efd6 efd6 merged commit 1c26a2d into 8.19 May 7, 2026
30 of 33 checks passed
@efd6 efd6 deleted the mergify/bp/8.19/pr-50472 branch May 7, 2026 23:11