[9.3](backport #50472) x-pack/filebeat/input/entityanalytics/provider/activedirectory: fix device attribute field layout #50557

Merged: efd6 merged 2 commits into 9.3 from mergify/bp/9.3/pr-50472, May 7, 2026

@mergify mergify Bot commented May 7, 2026

Proposed commit message

x-pack/filebeat/input/entityanalytics/provider/activedirectory: fix device attribute field layout

The Active Directory provider emitted device (computer) attributes
under activedirectory.user.* instead of activedirectory.device.*,
because collate() hardcoded the "user" wrapping key for all entity
types. This caused the entityanalytics_ad device.yml ingest pipeline
to fail on the dot-expander step since the expected device fields
were absent.

Add a Device field to Entry and thread an entTyp parameter through
GetDetails and collate so that device results are wrapped under
"device" and populate Entry.Device. User results are unchanged.

Fixes #50471

Assisted-By: Cursor

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

How to test this PR locally

Related issues

Use cases

Screenshots

Logs


This is an automatic backport of pull request #50472 done by [Mergify](https://mergify.com).

…evice attribute field layout (#50472)

The Active Directory provider emitted device (computer) attributes
under activedirectory.user.* instead of activedirectory.device.*,
because collate() hardcoded the "user" wrapping key for all entity
types. This caused the entityanalytics_ad device.yml ingest pipeline
to fail on the dot-expander step since the expected device fields
were absent.

Add a Device field to Entry and thread an entTyp parameter through
GetDetails and collate so that device results are wrapped under
"device" and populate Entry.Device. User results are unchanged.

Fixes #50471

Assisted-By: Cursor
(cherry picked from commit 981bba9)

# Conflicts:
#	x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go
@mergify mergify Bot requested a review from a team as a code owner May 7, 2026 20:38
@mergify mergify Bot added the backport and conflicts (There is a conflict in the backported pull request) labels May 7, 2026
@mergify mergify Bot assigned efd6 May 7, 2026

mergify Bot commented May 7, 2026

Cherry-pick of 981bba9 has failed:

On branch mergify/bp/9.3/pr-50472
Your branch is up to date with 'origin/9.3'.

You are currently cherry-picking commit 981bba947.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	new file:   changelog/fragments/1777850001-fix-ad-device-field-layout.yaml
	modified:   x-pack/filebeat/input/entityanalytics/provider/activedirectory/activedirectory.go
	modified:   x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory_test.go

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

@botelastic botelastic Bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 7, 2026

github-actions Bot commented May 7, 2026

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)
  • /test : Run the Buildkite pipeline.

@github-actions github-actions Bot added Filebeat Filebeat bugfix Team:Security-Service Integrations Security Service Integrations Team labels May 7, 2026
@botelastic botelastic Bot removed the needs_team Indicates that the issue/PR needs a Team:* label label May 7, 2026
@infra-vault-gh-plugin-prod

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

github-actions Bot commented May 7, 2026

TL;DR

Both failed Buildkite jobs are caused by unresolved Git conflict markers left in x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go, which makes the file invalid Go and also triggers pre-commit’s merge-conflict check. Resolve that conflict file and re-run CI.

Remediation

  • Resolve the cherry-pick conflict in x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go by removing <<<<<<<, =======, >>>>>>> markers and keeping the intended merged logic.
  • Re-run:
    • make -C x-pack/filebeat check update
    • pre-commit run --all-files
Investigation details

Root Cause

The backport PR includes unresolved conflict markers in x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go (also reflected in the PR file patch), causing parser failures during goimports and causing pre-commit to fail.

Evidence

  • Build: https://buildkite.com/elastic/beats/builds/45607
  • Job/step: x-pack/filebeat: Run check/update
  • Key log excerpt:
    • /tmp/gh-aw/buildkite-logs/beats-xpack-filebeat-x-packfilebeat-run-checkupdate.txt:115expected declaration, found '<<'
    • /tmp/gh-aw/buildkite-logs/beats-xpack-filebeat-x-packfilebeat-run-checkupdate.txt:117expected '}', found '=='
    • /tmp/gh-aw/buildkite-logs/beats-xpack-filebeat-x-packfilebeat-run-checkupdate.txt:119expected '}', found '>>'
    • /tmp/gh-aw/buildkite-logs/beats-xpack-filebeat-x-packfilebeat-run-checkupdate.txt:121illegal character U+0023 '#'
  • Job/step: x-pack/filebeat: Run pre-commit
  • Key log excerpt:
    • /tmp/gh-aw/buildkite-logs/beats-xpack-filebeat-x-packfilebeat-run-pre-commit.txt:133Merge conflict string '<<<<<<<' found
    • /tmp/gh-aw/buildkite-logs/beats-xpack-filebeat-x-packfilebeat-run-pre-commit.txt:137Merge conflict string '>>>>>>>' found

Verification

  • Not run locally in this workflow; analysis is based on Buildkite logs and PR diff state.

Follow-up

After resolving the conflict file, CI should move past both current failures. If any subsequent failures appear, they can then be triaged independently.


What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

@efd6 efd6 enabled auto-merge (squash) May 7, 2026 20:53

github-actions Bot commented May 7, 2026

TL;DR

golangci-lint failed in workflow run 25521405444 because errcheck found two unchecked results in x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go. Handle both explicitly, then re-run lint.

Remediation

  • Replace defer conn.Unbind() with a deferred function that checks and handles the returned error (consistent with existing logging/error-collection patterns in this package).
  • Replace attrs := u[entTyp].(map[string]any) with a checked type assertion (attrs, ok := ...) and handle the non-ok path explicitly (return/append an error), then run golangci-lint (or mage check in x-pack/filebeat) to confirm.
Investigation details

Root Cause

The failing step is golangci-lint in job lint (ubuntu-latest). The errcheck linter reports two issues in the Active Directory provider file: one ignored error from conn.Unbind, and one unchecked assertion path.

Evidence

Validation

  • Not run in this workflow; diagnosis is from GitHub Actions logs for run 25521405444.

Follow-up

  • After fixing these two errcheck findings, re-run the PR checks to verify the matrix jobs proceed.

What is this? | From workflow: PR Actions Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.
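
The two errcheck remediations described in the comment above, combined with wrapping attributes under the entity-type key, as an added example that is not code from this PR or from the Beats repository. The names `unbinder`, `fakeConn`, `wrap`, `attrsOf` and `fetch` are hypothetical, and joining the Unbind error into the returned error is one possible handling, not necessarily the package's own pattern.

```go
package main

import (
	"errors"
	"fmt"
)

// unbinder is a hypothetical stand-in for the LDAP connection; only the
// error returned by Unbind matters here.
type unbinder interface{ Unbind() error }

// fakeConn is a constructed test double whose Unbind returns err.
type fakeConn struct{ err error }

func (c fakeConn) Unbind() error { return c.err }

// wrap places attrs under the entity-type key ("user" or "device")
// rather than under a hardcoded "user" key.
func wrap(entTyp string, attrs map[string]any) map[string]any {
	return map[string]any{entTyp: attrs}
}

// attrsOf uses a checked type assertion, so a missing or mis-typed entry
// becomes an error instead of a run-time panic.
func attrsOf(u map[string]any, entTyp string) (map[string]any, error) {
	attrs, ok := u[entTyp].(map[string]any)
	if !ok {
		return nil, fmt.Errorf("unexpected type for %q attributes: %T", entTyp, u[entTyp])
	}
	return attrs, nil
}

// fetch returns the attributes for entTyp. The deferred closure checks the
// Unbind result and joins it into the named return err instead of dropping it.
func fetch(conn unbinder, u map[string]any, entTyp string) (attrs map[string]any, err error) {
	defer func() {
		if uerr := conn.Unbind(); uerr != nil {
			err = errors.Join(err, fmt.Errorf("unbind: %w", uerr))
		}
	}()
	return attrsOf(u, entTyp)
}

func main() {
	dev := wrap("device", map[string]any{"cn": "HOST01"}) // constructed sample
	_, err := fetch(fakeConn{}, dev, "user")
	fmt.Println(err) // device result read with the wrong key: error, no panic
	attrs, err := fetch(fakeConn{err: errors.New("closed")}, dev, "device")
	fmt.Println(attrs, err) // attributes returned, Unbind failure still reported
}
```
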

@efd6 efd6 merged commit a5b59d8 into 9.3 May 7, 2026
25 of 28 checks passed
@efd6 efd6 deleted the mergify/bp/9.3/pr-50472 branch May 7, 2026 23:11