diff --git a/packages/netskope/_dev/build/docs/README.md b/packages/netskope/_dev/build/docs/README.md index 4ed054585fc..5b1b1e92d20 100644 --- a/packages/netskope/_dev/build/docs/README.md +++ b/packages/netskope/_dev/build/docs/README.md @@ -1,6 +1,7 @@ # Netskope -This integration is for Netskope. It can be used to receive logs sent by [Netskope Cloud Log Shipper](https://docs.netskope.com/en/cloud-exchange-feature-lists.html#UUID-e7c43f4b-8aad-679e-eea0-59ce19f16e29_section-idm4547044691454432680066508785) on respective TCP ports. +This integration is for Netskope. It can be used to receive logs sent by [Netskope Cloud Log Shipper](https://docs.netskope.com/en/cloud-exchange-feature-lists.html#UUID-e7c43f4b-8aad-679e-eea0-59ce19f16e29_section-idm4547044691454432680066508785) and [Netskope Log Streaming](https://docs.netskope.com/en/log-streaming/). To receive log from Netskope Cloud Log Shipper use TCP input, and for Netskope Log Streaming use any of the Cloud based inputs (AWS, GCS, or Azure Blob Storage). + The log message is expected to be in JSON format. The data is mapped to ECS fields where applicable and the remaining fields are written under @@ -8,6 +9,7 @@ ECS fields where applicable and the remaining fields are written under ## Setup steps +### For receiving log from Netskope Cloud Shipper 1. Configure this integration with the TCP input in Kibana. 2. For all Netskope Cloud Exchange configurations refer to the [Log Shipper](https://docs.netskope.com/en/cloud-exchange-feature-lists.html#UUID-e7c43f4b-8aad-679e-eea0-59ce19f16e29_section-idm4547044691454432680066508785). 3. In Netskope Cloud Exchange please enable Log Shipper, add your Netskope Tenant. 
@@ -33,6 +35,121 @@ ECS fields where applicable and the remaining fields are written under > Note: For detailed steps refer to [Configure Log Shipper SIEM Mappings](https://docs.netskope.com/en/configure-log-shipper-siem-mappings.html). Please make sure to use the given response formats. +### For receiving log from Netskope Log Streaming +1. To configure Log streaming please refer to the [Log Streaming Configuration](https://docs.netskope.com/en/configuring-streams). While Configuring make sure compression is set to GZIP as other compression types are not supported. + +#### Collect data from an AWS S3 bucket + +Considering you already have an AWS S3 bucket setup, to configure it with Netskope, follow [these steps](https://docs.netskope.com/en/stream-logs-to-amazon-s3) to enable the log streaming. + +#### Collect data from Azure Blob Storage + +1. If you already have an Azure storage container setup, configure it with Netskope via log streaming. +2. Enable the Netskope log streaming by following [these instructions](https://docs.netskope.com/en/stream-logs-to-azure-blob). +3. Configure the integration using either Service Account Credentials or Microsoft Entra ID RBAC with OAuth2 options. For OAuth2 (Entra ID RBAC), you'll need the Client ID, Client Secret, and Tenant ID. For Service Account Credentials, you'll need either the Service Account Key or the URI to access the data. + +- How to setup the `auth.oauth2` credentials can be found in the Azure documentation [here]( https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app). +- For more details about the Azure Blob Storage input settings, check the [Filebeat documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-azure-blob-storage.html). + +Note: +- The service principal must be granted the appropriate permissions to read blobs. Ensure that the necessary role assignments are in place for the service principal to access the storage resources. 
For more information, please refer to the [Azure Role-Based Access Control (RBAC) documentation](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage). +- We recommend assigning either the **Storage Blob Data Reader** or **Storage Blob Data Owner** role. The **Storage Blob Data Reader** role provides read-only access to blob data and is aligned with the principle of least privilege, making it suitable for most use cases. The **Storage Blob Data Owner** role grants full administrative access — including read, write, and delete permissions — and should be used only when such elevated access is explicitly required. + +#### Collect data from a GCS bucket + +1. If you already have a GCS bucket setup, configure it with Netskope via log streaming. +2. Enable the Netskope log streaming by following [these instructions](https://docs.netskope.com/en/stream-logs-to-gcp-cloud-storage). +3. Configure the integration with your GCS project ID, Bucket name and Service Account Key/Service Account Credentials File. + +For more details about the GCS input settings, check the [Filebeat documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-gcs.html). + +#### The GCS credentials key file: + +Once you have added a key to GCP service account, you will get a JSON key file that can only be downloaded once. +If you're new to GCS bucket creation, follow these steps: + +1. Make sure you have a service account available, if not follow the steps below: + - Navigate to 'APIs & Services' > 'Credentials' + - Click on 'Create credentials' > 'Service account' +2. Once the service account is created, you can navigate to the 'Keys' section and attach/generate your service account key. +3. Make sure to download the JSON key file once prompted. +4. Use this JSON key file either inline (JSON string object), or by specifying the path to the file on the host machine, where the agent is running. 
+ +A sample JSON Credentials file looks as follows: +```json +{ + "type": "dummy_service_account", + "project_id": "dummy-project", + "private_key_id": "dummy-private-key-id", + "private_key": "-----BEGIN PRIVATE KEY-----\nDummyPrivateKey\n-----END PRIVATE KEY-----\n", + "client_email": "dummy-service-account@example.com", + "client_id": "12345678901234567890", + "auth_uri": "https://dummy-auth-uri.com", + "token_uri": "https://dummy-token-uri.com", + "auth_provider_x509_cert_url": "https://dummy-auth-provider-cert-url.com", + "client_x509_cert_url": "https://dummy-client-cert-url.com", + "universe_domain": "dummy-universe-domain.com" +} +``` + + +#### Collect data from AWS SQS + +1. If you've already set up a connection to push data into the AWS bucket; if not, refer to the section above. +2. To set up an SQS queue, follow "Step 1: Create an Amazon SQS Queue" mentioned in the [link](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html). + - While creating an access policy, use the bucket name configured to create a connection for AWS S3 in Netskope. +3. Configure event notifications for an S3 bucket. Follow this [link](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications.html). + - While creating `event notification` select the event type as s3:ObjectCreated:*, destination type SQS Queue, and select the queue name created in Step 2. + +For more details about the AWS-S3 input settings, check this [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-s3.html). + +### Enable the integration in Elastic + +1. In Kibana go to **Management** > **Integrations**. +2. In "Search for integrations" top bar, search for `Netskope`. +3. Select the **Netskope** integration from the search results. +4. Select "Add Netskope" to add the integration. +5. 
While adding the integration, there are different options to collect logs; + + To collect logs via AWS S3 when adding the integration, you must provide the following details:: + - Collect logs via S3 Bucket toggled on + - Access Key ID + - Secret Access Key + - Bucket ARN + - Session Token + + To collect logs via AWS SQS when adding the integration, you must provide the following details: + - Collect logs via S3 Bucket toggled off + - Queue URL + - Secret Access Key + - Access Key ID + + To collect logs via GCS when adding the integration, you must provide the following details: + - Project ID + - Buckets + - Service Account Key/Service Account Credentials File + + To collect logs via Azure Blob Storage when adding the integration, you must provide the following details: + + - For OAuth2 (Microsoft Entra ID RBAC): + - Toggle on **Collect logs using OAuth2 authentication** + - Account Name + - Client ID + - Client Secret + - Tenant ID + - Container Details. + + - For Service Account Credentials: + - Service Account Key or the URI + - Account Name + - Container Details + + + To collect logs via TCP when adding the integration, you must provide the following details: + - Listen Address + - Listen Port +6. Save the integration. + ## Compatibility This package has been tested against `Netskope version 95.1.0.645` and `Netskope Cloud Exchange version 3.4.0`. @@ -55,6 +172,12 @@ Default port: _9021_ {{event "alerts"}} +### Alerts V2 + +{{fields "alerts_v2"}} + +{{event "alerts_v2"}} + ### Events {{fields "events"}} diff --git a/packages/netskope/changelog.yml b/packages/netskope/changelog.yml index d9ab4e38b05..2ffb32bfe20 100644 --- a/packages/netskope/changelog.yml +++ b/packages/netskope/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.1.0" + changes: + - description: Add support for Alerts v2 data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/14443 - version: "2.0.0" changes: - description: Change mapping of field `netskope.alerts.breach.date` from `double` to `date`. diff --git a/packages/netskope/data_stream/alerts_v2/_dev/deploy/tf/env.yml b/packages/netskope/data_stream/alerts_v2/_dev/deploy/tf/env.yml new file mode 100644 index 00000000000..aee5f1c5900 --- /dev/null +++ b/packages/netskope/data_stream/alerts_v2/_dev/deploy/tf/env.yml @@ -0,0 +1,9 @@ +version: '2.3' +services: + terraform: + environment: + - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} + - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} + - AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} + - AWS_DEFAULT_PROFILE=${AWS_DEFAULT_PROFILE} + - AWS_REGION=${AWS_REGION:-us-east-1} diff --git a/packages/netskope/data_stream/alerts_v2/_dev/deploy/tf/files/test-alerts-v2.csv b/packages/netskope/data_stream/alerts_v2/_dev/deploy/tf/files/test-alerts-v2.csv new file mode 100644 index 00000000000..aea70c91701 --- /dev/null +++ b/packages/netskope/data_stream/alerts_v2/_dev/deploy/tf/files/test-alerts-v2.csv 
@@ -0,0 +1,4 @@ +_id,access_method,account_name,acked,acting_user,action,activity,act_user,alert,alert_name,severity,alert_source,alert_type,appcategory,appsuite,app,app_session_id,assignee,bcc,browser,browser_session_id,server_bytes,client_bytes,cc,cci,ccl,cloud_provider,breach_id,eeml,breach_score,connection_id,src_country,shared_credential_user,breach_date,policy_name,policy_action,dst_country,dst_geoip_src,dsthost,dstip,dst_location,dstport,dst_region,dst_timezone,dst_zipcode,detection_engine,device,device_classification,device_sn,dlp_file,dlp_fingerprint_classification,dlp_fingerprint_match,dlp_fingerprint_score,dlp_match_info,inline_dlp_match_info,dlp_incident_id,dlp_parent_id,dlp_profile_name,dlp_profile,dlp_rule_count,dlp_rule,dlp_rule_severity,dlp_rule_score,dlp_unique_count,dlp_is_unique_count,dns_profile,domain,driver,conn_duration,encryption_status,conn_endtime,end_time,computer_name,executable_hash,executable_signed,sharedType,file_category,destination_file_directory,file_exposure,file_id,file_md5,destination_file_name,filename,file_origin,file_owner,destination_file_path,file_path,filepath,sha256,file_size,file_type,email_from_user,from_user,app-gdpr-level,usergroup,device_type,hostname,dinsid,incident_id,latest_incident_id,instance_id,instance,instance_name,sanctioned_instance,ip_protocol,dst_latitude,src_latitude,local_md5,local_sha1,local_sha256,loc,location,src_location,dst_longitude,src_longitude,mal_id,malware_id,mal_sev,malware_severity,mal_type,malware_type,managed_app,managementID,vendor_id,md5,message_id,mime_type,tss_mode,product_id,modified_date,src_network,network_session_id,ur_normalized,oauth,object,object_id,owner,object_type,org,organization_unit,os,os_details,os_family,os_user_name,os_version,page,parent_id,owner_pdl,policy_name_enforced,policy,policy_version,pop_id,netskope_pop,port,web_url,connection_type,process_name,process_cert_subject,pid,process_path,publisher_cn,domain_ip,redirect_url,referer,region_name,src_region,region_id,i
aas_remediated,iaas_remediation_action,iaas_remediated_by,iaas_remediated_on,req,req_cnt,request_id,resource_category,resource_group,resp,resp_cnt,risk_level_id,sa_profile_name,sa_rule_compliance,sa_rule_name,sa_rule_severity,sender,session_duration,session_number_unique,serverity,severity_level,severity_id,shared_with,shared_domains,tunnel_id,smtp_status,smtp_to,src_geoip_src,srcip,srcport,conn_starttime,start_time,status,subject,tags,telemetry_app,threat_type,timestamp,src_timezone,to_user,numbytes,traffic_type,transaction_id,tss_license,two_factor_auth,type,unc_path,nsdeviceuid,url,user,useragent,user_confidence_index,user_confidence_level,user_id,userip,userkey,violation,site,src_zipcode,account_id,alert_id,appact,audit_type,response_time,email_modified,email_title,subtype,event_uuid,file_cls_encrypted,fllg,file_pdl,local_source_time,server_packets,client_packets,flpp,risk_score,suppression_count,spet,spst,thr,email_user,tur,total_packets,num_users,watchlist_name,custom_attr,record_type +2bebaadf4ac868577ea32140,Endpoint,-,false,-,block,File Share Access,-,yes,CDS TEST,-,-,Device,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,CDS TEST,block,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,Win11-50-1-105,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,test@gmail.com,-,-,-,-,-,-,-,Windows,Microsoft Windows 11 Pro 10.0.22621 64-bit,-,-,-,-,-,-,TEST,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1747209128,-,-,-,-,-,-,-,endpoint,\Device\Mup\;LanmanRedirector\,-,-,test@gmail.com,-,-,-,-,-,test@gmail.com,-,-,-,-,-,-,-,-,-,-,-,64907a4d-66d6-4a3b-8693-069b206a4479,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,alert +772202b2ea0d6057f886f053,Endpoint,-,false,-,block,Insert,-,yes,BlockEndpoint,-,-,Device,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,BlockEndpoint,block,-,-,-,-,-,-,-,-,-,-,-,MacOs 
check,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,N49J4M9T3C,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,test@gmail.com,-,-,-,-,-,-,-,macOS,Mac OS X Sonoma 14.7.5 arm64,-,-,-,-,-,-,BlockEndpoint,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1747134127,-,-,-,-,-,-,-,endpoint,-,-,-,Test@gmail.com,-,-,-,-,-,Test@gmail.com,-,-,-,-,-,-,-,-,-,-,-,5a5574fd-0083-41c3-996a-81c67e6c45d6,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,alert +eb8fc9903c2fbb6aa05537ff,Client,-,false,-,alert,Edit,-,yes,Web Access Allow,-,-,policy,IT Service/Application Management,Amazon,Amazon Systems Manager,2241753685910532990,-,-,Native,4940241048203471891,-,-,-,92,excellent,-,-,-,-,2631086121425559188,SE,-,-,-,-,SE,-,-,81.2.69.142,Stockholm,443,Stockholm County,Europe/Stockholm,100 04,-,Windows Device,unmanaged,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,ssm.eu-north-1.amazonaws.com,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,Test-IDMHT6TII,-,5254981775376249392,-,202533540828,-,-,-,-,18.0717|59.328699999999998,18.0717|59.328699999999998,-,-,-,-,-,Stockholm,18.0717|59.328699999999998,18.0717|59.328699999999998,-,-,-,-,-,-,no,-,-,-,-,-,-,-,-,-,-,test@gmail.com,-,-,-,-,-,-,-,Windows 11,-,Windows,-,Windows NT 11.0,ssm.eu-north-1.amazonaws.com,-,-,-,Web Access Allow,-,-,SE-STO1,443,-,-,-,-,-,-,-,-,-,-,-,Stockholm County,-,-,-,-,-,-,-,5254981775376249392,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,81.2.69.142,-,-,-,-,-,-,-,-,1747134122,Europe/Stockholm,-,-,CloudApp,5254981775376249392,-,-,nspolicy,-,-,ssm.eu-north-1.amazonaws.com/,test@gmail.com,aws-sdk-go/1.55.5 (go1.23.7; windows; amd64) amazon-ssm-agent/3.3.2299.0,-,-,-,81.2.69.142,test@gmail.com,-,Amazon Systems Manager,100 04,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,alert \ No newline at end of file 
diff --git a/packages/netskope/data_stream/alerts_v2/_dev/deploy/tf/main.tf b/packages/netskope/data_stream/alerts_v2/_dev/deploy/tf/main.tf new file mode 100644 index 00000000000..973c81fbcff --- /dev/null +++ b/packages/netskope/data_stream/alerts_v2/_dev/deploy/tf/main.tf 
@@ -0,0 +1,59 @@ +provider "aws" { + region = "us-east-1" + default_tags { + tags = { + environment = var.ENVIRONMENT + repo = var.REPO + branch = var.BRANCH + build = var.BUILD_ID + created_date = var.CREATED_DATE + } + } +} + +resource "aws_s3_bucket" "bucket" { + bucket = "elastic-package-netskope-alert-v2-bucket-${var.TEST_RUN_ID}" +} + +resource "aws_sqs_queue" "queue" { + name = "elastic-package-netskope-alert-v2-queue-${var.TEST_RUN_ID}" + policy = < { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || v == '-' || v == 'NotChecked' || v == 'NotAvailable' || v == 'NoSSL' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || v == '-' || v == 'NotChecked' || v == 'NotAvailable' || v == 'NoSSL' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - json: + field: netskope.alert_v2.custom_attr + target_field: netskope.alert_v2.custom_attr + ignore_failure: true + if: ctx.netskope?.alert_v2?.custom_attr instanceof String || ctx.netskope?.alert_v2?.custom_attr instanceof Map + - set: + field: event.id + tag: set_event_id_from_alert_v2__id + copy_from: netskope.alert_v2._id + ignore_empty_value: true + - convert: + field: netskope.alert_v2.acked + tag: convert_acked_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.acked + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: netskope.alert_v2.dlp_is_unique_count + tag: convert_dlp_is_unique_count_to_boolean + 
type: boolean + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.dlp_is_unique_count + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.action + tag: set_event_action_from_alert_v2_action + copy_from: netskope.alert_v2.action + ignore_empty_value: true + - lowercase: + field: event.action + tag: lowercase_event_action + ignore_missing: true + - split: + field: event.action + tag: split_event_action + separator: \s+ + ignore_missing: true + if: ctx.event?.action != null && ctx.event.action != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - join: + field: event.action + tag: join_event_action + separator: '-' + if: ctx.event?.action != null && ctx.event.action != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: rule.name + tag: set_rule_name_from_alert_v2_alert_name + copy_from: netskope.alert_v2.alert_name + ignore_empty_value: true + - set: + field: network.application + tag: set_network_application_from_alert_v2_app + copy_from: netskope.alert_v2.app + ignore_empty_value: true + - lowercase: + field: network.application + tag: lowercase_network_application + ignore_missing: true + - convert: + field: netskope.alert_v2.total_packets + tag: convert_total_packets_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.total_packets + - append: + 
field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: network.packets + tag: set_network_packets_from_alert_v2_total_packets + copy_from: netskope.alert_v2.total_packets + ignore_empty_value: true + - convert: + field: netskope.alert_v2.app_session_id + tag: convert_app_session_id_to_string + type: string + ignore_missing: true + - date: + field: netskope.alert_v2.breach_date + tag: date_breach_date + target_field: netskope.alert_v2.breach_date + formats: + - ISO8601 + - UNIX + - epoch_second + if: ctx.netskope?.alert_v2?.breach_date != null && ctx.netskope.alert_v2.breach_date != '' + on_failure: + - remove: + field: netskope.alert_v2.breach_date + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: netskope.alert_v2.breach_score + tag: convert_breach_score_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.breach_score + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: netskope.alert_v2.browser_session_id + tag: convert_browser_session_id_to_string + type: string + ignore_missing: true + - convert: + field: netskope.alert_v2.cci + tag: convert_cci_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.cci + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: netskope.alert_v2.client_bytes + tag: convert_client_bytes_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.client_bytes + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: client.bytes + tag: set_client_bytes_from_alert_v2_client_bytes + copy_from: netskope.alert_v2.client_bytes + ignore_empty_value: true + - convert: + field: netskope.alert_v2.client_packets + tag: convert_client_packets_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.client_packets + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: client.packets + tag: set_client_packets_from_alert_v2_client_packets + copy_from: netskope.alert_v2.client_packets + ignore_empty_value: true + - convert: + field: netskope.alert_v2.conn_duration + tag: convert_conn_duration_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.conn_duration + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: netskope.alert_v2.conn_endtime + tag: date_conn_endtime + target_field: netskope.alert_v2.conn_endtime + formats: + - ISO8601 + - UNIX + - epoch_second + if: ctx.netskope?.alert_v2?.conn_endtime != null && ctx.netskope.alert_v2.conn_endtime != '' + on_failure: + 
- remove: + field: netskope.alert_v2.conn_endtime + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: netskope.alert_v2.conn_starttime + tag: date_conn_starttime + target_field: netskope.alert_v2.conn_starttime + formats: + - ISO8601 + - UNIX + - epoch_second + if: ctx.netskope?.alert_v2?.conn_starttime != null && ctx.netskope.alert_v2.conn_starttime != '' + on_failure: + - remove: + field: netskope.alert_v2.conn_starttime + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: netskope.alert_v2.connection_id + tag: convert_connection_id_to_long + type: string + ignore_missing: true + - convert: + field: netskope.alert_v2.dlp_incident_id + tag: convert_dlp_incident_id_to_long + type: string + ignore_missing: true + - convert: + field: netskope.alert_v2.dlp_parent_id + tag: convert_dlp_parent_id_to_string + type: string + ignore_missing: true + - convert: + field: netskope.alert_v2.dlp_rule_count + tag: convert_dlp_rule_count_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.dlp_rule_count + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: netskope.alert_v2.dlp_unique_count + tag: convert_dlp_unique_count_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.dlp_unique_count + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: host.domain + tag: set_host_domain_from_alert_v2_domain + copy_from: netskope.alert_v2.domain + ignore_empty_value: true + - append: + field: related.hosts + tag: append_alert_v2_domain_into_related_hosts + value: '{{{netskope.alert_v2.domain}}}' + allow_duplicates: false + if: ctx.netskope?.alert_v2?.domain != null + - convert: + field: netskope.alert_v2.domain_ip + tag: convert_domain_ip_to_ip + type: ip + ignore_missing: true + if: ctx.json?.domain_ip != '' + on_failure: + - remove: + field: netskope.alert_v2.domain_ip + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + tag: append_alert_v2_domain_ip_into_related_ip + value: '{{{netskope.alert_v2.domain_ip}}}' + allow_duplicates: false + if: ctx.netskope?.alert_v2?.domain_ip != null + - set: + field: destination.geo.country_iso_code + tag: set_destination_geo_country_iso_code_from_alert_v2_dst_country + copy_from: netskope.alert_v2.dst_country + ignore_empty_value: true + - convert: + field: netskope.alert_v2.dst_geoip_src + tag: convert_dst_geoip_src_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.dst_geoip_src + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: netskope.alert_v2.dst_latitude + tag: convert_dst_latitude_to_double + type: double + ignore_missing: true + on_failure: + - rename: + field: 
netskope.alert_v2.dst_latitude + tag: rename_dst_latitude_to_dst_latitude_keyword + target_field: netskope.alert_v2.dst_latitude_keyword + - set: + field: destination.geo.location.lat + tag: set_destination_geo_location_from_dst_latitude + copy_from: netskope.alert_v2.dst_latitude + ignore_empty_value: true + - convert: + field: netskope.alert_v2.dst_longitude + tag: convert_dst_longitude_to_double + type: double + ignore_missing: true + on_failure: + - rename: + field: netskope.alert_v2.dst_longitude + tag: rename_dst_longitude_to_dst_longitude_keyword + target_field: netskope.alert_v2.dst_longitude_keyword + - set: + field: destination.geo.location.lon + tag: set_destination_geo_location_from_dst_longitude + copy_from: netskope.alert_v2.dst_longitude + ignore_empty_value: true + - remove: + field: destination.geo.location + if: >- + !(ctx.destination?.geo?.location?.lat instanceof double) + || !(ctx.destination.geo.location.lon instanceof double) + || ctx.destination.geo.location.lat < -90.0 + || ctx.destination.geo.location.lat > 90.0 + || ctx.destination.geo.location.lon < -180.0 + || ctx.destination.geo.location.lon > 180.0 + ignore_failure: true + - set: + field: destination.geo.city_name + tag: set_destination_geo_city_name_from_alert_v2_dst_location + copy_from: netskope.alert_v2.dst_location + ignore_empty_value: true + - set: + field: destination.geo.region_name + tag: set_destination_geo_region_name_from_alert_v2_dst_region + copy_from: netskope.alert_v2.dst_region + ignore_empty_value: true + - set: + field: destination.geo.timezone + tag: set_destination_geo_timezone_from_alert_v2_dst_timezone + copy_from: netskope.alert_v2.dst_timezone + ignore_empty_value: true + - set: + field: destination.geo.postal_code + tag: set_destination_geo_postal_code_from_alert_v2_dst_zipcode + copy_from: netskope.alert_v2.dst_zipcode + ignore_empty_value: true + - set: + field: destination.domain + tag: set_destination_domain_from_alert_v2_dsthost + copy_from: 
netskope.alert_v2.dsthost + ignore_empty_value: true + - append: + field: related.hosts + tag: append_alert_v2_dsthost_into_related_hosts + value: '{{{netskope.alert_v2.dsthost}}}' + allow_duplicates: false + if: ctx.netskope?.alert_v2?.dsthost != null + - convert: + field: netskope.alert_v2.dstip + tag: convert_dstip_to_ip + type: ip + ignore_missing: true + if: ctx.json?.dstip != '' + on_failure: + - remove: + field: netskope.alert_v2.dstip + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.ip + tag: set_destination_ip_from_alert_v2_dstip + copy_from: netskope.alert_v2.dstip + ignore_empty_value: true + - append: + field: related.ip + tag: append_alert_v2_dstip_into_related_ip + value: '{{{netskope.alert_v2.dstip}}}' + allow_duplicates: false + if: ctx.netskope?.alert_v2?.dstip != null + - convert: + field: netskope.alert_v2.dstport + tag: convert_dstport_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.dstport + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.port + tag: set_destination_port_from_alert_v2_dstport + copy_from: netskope.alert_v2.dstport + ignore_empty_value: true + - set: + field: email.subject + tag: set_email_subject_from_alert_v2_email_title + copy_from: netskope.alert_v2.email_title + ignore_empty_value: true + - convert: + field: netskope.alert_v2.file_cls_encrypted + tag: convert_file_cls_encrypted_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.file_cls_encrypted + - append: + field: error.message + 
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: netskope.alert_v2.executable_signed + tag: convert_executable_signed_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.executable_signed + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.hosts + tag: append_alert_v2_file_exposure_into_related_hosts + value: '{{{netskope.alert_v2.file_exposure}}}' + allow_duplicates: false + if: ctx.netskope?.alert_v2?.file_exposure != null + - set: + field: file.path + tag: set_file_path_from_alert_v2_file_path + copy_from: netskope.alert_v2.file_path + ignore_empty_value: true + - convert: + field: netskope.alert_v2.file_size + tag: convert_file_size_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.file_size + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: file.size + tag: set_file_size_from_alert_v2_file_size + copy_from: netskope.alert_v2.file_size + ignore_empty_value: true + - set: + field: file.type + tag: set_file_type_from_alert_v2_file_type + copy_from: netskope.alert_v2.file_type + ignore_empty_value: true + - set: + field: host.name + tag: set_host_name_from_alert_v2_hostname + copy_from: netskope.alert_v2.hostname + ignore_empty_value: true + - append: + field: related.hosts + tag: append_alert_v2_hostname_into_related_hosts + value: '{{{netskope.alert_v2.hostname}}}' 
+ allow_duplicates: false + if: ctx.netskope?.alert_v2?.hostname != null + - convert: + field: netskope.alert_v2.iaas_remediated + tag: convert_iaas_remediated_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.iaas_remediated + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: netskope.alert_v2.iaas_remediated_on + tag: convert_iaas_remediated_on_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.iaas_remediated_on + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: process.hash.md5 + tag: set_process_hash_md5_from_alert_v2_local_md5 + copy_from: netskope.alert_v2.local_md5 + ignore_empty_value: true + - append: + field: related.hash + tag: append_alert_v2_local_md5_into_related_hash + value: '{{{netskope.alert_v2.local_md5}}}' + allow_duplicates: false + if: ctx.netskope?.alert_v2?.local_md5 != null + - set: + field: process.hash.sha1 + tag: set_process_hash_sha1_from_alert_v2_local_sha1 + copy_from: netskope.alert_v2.local_sha1 + ignore_empty_value: true + - append: + field: related.hash + tag: append_alert_v2_local_sha1_into_related_hash + value: '{{{netskope.alert_v2.local_sha1}}}' + allow_duplicates: false + if: ctx.netskope?.alert_v2?.local_sha1 != null + - set: + field: process.hash.sha256 + tag: set_process_hash_sha256_from_alert_v2_local_sha256 + copy_from: netskope.alert_v2.local_sha256 + ignore_empty_value: true + - append: + field: related.hash + tag: append_alert_v2_local_sha1_into_related_hash + value: 
'{{{netskope.alert_v2.local_sha256}}}' + allow_duplicates: false + if: ctx.netskope?.alert_v2?.local_sha256 != null + - set: + field: file.hash.md5 + tag: set_file_hash_md5_from_alert_v2_md5 + copy_from: netskope.alert_v2.md5 + ignore_empty_value: true + - append: + field: related.hash + tag: append_alert_v2_md5_into_related_hash + value: '{{{netskope.alert_v2.md5}}}' + allow_duplicates: false + if: ctx.netskope?.alert_v2?.md5 != null + - set: + field: file.mime_type + tag: set_file_mime_type_from_alert_v2_mime_type + copy_from: netskope.alert_v2.mime_type + ignore_empty_value: true + - convert: + field: netskope.alert_v2.numbytes + tag: convert_numbytes_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.numbytes + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: netskope.alert_v2.dlp_fingerprint_score + tag: convert_dlp_fingerprint_score_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.dlp_fingerprint_score + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: netskope.alert_v2.dlp_rule_score + tag: convert_dlp_rule_score_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.dlp_rule_score + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: organization.name + tag: set_organization_name_from_alert_v2_org 
+ copy_from: netskope.alert_v2.org + ignore_empty_value: true + - set: + field: host.os.full + tag: set_host_os_full_from_alert_v2_os + copy_from: netskope.alert_v2.os + ignore_empty_value: true + - set: + field: host.os.family + tag: set_host_os_family_from_alert_v2_os_family + copy_from: netskope.alert_v2.os_family + ignore_empty_value: true + - set: + field: host.os.version + tag: set_host_os_version_from_alert_v2_os_version + copy_from: netskope.alert_v2.os_version + ignore_empty_value: true + - set: + field: http.request.referrer + tag: set_http_request_referrer_from_alert_v2_referer + copy_from: netskope.alert_v2.referer + ignore_empty_value: true + - convert: + field: netskope.alert_v2.req_cnt + tag: convert_req_cnt_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.req_cnt + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: netskope.alert_v2.request_id + tag: convert_request_id_to_string + type: string + ignore_missing: true + - convert: + field: netskope.alert_v2.resp_cnt + tag: convert_resp_cnt_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.resp_cnt + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: netskope.alert_v2.server_bytes + tag: convert_server_bytes_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.server_bytes + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.bytes + tag: set_destination_bytes_from_alert_v2_server_bytes + copy_from: netskope.alert_v2.server_bytes + ignore_empty_value: true + - convert: + field: netskope.alert_v2.server_packets + tag: convert_server_packets_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.server_packets + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: server.packets + tag: set_server_packets_from_alert_v2_server_packets + copy_from: netskope.alert_v2.server_packets + ignore_empty_value: true + - convert: + field: netskope.alert_v2.session_duration + tag: convert_session_duration_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.session_duration + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: netskope.alert_v2.srcport + tag: convert_alert_v2_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.event_v2.alert_v2 + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + lang: painless + description: Script to set event.severity. 
+ tag: set_event_severity + if: ctx.netskope?.alert_v2?.severity != null && ctx.netskope.alert_v2.severity instanceof String + source: |- + ctx.event = ctx.event ?: [:]; + String risk_score_value = ctx.netskope.alert_v2.severity; + if (risk_score_value.equalsIgnoreCase("low") || risk_score_value.equalsIgnoreCase("informational")) { + ctx.event.severity = 21; + } else if (risk_score_value.equalsIgnoreCase("medium")) { + ctx.event.severity = 47; + } else if (risk_score_value.equalsIgnoreCase("high")) { + ctx.event.severity = 73; + } else if (risk_score_value.equalsIgnoreCase("critical")) { + ctx.event.severity = 99; + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: netskope.alert_v2.end_time + tag: date_end_time + target_field: netskope.alert_v2.end_time + formats: + - 'yyyy-MM-dd HH:mm:ss' + - ISO8601 + if: ctx.netskope?.alert_v2?.end_time != null && ctx.netskope.alert_v2.end_time != '' + on_failure: + - remove: + field: netskope.alert_v2.end_time + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.end + tag: set_event_end_from_alert_v2_end_time + copy_from: netskope.alert_v2.end_time + ignore_empty_value: true + - date: + field: netskope.alert_v2.start_time + tag: date_start_time + target_field: netskope.alert_v2.start_time + formats: + - 'yyyy-MM-dd HH:mm:ss' + - ISO8601 + if: ctx.netskope?.alert_v2?.start_time != null && ctx.netskope.alert_v2.start_time != '' + on_failure: + - remove: + field: netskope.alert_v2.start_time + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.start + tag: set_event_start_from_alert_v2_start_time + copy_from: netskope.alert_v2.start_time + ignore_empty_value: true + - set: + field: source.geo.country_iso_code + tag: set_source_geo_country_iso_code_from_alert_v2_src_country + copy_from: netskope.alert_v2.src_country + ignore_empty_value: true + - convert: + field: netskope.alert_v2.src_geoip_src + tag: convert_src_geoip_src_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: netskope.alert_v2.src_geoip_src + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: netskope.alert_v2.src_latitude + tag: convert_src_latitude_to_double + type: double + ignore_missing: true + on_failure: + - rename: + field: netskope.alert_v2.src_latitude + tag: rename_src_latitude_to_dst_latitude_keyword + target_field: netskope.alert_v2.src_latitude_keyword + - set: + field: source.geo.location.lat + tag: set_source_geo_location_from_src_latitude + copy_from: netskope.alert_v2.src_latitude + ignore_empty_value: true + - convert: + field: netskope.alert_v2.src_longitude + tag: convert_src_longitude_to_double + type: double + ignore_missing: true + on_failure: + - rename: + field: netskope.alert_v2.src_longitude + tag: rename_src_longitude_to_src_longitude_keyword + target_field: netskope.alert_v2.src_longitude_keyword + - set: + field: source.geo.location.lon + tag: set_source_geo_location_from_src_longitude + copy_from: netskope.alert_v2.src_longitude + ignore_empty_value: true + - remove: + field: source.geo.location + if: ctx.source?.geo?.location?.lat == null || ctx.source.geo.location?.lon == null || ctx.source.geo.location.lat < 
-90.0 || ctx.source.geo.location.lat > 90.0 || ctx.source.geo.location.lon < -180.0 || ctx.source.geo.location.lon > 180.0 + ignore_failure: true + - set: + field: source.geo.city_name + tag: set_source_geo_city_name_from_alert_v2_src_location + copy_from: netskope.alert_v2.src_location + ignore_empty_value: true + - set: + field: source.geo.region_name + tag: set_source_geo_region_name_from_alert_v2_src_region + copy_from: netskope.alert_v2.src_region + ignore_empty_value: true + - set: + field: source.geo.timezone + tag: set_source_geo_timezone_from_alert_v2_src_timezone + copy_from: netskope.alert_v2.src_timezone + ignore_empty_value: true + - set: + field: source.geo.postal_code + tag: set_source_geo_postal_code_from_alert_v2_src_zipcode + copy_from: netskope.alert_v2.src_zipcode + ignore_empty_value: true + - convert: + field: netskope.alert_v2.srcip + tag: convert_srcip_to_ip + type: ip + ignore_missing: true + if: ctx.json?.srcip != '' + on_failure: + - remove: + field: netskope.alert_v2.srcip + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.ip + tag: set_source_ip_from_alert_v2_srcip + copy_from: netskope.alert_v2.srcip + ignore_empty_value: true + - append: + field: related.ip + tag: append_alert_v2_srcip_into_related_ip + value: '{{{netskope.alert_v2.srcip}}}' + allow_duplicates: false + if: ctx.netskope?.alert_v2?.srcip != null + - date: + field: netskope.alert_v2.timestamp + tag: date_timestamp + target_field: netskope.alert_v2.timestamp + formats: + - ISO8601 + - UNIX + - epoch_second + if: ctx.netskope?.alert_v2?.timestamp != null && ctx.netskope.alert_v2.timestamp != '' + on_failure: + - remove: + field: netskope.alert_v2.timestamp + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: netskope.alert_v2.modified_date + tag: date_modified_date + target_field: netskope.alert_v2.modified_date + formats: + - ISO8601 + - UNIX + - epoch_second + if: ctx.netskope?.alert_v2?.modified_date != null && ctx.netskope.alert_v2.modified_date != '' + on_failure: + - remove: + field: netskope.alert_v2.modified_date + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + tag: set_@timestamp_from_alert_v2_timestamp + copy_from: netskope.alert_v2.timestamp + ignore_empty_value: true + - convert: + field: netskope.alert_v2.transaction_id + tag: convert_transaction_id_to_string + type: string + ignore_missing: true + - set: + field: url.original + tag: set_url_original_from_alert_v2_url + copy_from: netskope.alert_v2.url + ignore_empty_value: true + - set: + field: user.email + tag: set_user_email_from_alert_v2_user + copy_from: netskope.alert_v2.user + ignore_empty_value: true + - append: + field: related.user + tag: append_alert_v2_user_into_related_user + value: '{{{netskope.alert_v2.user}}}' + allow_duplicates: false + if: ctx.netskope?.alert_v2?.user != null + - append: + field: related.user + tag: append_alert_v2_act_user_into_related_user + value: '{{{netskope.alert_v2.act_user}}}' + allow_duplicates: false + if: ctx.netskope?.alert_v2?.act_user != null + - append: + field: related.user + tag: append_alert_v2_to_user_into_related_user + value: '{{{netskope.alert_v2.to_user}}}' + allow_duplicates: false + if: ctx.netskope?.alert_v2?.to_user != null + - convert: + field: netskope.alert_v2.user_confidence_index + tag: convert_user_confidence_index_to_long + type: long + ignore_missing: true 
+ on_failure: + - remove: + field: netskope.alert_v2.user_confidence_index + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: user.id + tag: set_user_id_from_alert_v2_user_id + copy_from: netskope.alert_v2.user_id + ignore_empty_value: true + - append: + field: related.user + tag: append_alert_v2_user_id_into_related_user + value: '{{{netskope.alert_v2.user_id}}}' + allow_duplicates: false + if: ctx.netskope?.alert_v2?.user_id != null + - user_agent: + field: netskope.alert_v2.useragent + if: ctx.netskope?.alert_v2?.useragent != null && ctx.netskope.alert_v2.useragent != '' + tag: 'user_agent_processor' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: user.group.name + tag: set_user_group_name_from_alert_v2_usergroup + copy_from: netskope.alert_v2.usergroup + ignore_empty_value: true + - append: + field: related.user + tag: append_alert_v2_usergroup_into_related_user + value: '{{{netskope.alert_v2.usergroup}}}' + allow_duplicates: false + if: ctx.netskope?.alert_v2?.usergroup != null + - convert: + field: netskope.alert_v2.userip + tag: convert_userip_to_ip + type: ip + ignore_missing: true + if: ctx.json?.userip != '' + on_failure: + - remove: + field: netskope.alert_v2.userip + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + tag: append_alert_v2_userip_into_related_ip + value: '{{{netskope.alert_v2.userip}}}' + 
allow_duplicates: false + if: ctx.netskope?.alert_v2?.userip != null + - append: + field: related.user + tag: append_alert_v2_userkey_into_related_user + value: '{{{netskope.alert_v2.userkey}}}' + allow_duplicates: false + if: ctx.netskope?.alert_v2?.userkey != null + - set: + field: event.url + tag: set_event_url_from_alert_v2_web_url + copy_from: netskope.alert_v2.web_url + ignore_empty_value: true + - convert: + field: netskope.alert_v2.incident_id + tag: convert_incident_id_to_string + type: string + ignore_missing: true + - convert: + field: netskope.alert_v2.risk_level_id + tag: convert_risk_level_id_to_string + type: string + ignore_missing: true + - convert: + field: netskope.alert_v2.severity_id + tag: convert_severity_id_to_string + type: string + ignore_missing: true + - convert: + field: netskope.alert_v2.tunnel_id + tag: convert_tunnel_id_to_string + type: string + ignore_missing: true + - convert: + field: netskope.alert_v2.network_session_id + tag: convert_network_session_id_to_string + type: string + ignore_missing: true + - remove: + field: + - netskope.alert_v2._id + - netskope.alert_v2.action + - netskope.alert_v2.alert_name + - netskope.alert_v2.app + - netskope.alert_v2.client_bytes + - netskope.alert_v2.client_packets + - netskope.alert_v2.domain + - netskope.alert_v2.dst_country + - netskope.alert_v2.dst_location + - netskope.alert_v2.dst_region + - netskope.alert_v2.dst_timezone + - netskope.alert_v2.dst_zipcode + - netskope.alert_v2.dsthost + - netskope.alert_v2.dstip + - netskope.alert_v2.dstport + - netskope.alert_v2.email_title + - netskope.alert_v2.end_time + - netskope.alert_v2.file_path + - netskope.alert_v2.file_size + - netskope.alert_v2.file_type + - netskope.alert_v2.hostname + - netskope.alert_v2.local_md5 + - netskope.alert_v2.local_sha1 + - netskope.alert_v2.local_sha256 + - netskope.alert_v2.md5 + - netskope.alert_v2.mime_type + - netskope.alert_v2.org + - netskope.alert_v2.os + - netskope.alert_v2.os_family + - 
netskope.alert_v2.os_version + - netskope.alert_v2.referer + - netskope.alert_v2.server_bytes + - netskope.alert_v2.server_packets + - netskope.alert_v2.severity + - netskope.alert_v2.start_time + - netskope.alert_v2.src_country + - netskope.alert_v2.src_location + - netskope.alert_v2.src_region + - netskope.alert_v2.src_timezone + - netskope.alert_v2.src_zipcode + - netskope.alert_v2.srcip + - netskope.alert_v2.timestamp + - netskope.alert_v2.total_packets + - netskope.alert_v2.url + - netskope.alert_v2.user + - netskope.alert_v2.user_id + - netskope.alert_v2.useragent + - netskope.alert_v2.usergroup + - netskope.alert_v2.web_url + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: json + tag: remove_json + ignore_missing: true + - set: + field: event.kind + tag: set_event_kind_to_alert + value: alert + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/netskope/data_stream/alerts_v2/fields/base-fields.yml b/packages/netskope/data_stream/alerts_v2/fields/base-fields.yml new file mode 100644 index 00000000000..c2fb3e0d9bc --- /dev/null +++ b/packages/netskope/data_stream/alerts_v2/fields/base-fields.yml 
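Review bot: the `srcport` convert processor's `on_failure` handler removes the wrong field and carries a mislabelled tag: `- remove: field: netskope.event_v2.alert_v2` should be `field: netskope.alert_v2.srcport`, and `tag: convert_alert_v2_to_long` should be `convert_srcport_to_long`. As written, a non-numeric `srcport` makes the remove itself fail (that field never exists and `ignore_missing` is not set), so the failure escalates to the pipeline-level `on_failure` and the whole event is marked `pipeline_error`; note also that no `set` of `source.port` follows this convert, unlike `dstport` → `destination.port`, and `srcport` is absent from the `remove_custom_duplicate_fields` list. Other points in this pipeline: `file_exposure` (a sharing-exposure value such as a visibility level, not a hostname) is appended to `related.hosts` and should be dropped from that processor; the `local_sha256` append reuses `tag: append_alert_v2_local_sha1_into_related_hash`, and the src latitude fallback uses `tag: rename_src_latitude_to_dst_latitude_keyword`, both copy-paste leftovers; the `dstip`, `srcip` and `userip` converts are guarded by `if: ctx.json?.dstip != ''` (and the srcip/userip equivalents) while converting `netskope.alert_v2.*`, so unless `json` is still populated at this point the guard is always true and an empty string turns into a spurious `error.message` entry; `server_bytes` is copied to `destination.bytes` but `server_packets` to `server.packets`, mixing the ECS `destination.*` and `server.*` pairs, and one of the two should be chosen consistently; the `source.geo.location` removal condition checks `== null` where the destination one checks `instanceof double`, so a string lat/lon on the source side is only caught by `ignore_failure`; and the `user_agent` processor's failure message uses `fail-{{{_ingest.on_failure_processor_tag}}}` and `{{{_ingest.pipeline}}}` instead of the `{{{_ingest.on_failure_pipeline}}}` form used by every other handler.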
@@ -0,0 +1,16 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: "@timestamp" + external: ecs +- name: event.module + type: constant_keyword + external: ecs + value: netskope +- name: event.dataset + type: constant_keyword + external: ecs + value: netskope.alerts_v2 diff --git a/packages/netskope/data_stream/alerts_v2/fields/beats.yml b/packages/netskope/data_stream/alerts_v2/fields/beats.yml new file mode 100644 index 00000000000..d9b1cd412fa --- /dev/null +++ b/packages/netskope/data_stream/alerts_v2/fields/beats.yml @@ -0,0 +1,24 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.offset + type: long + description: Log offset. +- name: aws.s3 + type: group + fields: + - name: bucket + type: group + fields: + - name: name + type: keyword + description: The AWS S3 bucket name. + - name: arn + type: keyword + description: The AWS S3 bucket ARN. + - name: object + type: group + fields: + - name: key + type: keyword + description: The AWS S3 Object key. diff --git a/packages/netskope/data_stream/alerts_v2/fields/fields.yml b/packages/netskope/data_stream/alerts_v2/fields/fields.yml new file mode 100644 index 00000000000..fe231777fa6 --- /dev/null +++ b/packages/netskope/data_stream/alerts_v2/fields/fields.yml 
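Review bot: beats.yml declares only the `aws.s3.bucket.*` and `aws.s3.object.key` input metadata; if this data stream is also fed by the GCS and Azure Blob Storage inputs, the bucket/container and object metadata fields those inputs attach to each event need declarations here too, otherwise they end up dynamically mapped and differ between deployments. The base-fields.yml hunk looks complete.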
@@ -0,0 +1,690 @@ +- name: netskope + type: group + fields: + - name: alert_v2 + type: group + fields: + - name: _id + type: keyword + description: Unique id - hexadecimal string. + - name: access_method + type: keyword + description: Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event.For log uploads this shows the actual log type such as PAN, Websense, etc. + - name: account_id + type: keyword + description: Account ID is an account number as provided by the cloud provider AWS, GCP and AZURE etc. + - name: account_name + type: keyword + description: Account name - in case of AWS this is the instance name set by user. For others, account name is provided by the cloud provider. + - name: acked + type: boolean + description: Whether user has acknowledged the alert or not. + - name: action + type: keyword + description: Action taken on the event for the policy. + - name: activity + type: keyword + description: Description of the user performed activity. + - name: act_user + type: keyword + description: Acting User is the user responsible for the configured policy violation. + - name: alert + type: keyword + description: Indicates whether alert is generated or not and its populated as yes for all alerts. + - name: alert_id + type: keyword + description: Indicates the alert is raised and the carries the id of the alert raised. + - name: alert_name + type: keyword + description: Indicates the alert is raised and the carries the name of the alert raised. + - name: alert_source + type: keyword + description: Indicates the alert is raised and the carries the Netskope solution name as source of the alert raised. + - name: alert_type + type: keyword + description: Indicates the alert is raised and the carries the type of the alert raised. 
+ - name: app + type: keyword + description: Specific cloud application used by the user. + - name: app_session_id + type: keyword + description: Unique App/Site Session ID for traffic_type = CloudApp and Web. An app session starts when a user starts using a cloud app/site on and ends once they have been inactive for a certain period of time(15 minutes). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain. + - name: appcategory + type: keyword + description: The application category. + - name: appsuite + type: keyword + description: 'The SAAS application suite ( Ex : Microsoft Office / Google Docs etc ).' + - name: audit_type + type: keyword + description: The sub category in audit according to SaaS / IaaS apps. + - name: bcc + type: keyword + description: Breach target references for compromised credentials or BCC users information in the case of SMTP DLP incident. + - name: breach_date + type: date + description: Breach Metric date for compromised credentials. + - name: breach_id + type: keyword + description: Breach description for compromised credentials. + - name: breach_score + type: long + description: Breach score for compromised credentials. + - name: browser + type: keyword + description: Shows the actual browser from where the cloud app was accessed.A native browser refers to Safari (iOS), Chrome (Android), or the default browser on the user's laptop. + - name: browser_session_id + type: keyword + description: Browser Session Id. + - name: cc + type: keyword + description: SMTP Proxy will parse the cc field in the email and send them to DLP in the event object. The cc recipients from the e-mail header, up to 1KB. + - name: cci + type: long + description: Cloud confidence Index value as Integer. + - name: ccl + type: keyword + description: 'Cloud Confidence Level. 
CCL measures the enterprise readiness of the cloud apps taking into consideration those apps security, auditability and business continuity.Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL.' + - name: client_bytes + type: long + description: Total number of bytes uploaded from client to server. + - name: client_packets + type: long + description: Total number of packets uploaded from client to server. + - name: computer_name + type: keyword + description: Computer name of the end point. + - name: conn_duration + type: long + description: Duration of the connection in milliseconds. Useful for querying long-lived sessions. + - name: conn_endtime + type: date + description: Connection end time. + - name: conn_starttime + type: date + description: Connection start time. + - name: connection_id + type: keyword + description: Each connection has a unique ID. Shows the ID for the connection event. + - name: connection_type + type: keyword + description: EndPoint DLP connection mode. + - name: custom_attr + type: group + description: A map containing all the custom attributes added by customer using ADImporter returned as key-value pair. + fields: + - name: usr_display_name + type: keyword + description: User display name from custom attributes. + - name: usr_status + type: keyword + description: User status from custom attributes. + - name: usr_title + type: keyword + description: User title from custom attributes. + - name: usr_udf_businesssegmentlevel2 + type: keyword + description: Business segment level 2 from custom attributes. + - name: usr_udf_businesssegmentlevel3 + type: keyword + description: Business segment level 3 from custom attributes. + - name: usr_udf_companyname + type: keyword + description: Company name from custom attributes. + - name: usr_udf_employeeid + type: keyword + description: Employee ID from custom attributes. 
+ - name: usr_udf_primarydomain + type: keyword + description: Primary domain from custom attributes. + - name: usr_udf_supervisorname + type: keyword + description: Supervisor name from custom attributes. + - name: destination_file_directory + type: keyword + description: The directory and filename of the destination file on the endpoint. + - name: destination_file_name + type: keyword + description: Endpoint DLP destination file name. + - name: destination_file_path + type: keyword + description: Endpoint DLP destination file path. + - name: device + type: keyword + description: Device type from where the user accessed the cloud app. It could be Macintosh Windows device, iPad etc. + - name: device_classification + type: keyword + description: Designation of device as determined by the Netskope Client as to whether the device is managed or not. + - name: device_sn + type: keyword + description: Device serial number. + - name: device_type + type: keyword + description: Device type. + - name: detection_engine + type: keyword + description: Threat Detection engine name. + - name: dlp_file + type: keyword + description: File/Object name extracted from the file/object. + - name: dlp_fingerprint_classification + type: keyword + description: Fingerprint classification. + - name: dlp_fingerprint_match + type: keyword + description: Fingerprint classification match file name. + - name: dlp_fingerprint_score + type: long + description: Fingerprint classification score + - name: dlp_incident_id + type: keyword + description: Incident ID associated with sub-file in DLP scans. In the case of main file, this is same as the parent incident ID. + - name: dlp_is_unique_count + type: boolean + description: True or false depending upon if rule is unique counted per rule data. + - name: dlp_parent_id + type: keyword + description: Incident ID associated with main container (or non-container) file that was scanned. + - name: dlp_profile + type: keyword + description: DLP profile name. 
+ - name: dlp_profile_name + type: keyword + description: DLP profile name. + - name: dlp_rule + type: keyword + description: DLP rule that triggered the scans. + - name: dlp_rule_count + type: long + description: Count of dlp rule hits. + - name: dlp_rule_severity + type: keyword + description: Severity of DLP rule. + - name: dlp_rule_score + type: long + description: DLP rule score for weighted dictionaries. + - name: dlp_unique_count + type: long + description: Integer value of number of unique matches seen per rule data. Only present if rule is uniquely counted. + - name: dns_profile + type: keyword + description: DNS profiles allow you to control, inspect, and log all or blocked DNS traffic. When configuring a DNS profile, you can configure the actions taken for specific domain categories and choose to allow or block specific domains. This field contains the configuration file name. + - name: domain + type: keyword + description: Domain value. This will hold the host header value or SNI or extracted from absolute URI. + - name: domain_ip + type: ip + description: Domain IP address. + - name: dst_country + type: keyword + description: Application's two-letter country code as determined by the Maxmind or IP2Location Geo Database. + - name: dst_geoip_src + type: long + description: Source from where the location of Destination IP was derived. + - name: dst_latitude + type: double + description: Latitude of the Application as determined by the Maxmind or IP2Location Geo Database. + - name: dst_latitude_keyword + type: keyword + - name: dst_location + type: keyword + description: Application's city as determined by the Maxmind or IP2Location Geo database. + - name: dst_longitude + type: double + description: Longitude of the Application as determined by the Maxmind or IP2Location Geo Database. 
+ - name: dst_longitude_keyword + type: keyword + - name: dst_region + type: keyword + description: Application's state or region as determined by the Maxmind or IP2Location Geo Database. + - name: dst_timezone + type: keyword + description: Destination timezone. + - name: dst_zipcode + type: keyword + description: Application's zip code as determined by the Maxmind or IP2Location Geo Database. + - name: dsthost + type: keyword + description: Destination host. + - name: dstip + type: ip + description: IP address where the destination app is hosted. + - name: dstport + type: long + description: Destination port. + - name: driver + type: keyword + description: Driver name used by endpoint device. + - name: end_time + type: date + description: When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. + - name: email_title + type: keyword + description: Email subject. + - name: event_uuid + type: keyword + description: Unique ID to recognize applation event activities. + - name: executable_hash + type: keyword + description: Flag to indicate if executable_hash is signed or not. + - name: executable_signed + type: boolean + description: Flag to indicate if executable_hash is signed or not. + - name: filename + type: keyword + description: Filename found during Malware threat detection. + - name: file_category + type: keyword + description: Type of file category. + - name: file_cls_encrypted + type: boolean + description: Its a boolean value representing whether its CLS encrypted or not. + - name: file_exposure + type: keyword + description: File sharing exposure value for SaaS apps. + - name: file_id + type: keyword + description: Unique file id to recognize the file. + - name: file_origin + type: keyword + description: File origin source location. + - name: file_path + type: keyword + description: Path of the file in the application. 
+ - name: file_size + type: long + description: Size of the file in bytes. + - name: file_type + type: keyword + description: File type as detected by Netskope Solutions. + - name: from_user + type: keyword + description: Email address used to login to the SAAS app. + - name: hostname + type: keyword + description: User's Host name. + - name: iaas_remediated + type: boolean + description: value representing whether IAAS alerts remediated or not. + - name: iaas_remediated_by + type: keyword + description: IAAS/CSA scan alerts can be remediated by taking remediation steps. This field captures the admin's email address who applied the remediation steps. + - name: iaas_remediated_on + type: long + description: IAAS/CSA scan alerts can be remediated by taking remediation steps. This field captures the time in epoch format when remediation steps were taken. + - name: iaas_remediation_action + type: keyword + description: IAAS/CSA scan alerts can be remediated by taking remediation steps. This field captures the action taken. + - name: ip_protocol + type: keyword + description: Assigned Internet Protocol Number. + - name: incident_id + type: keyword + description: Unique Incident ID associated with main container (or non-container) file that was scanned. + - name: instance + type: keyword + description: Instance associated with an organization application instance. + - name: instance_id + type: keyword + description: Unique ID associated with an organization application instance. + - name: instance_name + type: keyword + description: App instances are configured while configuring policies. instance_name is the custom name chose by admin. + - name: loc + type: keyword + description: Short name for location. + - name: local_md5 + type: keyword + description: MD5 of the sample which was calculated by Netskope's FastScan (TSS) service. + - name: local_sha1 + type: keyword + description: SHA1 of the sample which was calculated by Netskope's fastscan (TSS) service. 
+ - name: local_sha256 + type: keyword + description: SHA256 of the sample which was calculated by Netskope's fastscan (TSS) service. + - name: location + type: keyword + description: A string that specifies the physical location of the printer (for example, Bldg. 38, Room 1164). + - name: malware_id + type: keyword + description: Unique id assigned to recognize the malware. + - name: malware_severity + type: keyword + description: Malware Severity category. + - name: malware_type + type: keyword + description: Type of malware detected. + - name: mal_id + type: keyword + description: Unique id assigned to recognize the malware. + - name: mal_type + type: keyword + description: Type of malware detected. + - name: managed_app + type: keyword + description: Whether or not the app in question is managed. + - name: managementID + type: keyword + description: Field value is attached to Devices Host Info Object. + - name: md5 + type: keyword + description: MD5 value of the file content. + - name: message_id + type: keyword + description: Unique message id used internally by NSProxy. + - name: mime_type + type: keyword + description: A media type (also known as a Multipurpose Internet Mail Extensions or MIME type) indicates the nature and format of a document, file, or assortment of bytes. + - name: modified_date + type: date + description: File modification date found during malware detection. Timestamp in epoch format. + - name: netskope_pop + type: keyword + description: Netskope Data Plane name. + - name: network_session_id + type: keyword + description: Network session ID used by NPA services. + - name: nsdeviceuid + type: keyword + description: Device ID attached to Devices Host Info Object. + - name: numbytes + type: long + description: Total number of bytes that were transmitted for the connection - numbytes = client_bytes + server_bytes. 
+ - name: oauth + type: keyword + description: Oauth is a standard that allows applications to access a user's data without the user needing to share their password. This field holds value if it was used or not. + - name: object + type: keyword + description: Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc.Incident object name and the value of the field represents the object details of the incident triggered. + - name: object_id + type: keyword + description: Unique ID associated with an object. + - name: object_type + type: keyword + description: Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc. + - name: org + type: keyword + description: Search for events from a specific organization. Organization name is derived from the user ID. + - name: organization_unit + type: keyword + description: Org Units for which the event correlates to. This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application. + - name: os + type: keyword + description: Operating system of the host who generated the event. + - name: os_details + type: keyword + description: Detailed OS version string. + - name: os_family + type: keyword + description: Operating system type of the end user's device. + - name: os_user_name + type: keyword + description: Username on the local machine that performs action. + - name: os_version + type: keyword + description: OS version of the host. + - name: owner + type: keyword + description: Owner or the user information of the file object in DLP. + - name: owner_pdl + type: keyword + description: File's owner Preferred Data Location derived from owner uid(OneDrive) and site URL(SharePoint). + - name: page + type: keyword + description: The URL of the originating page. + - name: parent_id + type: keyword + description: Parent ID ( event_id ) of an alert. 
+ - name: pid + type: keyword + description: Process ID that is doing file processing ex:- A process that trigger the evaluation. + - name: policy + type: keyword + description: Name of the policy configured by an admin. + - name: policy_action + type: keyword + description: Endpoint DLP Policy action planned according to the policy. User can override the planned action or actual enforcement action might not be implemented. + - name: policy_name + type: keyword + description: Endpoint DLP Name of matching policy. + - name: policy_name_enforced + type: keyword + description: Actual action taken by Endpoint DLP Policy. + - name: policy_version + type: keyword + description: Endpoint DLP Policy name configured version number. + - name: pop_id + type: keyword + description: Netskope MPs/DPs unique id. + - name: port + type: keyword + description: A string that identifies the port(s) used to transmit data to the printer. If a printer is connected to more than one port, the names of each port must be separated by commas (for example, LPT1:,LPT2:,LPT3:). + - name: process_cert_subject + type: keyword + description: the subject of the certificate that signed the process. + - name: process_name + type: keyword + description: Endpoint process Name For example:- native application for Printer on User's Laptop. + - name: process_path + type: keyword + description: The path to the process that performed the action on the endpoint. + - name: product_id + type: keyword + description: It's Part of USB specification. Used to identify a USB device. + - name: publisher_cn + type: keyword + description: The publisher CName. + - name: quarantine_action_reason + type: keyword + description: Reason for the action taken for quarantine. + - name: record_type + type: keyword + description: Indicate the event type of the record. + - name: redirect_url + type: keyword + description: URL name where traffic is redirected based on the applied Policy. 
+ - name: referer + type: keyword + description: Referer URL associated with an activity in a cloud app.Referer URL of the application(with http) that the user visited as provided by the log or data plane traffic. + - name: region_id + type: keyword + description: Region ID as provided by the cloud provider AWS, GCP and Azure etc. + - name: region_name + type: keyword + description: Region Name as provided by the cloud provider AWS, GCP and Azure etc. + - name: related_malware + type: keyword + description: This field contains the malware information attached to UEBA anomaly detection. + - name: req_cnt + type: long + description: Total number of HTTP requests (equal to number of transaction events for this page event) sent from client to server over one underlying TCP connection. + - name: request_id + type: keyword + description: Unique id attached to proxy activity events and dlp activity events. + - name: resource_category + type: keyword + description: IAAS assets resource category of the Cloud providers AWS, GCP and Azure etc. For Example Amazon EC2, Amazon ECS are categorized as Compute whereas Amazon RDS and DynamoDB are categorized as database. + - name: resource_group + type: keyword + description: Cloud providers AWS, GCP and Azure have entities called resource groups that organize resources such as VMs, storage, and virtual networking devices etc. + - name: resp_cnt + type: long + description: Total number of HTTP responses (equal to number of transaction events for this page event) from server to client. + - name: risk_level_id + type: keyword + description: This field is set by both RBA and MLAD anomaly engines for every anomaly that's detected. MLAD always sets individual anomalies risk-level to 0 (low). RBA has different rules. + - name: sa_profile_name + type: keyword + description: IAAS/CSA profile Name as provided by cloud providers AWS, GCP and Azure etc. 
+ - name: sa_rule_name + type: keyword + description: IAAS/CSA rule name configured for scans to run on data stored in cloud providers AWS, GCP and Azure data. + - name: sa_rule_severity + type: keyword + description: IAAS/CSA rule severity as captured by backend policy engines. + - name: sanctioned_instance + type: keyword + description: A sanctioned instance is a company owned account in an external application. A value of yes indicates that the company has granted access for the specific SaaS / IaaS account to Netskope. A value of no represents a personal user account or an enterprise account not authorized by the enterprise Administrator. + - name: sender + type: keyword + description: Sender email information related to introspection's support for MS Teams app. + - name: session_duration + type: long + description: Session duration of a session. + - name: server_bytes + type: long + description: Total number of downloaded bytes from server to client. + - name: server_packets + type: long + description: Total number of server packet from server to client. + - name: severity + type: keyword + description: Severity used by watchlist and malware alerts. Severity of the incident. + - name: severity_id + type: keyword + description: Malware severity category ids. These ids are mapped with severity category values like high, low, medium etc. + - name: severity_level + type: keyword + description: Severity level of the Malsite ( High / Med / Low). + - name: sha256 + type: keyword + description: Sha256 value of a file. + - name: sharedType + type: keyword + description: Object shared type detected for the DLP incidents. + - name: shared_credential_user + type: keyword + description: Denotes the value of the credential being shared by multiple users. + - name: shared_domains + type: keyword + description: List of domains of users the document is shared with. + - name: shared_with + type: keyword + description: Email ids with whom a document is shared with. 
+ - name: site + type: keyword + description: For traffic_type = CloudApp, site = app and for traffic_type = Web, it will be the second level domain name + top-level domain name. For example, in www.cnn.com, it is cnn.com. + - name: smtp_status + type: keyword + description: Customers can configure Netskope SMTP Proxy with Microsoft O365 Exchange, all outgoing emails from Microsoft O365 Exchange are sent to Netskope SMTP Proxy for policy evaluation and will send Back to Exchange for mail delivery. This field denotes the status code for ex:- SMTP status 250 shows successful delivery of mail. + - name: srcport + type: long + description: Port used by the source/user where event is created. It is used by NPA applications. + - name: src_country + type: keyword + description: User's country's two-letter Country Code as determined by the Maxmind or IP2Location Geo Database. + - name: src_geoip_src + type: long + description: Source from where the location of Source IP was derived. + - name: src_latitude + type: double + description: Latitude of the user as determined by the Maxmind or IP2Location Geo database. + - name: src_latitude_keyword + type: keyword + - name: src_location + type: keyword + description: User's city as determined by the Maxmind or IP2Location Geo Database. + - name: src_longitude + type: double + description: Longitude of the user as determined by the Maxmind or IP2Location Geo database. + - name: src_longitude_keyword + type: keyword + - name: src_region + type: keyword + description: Source state or region as determined by the Maxmind or IP2Location Geo database. + - name: src_timezone + type: keyword + description: Source timezone for the location at which the event is created. Shows the long format timezone designation. + - name: src_zipcode + type: keyword + description: Source zip code for the location at which the event is created as determined by the Maxmind or IP2Location Geo Database. 
+ - name: srcip + type: ip + description: IP address of source/user where event is created. + - name: start_time + type: date + description: Capture NPA user's session start time. + - name: subject + type: keyword + description: value present in the email subject captured during DLP email scans. + - name: suppression_count + type: keyword + description: Number of events suppressed. + - name: telemetry_app + type: keyword + description: Typically SaaS app web sites use web analytics code within the pages to gather analytic data.When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in theTelemetry App field. + - name: threat_type + type: keyword + description: Type of threat detected. + - name: timestamp + type: date + description: Timestamp when the event/alert happened. Event timestamp in Unix epoch format. + - name: to_user + type: keyword + description: Used when a file is moved from user A to user B. Shows the email address of user B. + - name: total_packets + type: long + description: Total value of Server Packets + Client Packets. + - name: traffic_type + type: keyword + description: 'Type of the traffic: CloudApp or Web. CloudApp indicates CASB and web indicates HTTP traffic. Web traffic is only captured for inline access method. It is currently not captured for Risk Insights.' + - name: transaction_id + type: keyword + description: Unique ID for a given request/response. + - name: tss_license + type: keyword + description: Indicates if malware license is enabled for the tenant or not. + - name: tss_mode + type: keyword + description: Malware scanning mode, specifies whether it's Real-time Protection or API Data Protection. + - name: tunnel_id + type: keyword + description: Shows the Client installation ID. Only available for the Client steering configuration. 
+ - name: two_factor_auth + type: keyword + description: Two factor authentication is enabled or not. + - name: type + type: keyword + description: Shows if it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection. + - name: unc_path + type: keyword + description: The Universal Naming Convention path of the network file share, or printer. + - name: ur_normalized + type: keyword + description: All lower case user email. + - name: url + type: wildcard + description: URL of the application that the user visited as provided by the log or data plane traffic. + - name: user + type: keyword + description: User email. + - name: user_confidence_index + type: long + description: UCI (User Confidence Index) is one of the ways that UEBA describes how risky the user’s behavior is. The lower UCI is, the more risky the user behavior is. The UCI starts from an initial value and is deducted an amount when the user’s behavior is detected to be anomaly by UEBA engine. The user’s UCI is daily-based, i.e. UEBA engine will create the new UCI with an initial score for users when an UTC day starts. Each user is supposed to start from 1000, but his/her previous day performance will rollover to current day and therefore impact the initial UCI. + - name: user_confidence_level + type: keyword + description: UCI (User Confidence Index) is one of the ways that UEBA describes how risky the user’s behavior is. User confidence level field holds risk level values. + - name: user_id + type: keyword + description: User email. + - name: useragent + type: keyword + description: The User-Agent request header value. + - name: usergroup + type: keyword + description: Custom attributes added by customer using ADImporter. + - name: userip + type: ip + description: IP address of User. + - name: userkey + type: keyword + description: User ID or email. 
+ - name: vendor_id + type: keyword + description: Netskope's Vendor id. + - name: watchlist_name + type: keyword + description: Name given by admins while creating watchlist by selecting different filters on webUI. + - name: web_url + type: keyword + description: Endpoint configured by customer to fetch Filemeta scan etc. diff --git a/packages/netskope/data_stream/alerts_v2/manifest.yml b/packages/netskope/data_stream/alerts_v2/manifest.yml new file mode 100644 index 00000000000..d4894d40810 --- /dev/null +++ b/packages/netskope/data_stream/alerts_v2/manifest.yml 
@@ -0,0 +1,388 @@ +title: Alerts V2 +type: logs +streams: + - input: azure-blob-storage + description: Collect Netskope Alert logs via Azure Blob Storage. + title: Netskope Alert Logs + template_path: abs.yml.hbs + enabled: false + vars: + - name: account_name + type: text + title: Account Name + description: | + This attribute is required for various internal operations with respect to authentication, creating service clients and blob clients which are used internally for various processing purposes. + required: true + show_user: true + - name: client_id + type: text + title: Client ID (OAuth2) + description: Client ID of Azure Account. This is required if 'Collect logs using OAuth2 authentication' is enabled. + required: false + show_user: true + secret: true + - name: client_secret + type: password + title: Client Secret (OAuth2) + description: Client Secret of Azure Account. This is required if 'Collect logs using OAuth2 authentication' is enabled. + required: false + show_user: true + secret: true + - name: tenant_id + type: text + title: Tenant ID (OAuth2) + description: Tenant ID of Azure Account. This is required if 'Collect logs using OAuth2 authentication' is enabled. + multi: false + required: false + show_user: true + - name: service_account_key + type: password + title: Service Account Key + description: | + This attribute contains the access key, found under the Access keys section on Azure Cloud, under the respective storage account. A single storage account can contain multiple containers, and they will all use this common access key. + required: false + show_user: true + secret: true + - name: service_account_uri + type: text + title: Service Account URI + description: | + This attribute contains the connection string, found under the Access keys section on Azure Cloud, under the respective storage account. A single storage account can contain multiple containers, and they will all use this common connection string. 
+ required: false + show_user: false + - name: storage_url + type: text + title: Storage URL + description: | + Use this attribute to specify a custom storage URL if required. By default it points to azure cloud storage. Only use this if there is a specific need to connect to a different environment where blob storage is available. + URL format : {{protocol}}://{{account_name}}.{{storage_uri}}. + required: false + show_user: false + - name: number_of_workers + type: integer + title: Maximum number of workers + multi: false + required: false + show_user: true + default: 3 + description: Determines how many workers are spawned per container. Maximum allowed value is 5000. + - name: poll + type: bool + title: Polling + multi: false + required: false + show_user: true + default: true + description: Determines if the container will be continuously polled for new documents. + - name: poll_interval + type: text + title: Polling interval + multi: false + required: false + show_user: true + default: 15s + description: Determines the time interval between polling operations. + - name: containers + type: yaml + title: Containers + description: "This attribute contains the details about a specific container like, name, number_of_workers, poll, poll_interval etc. \nThe attribute 'name' is specific to a container as it describes the container name, while the fields number_of_workers, poll, poll_interval can exist both at the container level and at the global level. \nIf you have already defined the attributes globally, then you can only specify the container name in this yaml config. \nIf you want to override any specific attribute for a container, then, you can define it here. \nAny attribute defined in the yaml will override the global definitions. 
Please see the relevant [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-azure-blob-storage.html#attrib-containers) for further information.\n" + required: true + show_user: true + default: | + #- name: azure-container1 + # max_workers: 3 + # poll: true + # poll_interval: 15s + #- name: azure-container2 + # max_workers: 3 + # poll: true + # poll_interval: 10s + - name: file_selectors + type: yaml + title: File Selectors + multi: false + required: false + show_user: false + default: | + # - regex: "event/" + description: "If the container will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which is made up of regex patters. \nThe regex should match the container filepath. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.\n" + - name: timestamp_epoch + type: integer + title: Timestamp Epoch + multi: false + required: false + description: "This attribute can be used to filter out files/blobs which have a timestamp older than the specified value. The value of this attribute should be in unix epoch (seconds) format." + show_user: false + - name: csv_comma + type: text + title: CSV Separator Character + multi: false + required: false + show_user: false + default: " " + description: The field separator character used by the CSV format. + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: | + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. 
This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: tags + type: text + title: Tags + description: Tags to include in the published event. + required: true + default: + - forwarded + - netskope-alerts + multi: true + show_user: false + - input: aws-s3 + template_path: aws-s3.yml.hbs + title: Collect Alert logs via AWS S3 or SQS + description: Collect Alert logs via AWS S3 or SQS input. + enabled: false + vars: + - name: bucket_arn + type: text + title: '[S3] Bucket ARN' + multi: false + required: false + show_user: true + description: ARN of the AWS S3 bucket that will be polled for list operation. It is a required parameter for collecting logs via the AWS S3. + - name: bucket_list_prefix + type: text + title: '[S3] Bucket Prefix' + multi: false + required: false + show_user: true + description: Prefix to apply for the list request to the S3 bucket. + - name: interval + type: text + title: '[S3] Interval' + multi: false + required: false + show_user: true + default: 120s + description: Listing of the S3 bucket will be polled according to the time interval defined by bucket_list_interval config. Default value is 120 secs. Supported units for this parameter are h/m/s. + - name: number_of_workers + type: integer + title: '[S3] Number of Workers' + multi: false + required: false + show_user: true + default: 5 + description: Number of workers that will process the S3 objects listed. + - name: queue_url + type: text + title: '[SQS] Queue URL' + multi: false + required: false + show_user: true + description: URL of the AWS SQS queue that messages will be received from. It is a required parameter for collecting logs via the AWS SQS. 
+ - name: visibility_timeout + type: text + title: '[SQS] Visibility Timeout' + multi: false + required: false + show_user: true + default: 300s + description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Supported units for this parameter are h/m/s. + - name: api_timeout + type: text + title: '[SQS] API Timeout' + multi: false + required: false + show_user: true + default: 120s + description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Supported units for this parameter are h/m/s. + - name: max_number_of_messages + type: integer + title: '[SQS] Maximum Concurrent SQS Messages' + required: false + show_user: true + default: 5 + description: The maximum number of SQS messages that can be inflight at any time. + - name: file_selectors + type: yaml + title: '[SQS] File Selectors' + multi: false + required: false + show_user: false + description: >- + If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. + This is a list of selectors which are made up of regex and expand_event_list_from_field options. + The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. + If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. + Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that do not match one of the regexes will not be processed. + - name: external_id + type: text + title: External ID + multi: false + required: false + show_user: false + description: External ID to use when assuming a role in another account. 
+ - name: csv_comma + type: text + title: 'CSV Comma' + multi: false + required: false + show_user: false + default: " " + description: The field separator character used by the CSV format. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - netskope-alerts + - name: preserve_original_event + required: false + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve netskope.alerts_v2 fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: gcs + title: Collect Netskope Alert logs via Google Cloud Storage + description: Collect Netskope Alert SIEM logs via Google Cloud Storage. + template_path: gcs.yml.hbs + enabled: false + vars: + - name: project_id + type: text + title: "Project Id" + description: It is a required parameter to collect logs via GCS. + multi: false + required: true + show_user: true + default: my-project-id + - name: service_account_key + type: password + title: "Credentials json key" + description: It is an optional parameter for authentication. 
+ multi: false + required: false + show_user: true + secret: true + - name: service_account_file + type: text + title: "Credentials file path" + description: It is an optional parameter for authentication. + multi: false + required: false + show_user: false + - name: number_of_workers + type: integer + title: 'Maximum number of workers' + multi: false + required: false + show_user: true + default: 3 + description: Determines how many workers are spawned per bucket. + - name: poll + type: bool + title: 'Polling' + multi: false + required: false + show_user: true + default: true + description: Determines if the bucket will be continuously polled for new documents. + - name: poll_interval + type: text + title: 'Polling interval' + multi: false + required: false + show_user: true + default: 15s + description: Determines the time interval between polling operations. + - name: bucket_timeout + type: text + title: 'Bucket Timeout' + multi: false + required: false + show_user: true + default: 120s + description: Defines the maximum time that the sdk will wait for a bucket api response before timing out. Valid time units are ns, us, ms, s, m, h. + - name: buckets + type: yaml + title: Buckets + description: >- + This attribute contains the details about a specific bucket like, name, + max_workers, poll, poll_interval and bucket_timeout. The + attribute 'name' is specific to a bucket as it describes the bucket + name, while the fields max_workers, poll, poll_interval and + bucket_timeout can exist both at the bucket level and at the global + level. If you have already defined the attributes globally, then you + can only specify the name in this yaml config. If you want to override + any specific attribute for a specific bucket, then, you can define it + here. Any attribute defined in the yaml will override the global + definitions. 
Please see the relevant[Documentation](https://www.elastic.co/guide/en/beats/filebeat/8.5/filebeat-input-gcs.html#attrib-buckets) + for further information. + required: true + show_user: true + default: | + # You can define as many buckets as you want here. + - name: siem_gcs_bucket_1 + - name: siem_gcs_bucket_2 + # The config below is an example of how to override the global config. + #- name: siem_gcs_bucket_3 + # max_workers: 3 + # poll: true + # poll_interval: 10s + # bucket_timeout: 30s + - name: csv_comma + type: text + title: 'CSV Comma' + multi: false + required: false + show_user: false + default: " " + description: The field separator character used by the CSV format. + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: | + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - netskope-alerts diff --git a/packages/netskope/data_stream/alerts_v2/sample_event.json b/packages/netskope/data_stream/alerts_v2/sample_event.json new file mode 100644 index 00000000000..77d560ca0be --- /dev/null +++ b/packages/netskope/data_stream/alerts_v2/sample_event.json 
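Review bot: the `csv_comma` default of `" "` (a single space) in both the SQS and the GCS variable lists looks wrong for a comma-separated export, and its description only says "The field separator character used by the CSV format" without stating what Netskope Log Streaming actually emits; please confirm the intended default (a comma would be the natural one) and document it, because values such as `IT Service/Application Management` in the sample event contain spaces and would be split on a space delimiter unless the test config overrides it. Smaller points in the same hunk: the `preserve_duplicate_custom_fields` description refers to `netskope.alerts_v2` fields while the data stream writes `netskope.alert_v2.*`; the GCS `service_account_key` and `service_account_file` are both described as "optional" although one of the two is needed to authenticate; the `buckets` description links to the pinned `filebeat/8.5` guide (and is missing a space in `relevant[Documentation]`) while every other link uses `current`; and the `api_timeout` description reads "The maximum duration of AWS API can take", where "the maximum duration an AWS API call can take" is what is meant.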
@@ -0,0 +1,162 @@ +{ + "@timestamp": "2025-05-13T11:02:02.000Z", + "agent": { + "ephemeral_id": "1caa7082-bf2e-4fc9-bdac-3673d20f986f", + "id": "d5fe41dd-4f7d-4b58-b383-eb8ba0a48f0c", + "name": "elastic-agent-55769", + "type": "filebeat", + "version": "8.17.8" + }, + "aws": { + "s3": { + "bucket": { + "arn": "arn:aws:s3:::elastic-package-netskope-alert-v2-bucket-59128", + "name": "elastic-package-netskope-alert-v2-bucket-59128" + }, + "object": { + "key": "test-alerts-v2.csv.gz" + } + } + }, + "cloud": { + "region": "us-east-1" + }, + "data_stream": { + "dataset": "netskope.alerts_v2", + "namespace": "89449", + "type": "logs" + }, + "destination": { + "geo": { + "city_name": "Stockholm", + "country_iso_code": "SE", + "postal_code": "100 04", + "region_name": "Stockholm County", + "timezone": "Europe/Stockholm" + }, + "ip": "81.2.69.142", + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "d5fe41dd-4f7d-4b58-b383-eb8ba0a48f0c", + "snapshot": false, + "version": "8.17.8" + }, + "event": { + "action": "alert", + "agent_id_status": "verified", + "dataset": "netskope.alerts_v2", + "id": "eb8fc9903c2fbb6aa05537ff", + "ingested": "2025-07-17T11:04:37Z", + "kind": "alert", + "original": "{\"_id\":\"eb8fc9903c2fbb6aa05537ff\",\"access_method\":\"Client\",\"account_id\":\"-\",\"account_name\":\"-\",\"acked\":\"false\",\"act_user\":\"-\",\"acting_user\":\"-\",\"action\":\"alert\",\"activity\":\"Edit\",\"alert\":\"yes\",\"alert_id\":\"-\",\"alert_name\":\"Web Access Allow\",\"alert_source\":\"-\",\"alert_type\":\"policy\",\"app\":\"Amazon Systems Manager\",\"app-gdpr-level\":\"-\",\"app_session_id\":\"2241753685910532990\",\"appact\":\"-\",\"appcategory\":\"IT Service/Application 
Management\",\"appsuite\":\"Amazon\",\"assignee\":\"-\",\"audit_type\":\"-\",\"bcc\":\"-\",\"breach_date\":\"-\",\"breach_id\":\"-\",\"breach_score\":\"-\",\"browser\":\"Native\",\"browser_session_id\":\"4940241048203471891\",\"cc\":\"-\",\"cci\":\"92\",\"ccl\":\"excellent\",\"client_bytes\":\"-\",\"client_packets\":\"-\",\"cloud_provider\":\"-\",\"computer_name\":\"-\",\"conn_duration\":\"-\",\"conn_endtime\":\"-\",\"conn_starttime\":\"-\",\"connection_id\":\"2631086121425559188\",\"connection_type\":\"-\",\"custom_attr\":\"-\",\"destination_file_directory\":\"-\",\"destination_file_name\":\"-\",\"destination_file_path\":\"-\",\"detection_engine\":\"-\",\"device\":\"Windows Device\",\"device_classification\":\"unmanaged\",\"device_sn\":\"-\",\"device_type\":\"-\",\"dinsid\":\"-\",\"dlp_file\":\"-\",\"dlp_fingerprint_classification\":\"-\",\"dlp_fingerprint_match\":\"-\",\"dlp_fingerprint_score\":\"-\",\"dlp_incident_id\":\"-\",\"dlp_is_unique_count\":\"-\",\"dlp_match_info\":\"-\",\"dlp_parent_id\":\"-\",\"dlp_profile\":\"-\",\"dlp_profile_name\":\"-\",\"dlp_rule\":\"-\",\"dlp_rule_count\":\"-\",\"dlp_rule_score\":\"-\",\"dlp_rule_severity\":\"-\",\"dlp_unique_count\":\"-\",\"dns_profile\":\"-\",\"domain\":\"ssm.eu-north-1.amazonaws.com\",\"domain_ip\":\"-\",\"driver\":\"-\",\"dst_country\":\"SE\",\"dst_geoip_src\":\"-\",\"dst_latitude\":\"18.0717|59.328699999999998\",\"dst_location\":\"Stockholm\",\"dst_longitude\":\"18.0717|59.328699999999998\",\"dst_region\":\"Stockholm County\",\"dst_timezone\":\"Europe/Stockholm\",\"dst_zipcode\":\"100 
04\",\"dsthost\":\"-\",\"dstip\":\"81.2.69.142\",\"dstport\":\"443\",\"eeml\":\"-\",\"email_from_user\":\"-\",\"email_modified\":\"-\",\"email_title\":\"-\",\"email_user\":\"-\",\"encryption_status\":\"-\",\"end_time\":\"-\",\"event_uuid\":\"-\",\"executable_hash\":\"-\",\"executable_signed\":\"-\",\"file_category\":\"-\",\"file_cls_encrypted\":\"-\",\"file_exposure\":\"-\",\"file_id\":\"-\",\"file_md5\":\"-\",\"file_origin\":\"-\",\"file_owner\":\"-\",\"file_path\":\"-\",\"file_pdl\":\"-\",\"file_size\":\"-\",\"file_type\":\"-\",\"filename\":\"-\",\"filepath\":\"-\",\"fllg\":\"-\",\"flpp\":\"-\",\"from_user\":\"-\",\"hostname\":\"Test-IDMHT6TII\",\"iaas_remediated\":\"-\",\"iaas_remediated_by\":\"-\",\"iaas_remediated_on\":\"-\",\"iaas_remediation_action\":\"-\",\"incident_id\":\"5254981775376249392\",\"inline_dlp_match_info\":\"-\",\"instance\":\"-\",\"instance_id\":\"202533540828\",\"instance_name\":\"-\",\"ip_protocol\":\"-\",\"latest_incident_id\":\"-\",\"loc\":\"-\",\"local_md5\":\"-\",\"local_sha1\":\"-\",\"local_sha256\":\"-\",\"local_source_time\":\"-\",\"location\":\"-\",\"mal_id\":\"-\",\"mal_sev\":\"-\",\"mal_type\":\"-\",\"malware_id\":\"-\",\"malware_severity\":\"-\",\"malware_type\":\"-\",\"managed_app\":\"no\",\"managementID\":\"-\",\"md5\":\"-\",\"message_id\":\"-\",\"mime_type\":\"-\",\"modified_date\":\"-\",\"netskope_pop\":\"SE-STO1\",\"network_session_id\":\"-\",\"nsdeviceuid\":\"-\",\"num_users\":\"-\",\"numbytes\":\"-\",\"oauth\":\"-\",\"object\":\"-\",\"object_id\":\"-\",\"object_type\":\"-\",\"org\":\"-\",\"organization_unit\":\"-\",\"os\":\"Windows 11\",\"os_details\":\"-\",\"os_family\":\"Windows\",\"os_user_name\":\"-\",\"os_version\":\"Windows NT 11.0\",\"owner\":\"-\",\"owner_pdl\":\"-\",\"page\":\"ssm.eu-north-1.amazonaws.com\",\"parent_id\":\"-\",\"pid\":\"-\",\"policy\":\"Web Access 
Allow\",\"policy_action\":\"-\",\"policy_name\":\"-\",\"policy_name_enforced\":\"-\",\"policy_version\":\"-\",\"pop_id\":\"-\",\"port\":\"443\",\"process_cert_subject\":\"-\",\"process_name\":\"-\",\"process_path\":\"-\",\"product_id\":\"-\",\"publisher_cn\":\"-\",\"record_type\":\"alert\",\"redirect_url\":\"-\",\"referer\":\"-\",\"region_id\":\"-\",\"region_name\":\"-\",\"req\":\"-\",\"req_cnt\":\"-\",\"request_id\":\"5254981775376249392\",\"resource_category\":\"-\",\"resource_group\":\"-\",\"resp\":\"-\",\"resp_cnt\":\"-\",\"response_time\":\"-\",\"risk_level_id\":\"-\",\"risk_score\":\"-\",\"sa_profile_name\":\"-\",\"sa_rule_compliance\":\"-\",\"sa_rule_name\":\"-\",\"sa_rule_severity\":\"-\",\"sanctioned_instance\":\"-\",\"sender\":\"-\",\"server_bytes\":\"-\",\"server_packets\":\"-\",\"serverity\":\"-\",\"session_duration\":\"-\",\"session_number_unique\":\"-\",\"severity\":\"-\",\"severity_id\":\"-\",\"severity_level\":\"-\",\"sha256\":\"-\",\"sharedType\":\"-\",\"shared_credential_user\":\"-\",\"shared_domains\":\"-\",\"shared_with\":\"-\",\"site\":\"Amazon Systems Manager\",\"smtp_status\":\"-\",\"smtp_to\":\"-\",\"spet\":\"-\",\"spst\":\"-\",\"src_country\":\"SE\",\"src_geoip_src\":\"-\",\"src_latitude\":\"18.0717|59.328699999999998\",\"src_location\":\"Stockholm\",\"src_longitude\":\"18.0717|59.328699999999998\",\"src_network\":\"-\",\"src_region\":\"Stockholm County\",\"src_timezone\":\"Europe/Stockholm\",\"src_zipcode\":\"100 
04\",\"srcip\":\"81.2.69.142\",\"srcport\":\"-\",\"start_time\":\"-\",\"status\":\"-\",\"subject\":\"-\",\"subtype\":\"-\",\"suppression_count\":\"-\",\"tags\":\"-\",\"telemetry_app\":\"-\",\"thr\":\"-\",\"threat_type\":\"-\",\"timestamp\":\"1747134122\",\"to_user\":\"-\",\"total_packets\":\"-\",\"traffic_type\":\"CloudApp\",\"transaction_id\":\"5254981775376249392\",\"tss_license\":\"-\",\"tss_mode\":\"-\",\"tunnel_id\":\"-\",\"tur\":\"-\",\"two_factor_auth\":\"-\",\"type\":\"nspolicy\",\"unc_path\":\"-\",\"ur_normalized\":\"test@gmail.com\",\"url\":\"ssm.eu-north-1.amazonaws.com/\",\"user\":\"test@gmail.com\",\"user_confidence_index\":\"-\",\"user_confidence_level\":\"-\",\"user_id\":\"-\",\"useragent\":\"aws-sdk-go/1.55.5 (go1.23.7; windows; amd64) amazon-ssm-agent/3.3.2299.0\",\"usergroup\":\"-\",\"userip\":\"81.2.69.142\",\"userkey\":\"test@gmail.com\",\"vendor_id\":\"-\",\"violation\":\"-\",\"watchlist_name\":\"-\",\"web_url\":\"-\"}" + }, + "host": { + "domain": "ssm.eu-north-1.amazonaws.com", + "name": "Test-IDMHT6TII", + "os": { + "family": "Windows", + "full": "Windows 11", + "version": "Windows NT 11.0" + } + }, + "input": { + "type": "aws-s3" + }, + "log": { + "file": { + "path": "https://elastic-package-netskope-alert-v2-bucket-59128.s3.us-east-1.amazonaws.com/test-alerts-v2.csv.gz" + }, + "offset": 4504 + }, + "netskope": { + "alert_v2": { + "access_method": "Client", + "acked": false, + "activity": "Edit", + "alert": "yes", + "alert_type": "policy", + "app_session_id": "2241753685910532990", + "appcategory": "IT Service/Application Management", + "appsuite": "Amazon", + "browser": "Native", + "browser_session_id": "4940241048203471891", + "cci": 92, + "ccl": "excellent", + "connection_id": "2631086121425559188", + "device": "Windows Device", + "device_classification": "unmanaged", + "dst_latitude_keyword": "18.0717|59.328699999999998", + "dst_longitude_keyword": "18.0717|59.328699999999998", + "incident_id": "5254981775376249392", + "instance_id": 
"202533540828", + "managed_app": "no", + "netskope_pop": "SE-STO1", + "page": "ssm.eu-north-1.amazonaws.com", + "policy": "Web Access Allow", + "port": "443", + "record_type": "alert", + "request_id": "5254981775376249392", + "site": "Amazon Systems Manager", + "src_latitude_keyword": "18.0717|59.328699999999998", + "src_longitude_keyword": "18.0717|59.328699999999998", + "traffic_type": "CloudApp", + "transaction_id": "5254981775376249392", + "type": "nspolicy", + "ur_normalized": "test@gmail.com", + "userip": "81.2.69.142", + "userkey": "test@gmail.com" + } + }, + "network": { + "application": "amazon systems manager" + }, + "related": { + "hosts": [ + "ssm.eu-north-1.amazonaws.com", + "Test-IDMHT6TII" + ], + "ip": [ + "81.2.69.142" + ], + "user": [ + "test@gmail.com" + ] + }, + "rule": { + "name": "Web Access Allow" + }, + "source": { + "geo": { + "city_name": "Stockholm", + "country_iso_code": "SE", + "postal_code": "100 04", + "region_name": "Stockholm County", + "timezone": "Europe/Stockholm" + }, + "ip": "81.2.69.142" + }, + "tags": [ + "collect_sqs_logs", + "preserve_original_event", + "forwarded", + "netskope-alerts" + ], + "url": { + "original": "ssm.eu-north-1.amazonaws.com/" + }, + "user": { + "email": "test@gmail.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-sdk-go", + "original": "aws-sdk-go/1.55.5 (go1.23.7; windows; amd64) amazon-ssm-agent/3.3.2299.0", + "version": "1.55.5" + } +} diff --git a/packages/netskope/docs/README.md b/packages/netskope/docs/README.md index ac09a820a69..1e0d052775d 100644 --- a/packages/netskope/docs/README.md +++ b/packages/netskope/docs/README.md 
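Review bot: in the sample event `dst_latitude`, `dst_longitude`, `src_latitude` and `src_longitude` all carry the identical value `18.0717|59.328699999999998`, so the document ends up with only the `*_latitude_keyword`/`*_longitude_keyword` fields and no `source.geo.location` or `destination.geo.location`; if Netskope can really emit a pipe-joined `lat|lon` pair, the pipeline should split it into numeric coordinates, and if this is just test data, the sample should use plain numeric values so it demonstrates the geo mapping rather than the fallback. Also note that `netskope.alert_v2.port` is kept as the string `"443"` while `destination.port` is the number 443, and that the original record (decoded from `test-alerts-v2.csv.gz`) has every value as a string, e.g. `"acked":"false"`, `"cci":"92"`, `"dstport":"443"`; a second sample taken from a JSON export would make it clear the pipeline handles both representations.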
@@ -1,6 +1,7 @@ # Netskope -This integration is for Netskope. It can be used to receive logs sent by [Netskope Cloud Log Shipper](https://docs.netskope.com/en/cloud-exchange-feature-lists.html#UUID-e7c43f4b-8aad-679e-eea0-59ce19f16e29_section-idm4547044691454432680066508785) on respective TCP ports. +This integration is for Netskope. It can be used to receive logs sent by [Netskope Cloud Log Shipper](https://docs.netskope.com/en/cloud-exchange-feature-lists.html#UUID-e7c43f4b-8aad-679e-eea0-59ce19f16e29_section-idm4547044691454432680066508785) and [Netskope Log Streaming](https://docs.netskope.com/en/log-streaming/). To receive log from Netskope Cloud Log Shipper use TCP input, and for Netskope Log Streaming use any of the Cloud based inputs (AWS, GCS, or Azure Blob Storage). + The log message is expected to be in JSON format. The data is mapped to ECS fields where applicable and the remaining fields are written under @@ -8,6 +9,7 @@ ECS fields where applicable and the remaining fields are written under ## Setup steps +### For receiving log from Netskope Cloud Shipper 1. Configure this integration with the TCP input in Kibana. 2. For all Netskope Cloud Exchange configurations refer to the [Log Shipper](https://docs.netskope.com/en/cloud-exchange-feature-lists.html#UUID-e7c43f4b-8aad-679e-eea0-59ce19f16e29_section-idm4547044691454432680066508785). 3. In Netskope Cloud Exchange please enable Log Shipper, add your Netskope Tenant. 
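Review bot: the new intro sentence says Log Streaming is consumed through the "Cloud based inputs (AWS, GCS, or Azure Blob Storage)", yet the unchanged context line immediately below still states "The log message is expected to be in JSON format", while the manifest in this PR exposes a `csv_comma` option and the sample event was decoded from a `.csv.gz` object; please state which formats the Log Streaming path accepts (JSON, CSV, or both) so the two statements do not contradict each other. Grammar nits in the same lines: "To receive log from" should be "To receive logs from" in both places, and the `### For receiving log from Netskope Cloud Shipper` heading drops "Log" from the product name used everywhere else ("Cloud Log Shipper").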
@@ -33,6 +35,121 @@ ECS fields where applicable and the remaining fields are written under > Note: For detailed steps refer to [Configure Log Shipper SIEM Mappings](https://docs.netskope.com/en/configure-log-shipper-siem-mappings.html). Please make sure to use the given response formats. +### For receiving log from Netskope Log Streaming +1. To configure Log streaming please refer to the [Log Streaming Configuration](https://docs.netskope.com/en/configuring-streams). While Configuring make sure compression is set to GZIP as other compression types are not supported. + +#### Collect data from an AWS S3 bucket + +Considering you already have an AWS S3 bucket setup, to configure it with Netskope, follow [these steps](https://docs.netskope.com/en/stream-logs-to-amazon-s3) to enable the log streaming. + +#### Collect data from Azure Blob Storage + +1. If you already have an Azure storage container setup, configure it with Netskope via log streaming. +2. Enable the Netskope log streaming by following [these instructions](https://docs.netskope.com/en/stream-logs-to-azure-blob). +3. Configure the integration using either Service Account Credentials or Microsoft Entra ID RBAC with OAuth2 options. For OAuth2 (Entra ID RBAC), you'll need the Client ID, Client Secret, and Tenant ID. For Service Account Credentials, you'll need either the Service Account Key or the URI to access the data. + +- How to setup the `auth.oauth2` credentials can be found in the Azure documentation [here]( https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app). +- For more details about the Azure Blob Storage input settings, check the [Filebeat documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-azure-blob-storage.html). + +Note: +- The service principal must be granted the appropriate permissions to read blobs. Ensure that the necessary role assignments are in place for the service principal to access the storage resources. 
For more information, please refer to the [Azure Role-Based Access Control (RBAC) documentation](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage). +- We recommend assigning either the **Storage Blob Data Reader** or **Storage Blob Data Owner** role. The **Storage Blob Data Reader** role provides read-only access to blob data and is aligned with the principle of least privilege, making it suitable for most use cases. The **Storage Blob Data Owner** role grants full administrative access — including read, write, and delete permissions — and should be used only when such elevated access is explicitly required. + +#### Collect data from a GCS bucket + +1. If you already have a GCS bucket setup, configure it with Netskope via log streaming. +2. Enable the Netskope log streaming by following [these instructions](https://docs.netskope.com/en/stream-logs-to-gcp-cloud-storage). +3. Configure the integration with your GCS project ID, Bucket name and Service Account Key/Service Account Credentials File. + +For more details about the GCS input settings, check the [Filebeat documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-gcs.html). + +#### The GCS credentials key file: + +Once you have added a key to GCP service account, you will get a JSON key file that can only be downloaded once. +If you're new to GCS bucket creation, follow these steps: + +1. Make sure you have a service account available, if not follow the steps below: + - Navigate to 'APIs & Services' > 'Credentials' + - Click on 'Create credentials' > 'Service account' +2. Once the service account is created, you can navigate to the 'Keys' section and attach/generate your service account key. +3. Make sure to download the JSON key file once prompted. +4. Use this JSON key file either inline (JSON string object), or by specifying the path to the file on the host machine, where the agent is running. 
+ +A sample JSON Credentials file looks as follows: +```json +{ + "type": "dummy_service_account", + "project_id": "dummy-project", + "private_key_id": "dummy-private-key-id", + "private_key": "-----BEGIN PRIVATE KEY-----\nDummyPrivateKey\n-----END PRIVATE KEY-----\n", + "client_email": "dummy-service-account@example.com", + "client_id": "12345678901234567890", + "auth_uri": "https://dummy-auth-uri.com", + "token_uri": "https://dummy-token-uri.com", + "auth_provider_x509_cert_url": "https://dummy-auth-provider-cert-url.com", + "client_x509_cert_url": "https://dummy-client-cert-url.com", + "universe_domain": "dummy-universe-domain.com" +} +``` + + +#### Collect data from AWS SQS + +1. If you've already set up a connection to push data into the AWS bucket; if not, refer to the section above. +2. To set up an SQS queue, follow "Step 1: Create an Amazon SQS Queue" mentioned in the [link](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html). + - While creating an access policy, use the bucket name configured to create a connection for AWS S3 in Netskope. +3. Configure event notifications for an S3 bucket. Follow this [link](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications.html). + - While creating `event notification` select the event type as s3:ObjectCreated:*, destination type SQS Queue, and select the queue name created in Step 2. + +For more details about the AWS-S3 input settings, check this [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-s3.html). + +### Enable the integration in Elastic + +1. In Kibana go to **Management** > **Integrations**. +2. In "Search for integrations" top bar, search for `Netskope`. +3. Select the **Netskope** integration from the search results. +4. Select "Add Netskope" to add the integration. +5. 
While adding the integration, there are different options to collect logs; + + To collect logs via AWS S3 when adding the integration, you must provide the following details:: + - Collect logs via S3 Bucket toggled on + - Access Key ID + - Secret Access Key + - Bucket ARN + - Session Token + + To collect logs via AWS SQS when adding the integration, you must provide the following details: + - Collect logs via S3 Bucket toggled off + - Queue URL + - Secret Access Key + - Access Key ID + + To collect logs via GCS when adding the integration, you must provide the following details: + - Project ID + - Buckets + - Service Account Key/Service Account Credentials File + + To collect logs via Azure Blob Storage when adding the integration, you must provide the following details: + + - For OAuth2 (Microsoft Entra ID RBAC): + - Toggle on **Collect logs using OAuth2 authentication** + - Account Name + - Client ID + - Client Secret + - Tenant ID + - Container Details. + + - For Service Account Credentials: + - Service Account Key or the URI + - Account Name + - Container Details + + + To collect logs via TCP when adding the integration, you must provide the following details: + - Listen Address + - Listen Port +6. Save the integration. + ## Compatibility This package has been tested against `Netskope version 95.1.0.645` and `Netskope Cloud Exchange version 3.4.0`. 
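Review bot: the "Collect logs via AWS S3" and "via AWS SQS" lists under "Enable the integration in Elastic" document only static Access Key ID / Secret Access Key (plus "Session Token" listed as if it were mandatory, although it only applies to temporary credentials), while the manifest in this PR also carries an `external_id` variable for assuming a role in another account; please document the IAM role option alongside the keys and mark Session Token as optional, so that readers are pointed at short-lived credentials rather than long-lived keys, consistent with the least-privilege guidance this same hunk gives for the Azure role assignment. Other points in the hunk: step 1 of "Collect data from AWS SQS" ("If you've already set up a connection to push data into the AWS bucket; if not, refer to the section above.") is a sentence fragment, something like "Make sure Netskope is already streaming into the S3 bucket; if not, see the section above." reads correctly; "you must provide the following details::" has a doubled colon; "Considering you already have an AWS S3 bucket setup" should be "Assuming you already have an S3 bucket"; and the sample GCS credentials file uses `"type": "dummy_service_account"`, whereas a real key file has `"type": "service_account"`, so a reader who copies the template and only swaps in their own values will get an authentication failure; keep the real `type` and use dummy values in the other fields. For the Azure list, "Service Account Key or the URI" is not Azure terminology; naming these as the storage account key and the connection string URI would match the Azure portal and the Filebeat input docs linked above.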
@@ -680,6 +797,420 @@ An example event for `alerts` looks as following: } ``` +### Alerts V2 + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| aws.s3.bucket.arn | The AWS S3 bucket ARN. | keyword | +| aws.s3.bucket.name | The AWS S3 bucket name. | keyword | +| aws.s3.object.key | The AWS S3 Object key. | keyword | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. 
| constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| input.type | Type of Filebeat input. | keyword | +| log.offset | Log offset. | long | +| netskope.alert_v2._id | Unique id - hexadecimal string. | keyword | +| netskope.alert_v2.access_method | Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event.For log uploads this shows the actual log type such as PAN, Websense, etc. | keyword | +| netskope.alert_v2.account_id | Account ID is an account number as provided by the cloud provider AWS, GCP and AZURE etc. | keyword | +| netskope.alert_v2.account_name | Account name - in case of AWS this is the instance name set by user. For others, account name is provided by the cloud provider. | keyword | +| netskope.alert_v2.acked | Whether user has acknowledged the alert or not. | boolean | +| netskope.alert_v2.act_user | Acting User is the user responsible for the configured policy violation. | keyword | +| netskope.alert_v2.action | Action taken on the event for the policy. | keyword | +| netskope.alert_v2.activity | Description of the user performed activity. 
| keyword | +| netskope.alert_v2.alert | Indicates whether alert is generated or not and its populated as yes for all alerts. | keyword | +| netskope.alert_v2.alert_id | Indicates the alert is raised and the carries the id of the alert raised. | keyword | +| netskope.alert_v2.alert_name | Indicates the alert is raised and the carries the name of the alert raised. | keyword | +| netskope.alert_v2.alert_source | Indicates the alert is raised and the carries the Netskope solution name as source of the alert raised. | keyword | +| netskope.alert_v2.alert_type | Indicates the alert is raised and the carries the type of the alert raised. | keyword | +| netskope.alert_v2.app | Specific cloud application used by the user. | keyword | +| netskope.alert_v2.app_session_id | Unique App/Site Session ID for traffic_type = CloudApp and Web. An app session starts when a user starts using a cloud app/site on and ends once they have been inactive for a certain period of time(15 minutes). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain. | keyword | +| netskope.alert_v2.appcategory | The application category. | keyword | +| netskope.alert_v2.appsuite | The SAAS application suite ( Ex : Microsoft Office / Google Docs etc ). | keyword | +| netskope.alert_v2.audit_type | The sub category in audit according to SaaS / IaaS apps. | keyword | +| netskope.alert_v2.bcc | Breach target references for compromised credentials or BCC users information in the case of SMTP DLP incident. | keyword | +| netskope.alert_v2.breach_date | Breach Metric date for compromised credentials. | date | +| netskope.alert_v2.breach_id | Breach description for compromised credentials. | keyword | +| netskope.alert_v2.breach_score | Breach score for compromised credentials. 
| long | +| netskope.alert_v2.browser | Shows the actual browser from where the cloud app was accessed.A native browser refers to Safari (iOS), Chrome (Android), or the default browser on the user's laptop. | keyword | +| netskope.alert_v2.browser_session_id | Browser Session Id. | keyword | +| netskope.alert_v2.cc | SMTP Proxy will parse the cc field in the email and send them to DLP in the event object. The cc recipients from the e-mail header, up to 1KB. | keyword | +| netskope.alert_v2.cci | Cloud confidence Index value as Integer. | long | +| netskope.alert_v2.ccl | Cloud Confidence Level. CCL measures the enterprise readiness of the cloud apps taking into consideration those apps security, auditability and business continuity.Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL. | keyword | +| netskope.alert_v2.client_bytes | Total number of bytes uploaded from client to server. | long | +| netskope.alert_v2.client_packets | Total number of packets uploaded from client to server. | long | +| netskope.alert_v2.computer_name | Computer name of the end point. | keyword | +| netskope.alert_v2.conn_duration | Duration of the connection in milliseconds. Useful for querying long-lived sessions. | long | +| netskope.alert_v2.conn_endtime | Connection end time. | date | +| netskope.alert_v2.conn_starttime | Connection start time. | date | +| netskope.alert_v2.connection_id | Each connection has a unique ID. Shows the ID for the connection event. | keyword | +| netskope.alert_v2.connection_type | EndPoint DLP connection mode. | keyword | +| netskope.alert_v2.custom_attr.usr_display_name | User display name from custom attributes. | keyword | +| netskope.alert_v2.custom_attr.usr_status | User status from custom attributes. | keyword | +| netskope.alert_v2.custom_attr.usr_title | User title from custom attributes. 
| keyword | +| netskope.alert_v2.custom_attr.usr_udf_businesssegmentlevel2 | Business segment level 2 from custom attributes. | keyword | +| netskope.alert_v2.custom_attr.usr_udf_businesssegmentlevel3 | Business segment level 3 from custom attributes. | keyword | +| netskope.alert_v2.custom_attr.usr_udf_companyname | Company name from custom attributes. | keyword | +| netskope.alert_v2.custom_attr.usr_udf_employeeid | Employee ID from custom attributes. | keyword | +| netskope.alert_v2.custom_attr.usr_udf_primarydomain | Primary domain from custom attributes. | keyword | +| netskope.alert_v2.custom_attr.usr_udf_supervisorname | Supervisor name from custom attributes. | keyword | +| netskope.alert_v2.destination_file_directory | The directory and filename of the destination file on the endpoint. | keyword | +| netskope.alert_v2.destination_file_name | Endpoint DLP destination file name. | keyword | +| netskope.alert_v2.destination_file_path | Endpoint DLP destination file path. | keyword | +| netskope.alert_v2.detection_engine | Threat Detection engine name. | keyword | +| netskope.alert_v2.device | Device type from where the user accessed the cloud app. It could be Macintosh Windows device, iPad etc. | keyword | +| netskope.alert_v2.device_classification | Designation of device as determined by the Netskope Client as to whether the device is managed or not. | keyword | +| netskope.alert_v2.device_sn | Device serial number. | keyword | +| netskope.alert_v2.device_type | Device type. | keyword | +| netskope.alert_v2.dlp_file | File/Object name extracted from the file/object. | keyword | +| netskope.alert_v2.dlp_fingerprint_classification | Fingerprint classification. | keyword | +| netskope.alert_v2.dlp_fingerprint_match | Fingerprint classification match file name. | keyword | +| netskope.alert_v2.dlp_fingerprint_score | Fingerprint classification score | long | +| netskope.alert_v2.dlp_incident_id | Incident ID associated with sub-file in DLP scans. 
In the case of main file, this is same as the parent incident ID. | keyword | +| netskope.alert_v2.dlp_is_unique_count | True or false depending upon if rule is unique counted per rule data. | boolean | +| netskope.alert_v2.dlp_parent_id | Incident ID associated with main container (or non-container) file that was scanned. | keyword | +| netskope.alert_v2.dlp_profile | DLP profile name. | keyword | +| netskope.alert_v2.dlp_profile_name | DLP profile name. | keyword | +| netskope.alert_v2.dlp_rule | DLP rule that triggered the scans. | keyword | +| netskope.alert_v2.dlp_rule_count | Count of dlp rule hits. | long | +| netskope.alert_v2.dlp_rule_score | DLP rule score for weighted dictionaries. | long | +| netskope.alert_v2.dlp_rule_severity | Severity of DLP rule. | keyword | +| netskope.alert_v2.dlp_unique_count | Integer value of number of unique matches seen per rule data. Only present if rule is uniquely counted. | long | +| netskope.alert_v2.dns_profile | DNS profiles allow you to control, inspect, and log all or blocked DNS traffic. When configuring a DNS profile, you can configure the actions taken for specific domain categories and choose to allow or block specific domains. This field contains the configuration file name. | keyword | +| netskope.alert_v2.domain | Domain value. This will hold the host header value or SNI or extracted from absolute URI. | keyword | +| netskope.alert_v2.domain_ip | Domain IP address. | ip | +| netskope.alert_v2.driver | Driver name used by endpoint device. | keyword | +| netskope.alert_v2.dst_country | Application's two-letter country code as determined by the Maxmind or IP2Location Geo Database. | keyword | +| netskope.alert_v2.dst_geoip_src | Source from where the location of Destination IP was derived. | long | +| netskope.alert_v2.dst_latitude | Latitude of the Application as determined by the Maxmind or IP2Location Geo Database. 
| double | +| netskope.alert_v2.dst_latitude_keyword | | keyword | +| netskope.alert_v2.dst_location | Application's city as determined by the Maxmind or IP2Location Geo database. | keyword | +| netskope.alert_v2.dst_longitude | Longitude of the Application as determined by the Maxmind or IP2Location Geo Database. | double | +| netskope.alert_v2.dst_longitude_keyword | | keyword | +| netskope.alert_v2.dst_region | Application's state or region as determined by the Maxmind or IP2Location Geo Database. | keyword | +| netskope.alert_v2.dst_timezone | Destination timezone. | keyword | +| netskope.alert_v2.dst_zipcode | Application's zip code as determined by the Maxmind or IP2Location Geo Database. | keyword | +| netskope.alert_v2.dsthost | Destination host. | keyword | +| netskope.alert_v2.dstip | IP address where the destination app is hosted. | ip | +| netskope.alert_v2.dstport | Destination port. | long | +| netskope.alert_v2.email_title | Email subject. | keyword | +| netskope.alert_v2.end_time | When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. | date | +| netskope.alert_v2.event_uuid | Unique ID to recognize applation event activities. | keyword | +| netskope.alert_v2.executable_hash | Flag to indicate if executable_hash is signed or not. | keyword | +| netskope.alert_v2.executable_signed | Flag to indicate if executable_hash is signed or not. | boolean | +| netskope.alert_v2.file_category | Type of file category. | keyword | +| netskope.alert_v2.file_cls_encrypted | Its a boolean value representing whether its CLS encrypted or not. | boolean | +| netskope.alert_v2.file_exposure | File sharing exposure value for SaaS apps. | keyword | +| netskope.alert_v2.file_id | Unique file id to recognize the file. | keyword | +| netskope.alert_v2.file_origin | File origin source location. 
| keyword | +| netskope.alert_v2.file_path | Path of the file in the application. | keyword | +| netskope.alert_v2.file_size | Size of the file in bytes. | long | +| netskope.alert_v2.file_type | File type as detected by Netskope Solutions. | keyword | +| netskope.alert_v2.filename | Filename found during Malware threat detection. | keyword | +| netskope.alert_v2.from_user | Email address used to login to the SAAS app. | keyword | +| netskope.alert_v2.hostname | User's Host name. | keyword | +| netskope.alert_v2.iaas_remediated | value representing whether IAAS alerts remediated or not. | boolean | +| netskope.alert_v2.iaas_remediated_by | IAAS/CSA scan alerts can be remediated by taking remediation steps. This field captures the admin's email address who applied the remediation steps. | keyword | +| netskope.alert_v2.iaas_remediated_on | IAAS/CSA scan alerts can be remediated by taking remediation steps. This field captures the time in epoch format when remediation steps were taken. | long | +| netskope.alert_v2.iaas_remediation_action | IAAS/CSA scan alerts can be remediated by taking remediation steps. This field captures the action taken. | keyword | +| netskope.alert_v2.incident_id | Unique Incident ID associated with main container (or non-container) file that was scanned. | keyword | +| netskope.alert_v2.instance | Instance associated with an organization application instance. | keyword | +| netskope.alert_v2.instance_id | Unique ID associated with an organization application instance. | keyword | +| netskope.alert_v2.instance_name | App instances are configured while configuring policies. instance_name is the custom name chose by admin. | keyword | +| netskope.alert_v2.ip_protocol | Assigned Internet Protocol Number. | keyword | +| netskope.alert_v2.loc | Short name for location. | keyword | +| netskope.alert_v2.local_md5 | MD5 of the sample which was calculated by Netskope's FastScan (TSS) service. 
| keyword | +| netskope.alert_v2.local_sha1 | SHA1 of the sample which was calculated by Netskope's fastscan (TSS) service. | keyword | +| netskope.alert_v2.local_sha256 | SHA256 of the sample which was calculated by Netskope's fastscan (TSS) service. | keyword | +| netskope.alert_v2.location | A string that specifies the physical location of the printer (for example, Bldg. 38, Room 1164). | keyword | +| netskope.alert_v2.mal_id | Unique id assigned to recognize the malware. | keyword | +| netskope.alert_v2.mal_type | Type of malware detected. | keyword | +| netskope.alert_v2.malware_id | Unique id assigned to recognize the malware. | keyword | +| netskope.alert_v2.malware_severity | Malware Severity category. | keyword | +| netskope.alert_v2.malware_type | Type of malware detected. | keyword | +| netskope.alert_v2.managed_app | Whether or not the app in question is managed. | keyword | +| netskope.alert_v2.managementID | Field value is attached to Devices Host Info Object. | keyword | +| netskope.alert_v2.md5 | MD5 value of the file content. | keyword | +| netskope.alert_v2.message_id | Unique message id used internally by NSProxy. | keyword | +| netskope.alert_v2.mime_type | A media type (also known as a Multipurpose Internet Mail Extensions or MIME type) indicates the nature and format of a document, file, or assortment of bytes. | keyword | +| netskope.alert_v2.modified_date | File modification date found during malware detection. Timestamp in epoch format. | date | +| netskope.alert_v2.netskope_pop | Netskope Data Plane name. | keyword | +| netskope.alert_v2.network_session_id | Network session ID used by NPA services. | keyword | +| netskope.alert_v2.nsdeviceuid | Device ID attached to Devices Host Info Object. | keyword | +| netskope.alert_v2.numbytes | Total number of bytes that were transmitted for the connection - numbytes = client_bytes + server_bytes. 
| long | +| netskope.alert_v2.oauth | Oauth is a standard that allows applications to access a user's data without the user needing to share their password. This field holds value if it was used or not. | keyword | +| netskope.alert_v2.object | Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc.Incident object name and the value of the field represents the object details of the incident triggered. | keyword | +| netskope.alert_v2.object_id | Unique ID associated with an object. | keyword | +| netskope.alert_v2.object_type | Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc. | keyword | +| netskope.alert_v2.org | Search for events from a specific organization. Organization name is derived from the user ID. | keyword | +| netskope.alert_v2.organization_unit | Org Units for which the event correlates to. This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application. | keyword | +| netskope.alert_v2.os | Operating system of the host who generated the event. | keyword | +| netskope.alert_v2.os_details | Detailed OS version string. | keyword | +| netskope.alert_v2.os_family | Operating system type of the end user's device. | keyword | +| netskope.alert_v2.os_user_name | Username on the local machine that performs action. | keyword | +| netskope.alert_v2.os_version | OS version of the host. | keyword | +| netskope.alert_v2.owner | Owner or the user information of the file object in DLP. | keyword | +| netskope.alert_v2.owner_pdl | File's owner Preferred Data Location derived from owner uid(OneDrive) and site URL(SharePoint). | keyword | +| netskope.alert_v2.page | The URL of the originating page. | keyword | +| netskope.alert_v2.parent_id | Parent ID ( event_id ) of an alert. | keyword | +| netskope.alert_v2.pid | Process ID that is doing file processing ex:- A process that trigger the evaluation. 
| keyword | +| netskope.alert_v2.policy | Name of the policy configured by an admin. | keyword | +| netskope.alert_v2.policy_action | Endpoint DLP Policy action planned according to the policy. User can override the planned action or actual enforcement action might not be implemented. | keyword | +| netskope.alert_v2.policy_name | Endpoint DLP Name of matching policy. | keyword | +| netskope.alert_v2.policy_name_enforced | Actual action taken by Endpoint DLP Policy. | keyword | +| netskope.alert_v2.policy_version | Endpoint DLP Policy name configured version number. | keyword | +| netskope.alert_v2.pop_id | Netskope MPs/DPs unique id. | keyword | +| netskope.alert_v2.port | A string that identifies the port(s) used to transmit data to the printer. If a printer is connected to more than one port, the names of each port must be separated by commas (for example, LPT1:,LPT2:,LPT3:). | keyword | +| netskope.alert_v2.process_cert_subject | the subject of the certificate that signed the process. | keyword | +| netskope.alert_v2.process_name | Endpoint process Name For example:- native application for Printer on User's Laptop. | keyword | +| netskope.alert_v2.process_path | The path to the process that performed the action on the endpoint. | keyword | +| netskope.alert_v2.product_id | It's Part of USB specification. Used to identify a USB device. | keyword | +| netskope.alert_v2.publisher_cn | The publisher CName. | keyword | +| netskope.alert_v2.quarantine_action_reason | Reason for the action taken for quarantine. | keyword | +| netskope.alert_v2.record_type | Indicate the event type of the record. | keyword | +| netskope.alert_v2.redirect_url | URL name where traffic is redirected based on the applied Policy. | keyword | +| netskope.alert_v2.referer | Referer URL associated with an activity in a cloud app.Referer URL of the application(with http) that the user visited as provided by the log or data plane traffic. 
| keyword | +| netskope.alert_v2.region_id | Region ID as provided by the cloud provider AWS, GCP and Azure etc. | keyword | +| netskope.alert_v2.region_name | Region Name as provided by the cloud provider AWS, GCP and Azure etc. | keyword | +| netskope.alert_v2.related_malware | This field contains the malware information attached to UEBA anomaly detection. | keyword | +| netskope.alert_v2.req_cnt | Total number of HTTP requests (equal to number of transaction events for this page event) sent from client to server over one underlying TCP connection. | long | +| netskope.alert_v2.request_id | Unique id attached to proxy activity events and dlp activity events. | keyword | +| netskope.alert_v2.resource_category | IAAS assets resource category of the Cloud providers AWS, GCP and Azure etc. For Example Amazon EC2, Amazon ECS are categorized as Compute whereas Amazon RDS and DynamoDB are categorized as database. | keyword | +| netskope.alert_v2.resource_group | Cloud providers AWS, GCP and Azure have entities called resource groups that organize resources such as VMs, storage, and virtual networking devices etc. | keyword | +| netskope.alert_v2.resp_cnt | Total number of HTTP responses (equal to number of transaction events for this page event) from server to client. | long | +| netskope.alert_v2.risk_level_id | This field is set by both RBA and MLAD anomaly engines for every anomaly that's detected. MLAD always sets individual anomalies risk-level to 0 (low). RBA has different rules. | keyword | +| netskope.alert_v2.sa_profile_name | IAAS/CSA profile Name as provided by cloud providers AWS, GCP and Azure etc. | keyword | +| netskope.alert_v2.sa_rule_name | IAAS/CSA rule name configured for scans to run on data stored in cloud providers AWS, GCP and Azure data. | keyword | +| netskope.alert_v2.sa_rule_severity | IAAS/CSA rule severity as captured by backend policy engines. 
| keyword | +| netskope.alert_v2.sanctioned_instance | A sanctioned instance is a company owned account in an external application. A value of yes indicates that the company has granted access for the specific SaaS / IaaS account to Netskope. A value of no represents a personal user account or an enterprise account not authorized by the enterprise Administrator. | keyword | +| netskope.alert_v2.sender | Sender email information related to introspection's support for MS Teams app. | keyword | +| netskope.alert_v2.server_bytes | Total number of downloaded bytes from server to client. | long | +| netskope.alert_v2.server_packets | Total number of server packet from server to client. | long | +| netskope.alert_v2.session_duration | Session duration of a session. | long | +| netskope.alert_v2.severity | Severity used by watchlist and malware alerts. Severity of the incident. | keyword | +| netskope.alert_v2.severity_id | Malware severity category ids. These ids are mapped with severity category values like high, low, medium etc. | keyword | +| netskope.alert_v2.severity_level | Severity level of the Malsite ( High / Med / Low). | keyword | +| netskope.alert_v2.sha256 | Sha256 value of a file. | keyword | +| netskope.alert_v2.sharedType | Object shared type detected for the DLP incidents. | keyword | +| netskope.alert_v2.shared_credential_user | Denotes the value of the credential being shared by multiple users. | keyword | +| netskope.alert_v2.shared_domains | List of domains of users the document is shared with. | keyword | +| netskope.alert_v2.shared_with | Email ids with whom a document is shared with. | keyword | +| netskope.alert_v2.site | For traffic_type = CloudApp, site = app and for traffic_type = Web, it will be the second level domain name + top-level domain name. For example, in www.cnn.com, it is cnn.com. 
| keyword | +| netskope.alert_v2.smtp_status | Customers can configure Netskope SMTP Proxy with Microsoft O365 Exchange, all outgoing emails from Microsoft O365 Exchange are sent to Netskope SMTP Proxy for policy evaluation and will send Back to Exchange for mail delivery. This field denotes the status code for ex:- SMTP status 250 shows successful delivery of mail. | keyword | +| netskope.alert_v2.src_country | User's country's two-letter Country Code as determined by the Maxmind or IP2Location Geo Database. | keyword | +| netskope.alert_v2.src_geoip_src | Source from where the location of Source IP was derived. | long | +| netskope.alert_v2.src_latitude | Latitude of the user as determined by the Maxmind or IP2Location Geo database. | double | +| netskope.alert_v2.src_latitude_keyword | | keyword | +| netskope.alert_v2.src_location | User's city as determined by the Maxmind or IP2Location Geo Database. | keyword | +| netskope.alert_v2.src_longitude | Longitude of the user as determined by the Maxmind or IP2Location Geo database. | double | +| netskope.alert_v2.src_longitude_keyword | | keyword | +| netskope.alert_v2.src_region | Source state or region as determined by the Maxmind or IP2Location Geo database. | keyword | +| netskope.alert_v2.src_timezone | Source timezone for the location at which the event is created. Shows the long format timezone designation. | keyword | +| netskope.alert_v2.src_zipcode | Source zip code for the location at which the event is created as determined by the Maxmind or IP2Location Geo Database. | keyword | +| netskope.alert_v2.srcip | IP address of source/user where event is created. | ip | +| netskope.alert_v2.srcport | Port used by the source/user where event is created. It is used by NPA applications. | long | +| netskope.alert_v2.start_time | Capture NPA user's session start time. | date | +| netskope.alert_v2.subject | value present in the email subject captured during DLP email scans. 
| keyword | +| netskope.alert_v2.suppression_count | Number of events suppressed. | keyword | +| netskope.alert_v2.telemetry_app | Typically SaaS app web sites use web analytics code within the pages to gather analytic data.When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in theTelemetry App field. | keyword | +| netskope.alert_v2.threat_type | Type of threat detected. | keyword | +| netskope.alert_v2.timestamp | Timestamp when the event/alert happened. Event timestamp in Unix epoch format. | date | +| netskope.alert_v2.to_user | Used when a file is moved from user A to user B. Shows the email address of user B. | keyword | +| netskope.alert_v2.total_packets | Total value of Server Packets + Client Packets. | long | +| netskope.alert_v2.traffic_type | Type of the traffic: CloudApp or Web. CloudApp indicates CASB and web indicates HTTP traffic. Web traffic is only captured for inline access method. It is currently not captured for Risk Insights. | keyword | +| netskope.alert_v2.transaction_id | Unique ID for a given request/response. | keyword | +| netskope.alert_v2.tss_license | Indicates if malware license is enabled for the tenant or not. | keyword | +| netskope.alert_v2.tss_mode | Malware scanning mode, specifies whether it's Real-time Protection or API Data Protection. | keyword | +| netskope.alert_v2.tunnel_id | Shows the Client installation ID. Only available for the Client steering configuration. | keyword | +| netskope.alert_v2.two_factor_auth | Two factor authentication is enabled or not. | keyword | +| netskope.alert_v2.type | Shows if it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection. 
| keyword | +| netskope.alert_v2.unc_path | The Universal Naming Convention path of the network file share, or printer. | keyword | +| netskope.alert_v2.ur_normalized | All lower case user email. | keyword | +| netskope.alert_v2.url | URL of the application that the user visited as provided by the log or data plane traffic. | wildcard | +| netskope.alert_v2.user | User email. | keyword | +| netskope.alert_v2.user_confidence_index | UCI (User Confidence Index) is one of the ways that UEBA describes how risky the user’s behavior is. The lower UCI is, the more risky the user behavior is. The UCI starts from an initial value and is deducted an amount when the user’s behavior is detected to be anomaly by UEBA engine. The user’s UCI is daily-based, i.e. UEBA engine will create the new UCI with an initial score for users when an UTC day starts. Each user is supposed to start from 1000, but his/her previous day performance will rollover to current day and therefore impact the initial UCI. | long | +| netskope.alert_v2.user_confidence_level | UCI (User Confidence Index) is one of the ways that UEBA describes how risky the user’s behavior is. User confidence level field holds risk level values. | keyword | +| netskope.alert_v2.user_id | User email. | keyword | +| netskope.alert_v2.useragent | The User-Agent request header value. | keyword | +| netskope.alert_v2.usergroup | Custom attributes added by customer using ADImporter. | keyword | +| netskope.alert_v2.userip | IP address of User. | ip | +| netskope.alert_v2.userkey | User ID or email. | keyword | +| netskope.alert_v2.vendor_id | Netskope's Vendor id. | keyword | +| netskope.alert_v2.watchlist_name | Name given by admins while creating watchlist by selecting different filters on webUI. | keyword | +| netskope.alert_v2.web_url | Endpoint configured by customer to fetch Filemeta scan etc. 
| keyword | + + +An example event for `alerts_v2` looks as following: + +```json +{ + "@timestamp": "2025-05-13T11:02:02.000Z", + "agent": { + "ephemeral_id": "1caa7082-bf2e-4fc9-bdac-3673d20f986f", + "id": "d5fe41dd-4f7d-4b58-b383-eb8ba0a48f0c", + "name": "elastic-agent-55769", + "type": "filebeat", + "version": "8.17.8" + }, + "aws": { + "s3": { + "bucket": { + "arn": "arn:aws:s3:::elastic-package-netskope-alert-v2-bucket-59128", + "name": "elastic-package-netskope-alert-v2-bucket-59128" + }, + "object": { + "key": "test-alerts-v2.csv.gz" + } + } + }, + "cloud": { + "region": "us-east-1" + }, + "data_stream": { + "dataset": "netskope.alerts_v2", + "namespace": "89449", + "type": "logs" + }, + "destination": { + "geo": { + "city_name": "Stockholm", + "country_iso_code": "SE", + "postal_code": "100 04", + "region_name": "Stockholm County", + "timezone": "Europe/Stockholm" + }, + "ip": "81.2.69.142", + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "d5fe41dd-4f7d-4b58-b383-eb8ba0a48f0c", + "snapshot": false, + "version": "8.17.8" + }, + "event": { + "action": "alert", + "agent_id_status": "verified", + "dataset": "netskope.alerts_v2", + "id": "eb8fc9903c2fbb6aa05537ff", + "ingested": "2025-07-17T11:04:37Z", + "kind": "alert", + "original": "{\"_id\":\"eb8fc9903c2fbb6aa05537ff\",\"access_method\":\"Client\",\"account_id\":\"-\",\"account_name\":\"-\",\"acked\":\"false\",\"act_user\":\"-\",\"acting_user\":\"-\",\"action\":\"alert\",\"activity\":\"Edit\",\"alert\":\"yes\",\"alert_id\":\"-\",\"alert_name\":\"Web Access Allow\",\"alert_source\":\"-\",\"alert_type\":\"policy\",\"app\":\"Amazon Systems Manager\",\"app-gdpr-level\":\"-\",\"app_session_id\":\"2241753685910532990\",\"appact\":\"-\",\"appcategory\":\"IT Service/Application 
Management\",\"appsuite\":\"Amazon\",\"assignee\":\"-\",\"audit_type\":\"-\",\"bcc\":\"-\",\"breach_date\":\"-\",\"breach_id\":\"-\",\"breach_score\":\"-\",\"browser\":\"Native\",\"browser_session_id\":\"4940241048203471891\",\"cc\":\"-\",\"cci\":\"92\",\"ccl\":\"excellent\",\"client_bytes\":\"-\",\"client_packets\":\"-\",\"cloud_provider\":\"-\",\"computer_name\":\"-\",\"conn_duration\":\"-\",\"conn_endtime\":\"-\",\"conn_starttime\":\"-\",\"connection_id\":\"2631086121425559188\",\"connection_type\":\"-\",\"custom_attr\":\"-\",\"destination_file_directory\":\"-\",\"destination_file_name\":\"-\",\"destination_file_path\":\"-\",\"detection_engine\":\"-\",\"device\":\"Windows Device\",\"device_classification\":\"unmanaged\",\"device_sn\":\"-\",\"device_type\":\"-\",\"dinsid\":\"-\",\"dlp_file\":\"-\",\"dlp_fingerprint_classification\":\"-\",\"dlp_fingerprint_match\":\"-\",\"dlp_fingerprint_score\":\"-\",\"dlp_incident_id\":\"-\",\"dlp_is_unique_count\":\"-\",\"dlp_match_info\":\"-\",\"dlp_parent_id\":\"-\",\"dlp_profile\":\"-\",\"dlp_profile_name\":\"-\",\"dlp_rule\":\"-\",\"dlp_rule_count\":\"-\",\"dlp_rule_score\":\"-\",\"dlp_rule_severity\":\"-\",\"dlp_unique_count\":\"-\",\"dns_profile\":\"-\",\"domain\":\"ssm.eu-north-1.amazonaws.com\",\"domain_ip\":\"-\",\"driver\":\"-\",\"dst_country\":\"SE\",\"dst_geoip_src\":\"-\",\"dst_latitude\":\"18.0717|59.328699999999998\",\"dst_location\":\"Stockholm\",\"dst_longitude\":\"18.0717|59.328699999999998\",\"dst_region\":\"Stockholm County\",\"dst_timezone\":\"Europe/Stockholm\",\"dst_zipcode\":\"100 
04\",\"dsthost\":\"-\",\"dstip\":\"81.2.69.142\",\"dstport\":\"443\",\"eeml\":\"-\",\"email_from_user\":\"-\",\"email_modified\":\"-\",\"email_title\":\"-\",\"email_user\":\"-\",\"encryption_status\":\"-\",\"end_time\":\"-\",\"event_uuid\":\"-\",\"executable_hash\":\"-\",\"executable_signed\":\"-\",\"file_category\":\"-\",\"file_cls_encrypted\":\"-\",\"file_exposure\":\"-\",\"file_id\":\"-\",\"file_md5\":\"-\",\"file_origin\":\"-\",\"file_owner\":\"-\",\"file_path\":\"-\",\"file_pdl\":\"-\",\"file_size\":\"-\",\"file_type\":\"-\",\"filename\":\"-\",\"filepath\":\"-\",\"fllg\":\"-\",\"flpp\":\"-\",\"from_user\":\"-\",\"hostname\":\"Test-IDMHT6TII\",\"iaas_remediated\":\"-\",\"iaas_remediated_by\":\"-\",\"iaas_remediated_on\":\"-\",\"iaas_remediation_action\":\"-\",\"incident_id\":\"5254981775376249392\",\"inline_dlp_match_info\":\"-\",\"instance\":\"-\",\"instance_id\":\"202533540828\",\"instance_name\":\"-\",\"ip_protocol\":\"-\",\"latest_incident_id\":\"-\",\"loc\":\"-\",\"local_md5\":\"-\",\"local_sha1\":\"-\",\"local_sha256\":\"-\",\"local_source_time\":\"-\",\"location\":\"-\",\"mal_id\":\"-\",\"mal_sev\":\"-\",\"mal_type\":\"-\",\"malware_id\":\"-\",\"malware_severity\":\"-\",\"malware_type\":\"-\",\"managed_app\":\"no\",\"managementID\":\"-\",\"md5\":\"-\",\"message_id\":\"-\",\"mime_type\":\"-\",\"modified_date\":\"-\",\"netskope_pop\":\"SE-STO1\",\"network_session_id\":\"-\",\"nsdeviceuid\":\"-\",\"num_users\":\"-\",\"numbytes\":\"-\",\"oauth\":\"-\",\"object\":\"-\",\"object_id\":\"-\",\"object_type\":\"-\",\"org\":\"-\",\"organization_unit\":\"-\",\"os\":\"Windows 11\",\"os_details\":\"-\",\"os_family\":\"Windows\",\"os_user_name\":\"-\",\"os_version\":\"Windows NT 11.0\",\"owner\":\"-\",\"owner_pdl\":\"-\",\"page\":\"ssm.eu-north-1.amazonaws.com\",\"parent_id\":\"-\",\"pid\":\"-\",\"policy\":\"Web Access 
Allow\",\"policy_action\":\"-\",\"policy_name\":\"-\",\"policy_name_enforced\":\"-\",\"policy_version\":\"-\",\"pop_id\":\"-\",\"port\":\"443\",\"process_cert_subject\":\"-\",\"process_name\":\"-\",\"process_path\":\"-\",\"product_id\":\"-\",\"publisher_cn\":\"-\",\"record_type\":\"alert\",\"redirect_url\":\"-\",\"referer\":\"-\",\"region_id\":\"-\",\"region_name\":\"-\",\"req\":\"-\",\"req_cnt\":\"-\",\"request_id\":\"5254981775376249392\",\"resource_category\":\"-\",\"resource_group\":\"-\",\"resp\":\"-\",\"resp_cnt\":\"-\",\"response_time\":\"-\",\"risk_level_id\":\"-\",\"risk_score\":\"-\",\"sa_profile_name\":\"-\",\"sa_rule_compliance\":\"-\",\"sa_rule_name\":\"-\",\"sa_rule_severity\":\"-\",\"sanctioned_instance\":\"-\",\"sender\":\"-\",\"server_bytes\":\"-\",\"server_packets\":\"-\",\"serverity\":\"-\",\"session_duration\":\"-\",\"session_number_unique\":\"-\",\"severity\":\"-\",\"severity_id\":\"-\",\"severity_level\":\"-\",\"sha256\":\"-\",\"sharedType\":\"-\",\"shared_credential_user\":\"-\",\"shared_domains\":\"-\",\"shared_with\":\"-\",\"site\":\"Amazon Systems Manager\",\"smtp_status\":\"-\",\"smtp_to\":\"-\",\"spet\":\"-\",\"spst\":\"-\",\"src_country\":\"SE\",\"src_geoip_src\":\"-\",\"src_latitude\":\"18.0717|59.328699999999998\",\"src_location\":\"Stockholm\",\"src_longitude\":\"18.0717|59.328699999999998\",\"src_network\":\"-\",\"src_region\":\"Stockholm County\",\"src_timezone\":\"Europe/Stockholm\",\"src_zipcode\":\"100 
04\",\"srcip\":\"81.2.69.142\",\"srcport\":\"-\",\"start_time\":\"-\",\"status\":\"-\",\"subject\":\"-\",\"subtype\":\"-\",\"suppression_count\":\"-\",\"tags\":\"-\",\"telemetry_app\":\"-\",\"thr\":\"-\",\"threat_type\":\"-\",\"timestamp\":\"1747134122\",\"to_user\":\"-\",\"total_packets\":\"-\",\"traffic_type\":\"CloudApp\",\"transaction_id\":\"5254981775376249392\",\"tss_license\":\"-\",\"tss_mode\":\"-\",\"tunnel_id\":\"-\",\"tur\":\"-\",\"two_factor_auth\":\"-\",\"type\":\"nspolicy\",\"unc_path\":\"-\",\"ur_normalized\":\"test@gmail.com\",\"url\":\"ssm.eu-north-1.amazonaws.com/\",\"user\":\"test@gmail.com\",\"user_confidence_index\":\"-\",\"user_confidence_level\":\"-\",\"user_id\":\"-\",\"useragent\":\"aws-sdk-go/1.55.5 (go1.23.7; windows; amd64) amazon-ssm-agent/3.3.2299.0\",\"usergroup\":\"-\",\"userip\":\"81.2.69.142\",\"userkey\":\"test@gmail.com\",\"vendor_id\":\"-\",\"violation\":\"-\",\"watchlist_name\":\"-\",\"web_url\":\"-\"}" + }, + "host": { + "domain": "ssm.eu-north-1.amazonaws.com", + "name": "Test-IDMHT6TII", + "os": { + "family": "Windows", + "full": "Windows 11", + "version": "Windows NT 11.0" + } + }, + "input": { + "type": "aws-s3" + }, + "log": { + "file": { + "path": "https://elastic-package-netskope-alert-v2-bucket-59128.s3.us-east-1.amazonaws.com/test-alerts-v2.csv.gz" + }, + "offset": 4504 + }, + "netskope": { + "alert_v2": { + "access_method": "Client", + "acked": false, + "activity": "Edit", + "alert": "yes", + "alert_type": "policy", + "app_session_id": "2241753685910532990", + "appcategory": "IT Service/Application Management", + "appsuite": "Amazon", + "browser": "Native", + "browser_session_id": "4940241048203471891", + "cci": 92, + "ccl": "excellent", + "connection_id": "2631086121425559188", + "device": "Windows Device", + "device_classification": "unmanaged", + "dst_latitude_keyword": "18.0717|59.328699999999998", + "dst_longitude_keyword": "18.0717|59.328699999999998", + "incident_id": "5254981775376249392", + "instance_id": 
"202533540828", + "managed_app": "no", + "netskope_pop": "SE-STO1", + "page": "ssm.eu-north-1.amazonaws.com", + "policy": "Web Access Allow", + "port": "443", + "record_type": "alert", + "request_id": "5254981775376249392", + "site": "Amazon Systems Manager", + "src_latitude_keyword": "18.0717|59.328699999999998", + "src_longitude_keyword": "18.0717|59.328699999999998", + "traffic_type": "CloudApp", + "transaction_id": "5254981775376249392", + "type": "nspolicy", + "ur_normalized": "test@gmail.com", + "userip": "81.2.69.142", + "userkey": "test@gmail.com" + } + }, + "network": { + "application": "amazon systems manager" + }, + "related": { + "hosts": [ + "ssm.eu-north-1.amazonaws.com", + "Test-IDMHT6TII" + ], + "ip": [ + "81.2.69.142" + ], + "user": [ + "test@gmail.com" + ] + }, + "rule": { + "name": "Web Access Allow" + }, + "source": { + "geo": { + "city_name": "Stockholm", + "country_iso_code": "SE", + "postal_code": "100 04", + "region_name": "Stockholm County", + "timezone": "Europe/Stockholm" + }, + "ip": "81.2.69.142" + }, + "tags": [ + "collect_sqs_logs", + "preserve_original_event", + "forwarded", + "netskope-alerts" + ], + "url": { + "original": "ssm.eu-north-1.amazonaws.com/" + }, + "user": { + "email": "test@gmail.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-sdk-go", + "original": "aws-sdk-go/1.55.5 (go1.23.7; windows; amd64) amazon-ssm-agent/3.3.2299.0", + "version": "1.55.5" + } +} +``` + ### Events **Exported fields** diff --git a/packages/netskope/img/netskope-alerts-v2-screenshot.png b/packages/netskope/img/netskope-alerts-v2-screenshot.png new file mode 100644 index 00000000000..1e44c7975e0 Binary files /dev/null and b/packages/netskope/img/netskope-alerts-v2-screenshot.png differ 
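Review bot: in the alerts_v2 field table of this README hunk, the description for `netskope.alert_v2.executable_hash` is a copy of the `executable_signed` row ("Flag to indicate if executable_hash is signed or not.") and should describe the hash value itself rather than the signed flag. The four `dst_latitude_keyword`, `dst_longitude_keyword`, `src_latitude_keyword` and `src_longitude_keyword` rows have empty descriptions; the sample event shows the raw value `18.0717|59.328699999999998` landing in `dst_latitude_keyword` and `src_latitude_keyword` while the `double` fields and `geo.location` stay unset, so the table should state that these keyword fields hold the original coordinate string when it does not parse as a number. Also worth a pass before merge: typos in `applation event activities`, `Its a boolean value representing whether its CLS encrypted`, `chose by admin`, and the missing spaces in `etc.Incident object name`, `cloud app.Referer URL` and `in theTelemetry App field`; and `suppression_count` ("Number of events suppressed.") is mapped as `keyword` where `long` would match the other counters such as `dlp_rule_count` and `req_cnt`.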
diff --git a/packages/netskope/kibana/dashboard/netskope-eaf804d1-abd2-438b-881d-5e47462f06fc.json b/packages/netskope/kibana/dashboard/netskope-eaf804d1-abd2-438b-881d-5e47462f06fc.json new file mode 100644 index 00000000000..a5d352dea37 --- /dev/null +++ b/packages/netskope/kibana/dashboard/netskope-eaf804d1-abd2-438b-881d-5e47462f06fc.json 
@@ -0,0 +1,2632 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "netskope.alerts_v2" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "netskope.alerts_v2" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Overview**\n\nThis dashboard shows Alerts data collected by the Netskope integration via log streaming method. \n\nIt highlights key aspects such as alert activities, types, severity levels, user involvement, and impacted applications. Visualizations include distributions by browser, app category, and region, along with alert trends over time. 
\n\nThese insights help security teams quickly identify policy violations, threats, and anomalies across users and environments.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 15, + "i": "aae63221-3459-42e4-9351-5e03f54642bd", + "w": 18, + "x": 0, + "y": 0 + }, + "panelIndex": "aae63221-3459-42e4-9351-5e03f54642bd", + "title": "Table of Content", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-60439b88-0a1f-47cc-af50-627713c49efb", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "60439b88-0a1f-47cc-af50-627713c49efb": { + "columnOrder": [ + "9f34c54f-960c-4a25-a315-c9db5d8f756d", + "3c270e4c-1b21-4216-b674-2877d6d38758" + ], + "columns": { + "3c270e4c-1b21-4216-b674-2877d6d38758": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Alerts", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "9f34c54f-960c-4a25-a315-c9db5d8f756d": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "3c270e4c-1b21-4216-b674-2877d6d38758" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + 
"specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "60439b88-0a1f-47cc-af50-627713c49efb", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "9f34c54f-960c-4a25-a315-c9db5d8f756d" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "ec6a2ab2-e89d-40f7-ab6d-d05565bd2c92", + "w": 30, + "x": 18, + "y": 0 + }, + "panelIndex": "ec6a2ab2-e89d-40f7-ab6d-d05565bd2c92", + "title": "Alert Trends Over Time [Logs Netskope]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-776fc982-61ab-4920-bb29-5e0a09963409", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "776fc982-61ab-4920-bb29-5e0a09963409": { + "columnOrder": [ + "c7de6e81-13f6-44ce-a5c2-d3e557a683ee", + "e363628d-b8fe-46db-84d3-30f01fa3ea53" + ], + "columns": { + "c7de6e81-13f6-44ce-a5c2-d3e557a683ee": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of netskope.alert_v2.alert_type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e363628d-b8fe-46db-84d3-30f01fa3ea53", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "netskope.alert_v2.alert_type" + }, + "e363628d-b8fe-46db-84d3-30f01fa3ea53": { + "dataType": "number", + "isBucketed": false, + 
"label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "776fc982-61ab-4920-bb29-5e0a09963409", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "e363628d-b8fe-46db-84d3-30f01fa3ea53" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "c7de6e81-13f6-44ce-a5c2-d3e557a683ee" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "1654ef22-8a05-4043-a2cb-8ba47caa7065", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "1654ef22-8a05-4043-a2cb-8ba47caa7065", + "title": "Distribution of Alerts by Alert Type [Logs Netskope]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-96cffafa-db69-447e-8442-b0184a6e6e88", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "96cffafa-db69-447e-8442-b0184a6e6e88": { + "columnOrder": [ + "51a2f74c-5a7b-44f3-aa1a-515f63e31096", + "0b16591c-90eb-4d3b-b14d-e5713320081d" + ], + "columns": { + "0b16591c-90eb-4d3b-b14d-e5713320081d": { + "customLabel": true, + 
"dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "51a2f74c-5a7b-44f3-aa1a-515f63e31096": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Filters", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "0b16591c-90eb-4d3b-b14d-e5713320081d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "netskope.alert_v2.acked" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "96cffafa-db69-447e-8442-b0184a6e6e88", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "0b16591c-90eb-4d3b-b14d-e5713320081d" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "51a2f74c-5a7b-44f3-aa1a-515f63e31096" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "606b2f24-d6d8-4320-99cf-77198461cfd9", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "606b2f24-d6d8-4320-99cf-77198461cfd9", + "title": 
"Distribution of Alerts by Acknowledgement [Logs Netskope]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bef467e4-b44a-420e-814f-e9adbb6a8bda", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "bef467e4-b44a-420e-814f-e9adbb6a8bda": { + "columnOrder": [ + "c15b121e-b64b-4c56-a6fe-fc4b9306faba", + "528f4048-180a-4005-9ef9-c70adc1fe143" + ], + "columns": { + "528f4048-180a-4005-9ef9-c70adc1fe143": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "c15b121e-b64b-4c56-a6fe-fc4b9306faba": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Access Method", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "528f4048-180a-4005-9ef9-c70adc1fe143", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "netskope.alert_v2.access_method" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": 
{ + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "bef467e4-b44a-420e-814f-e9adbb6a8bda", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "528f4048-180a-4005-9ef9-c70adc1fe143" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "c15b121e-b64b-4c56-a6fe-fc4b9306faba" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "566caf29-6ddc-4b0e-975e-a3405fa3e685", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "566caf29-6ddc-4b0e-975e-a3405fa3e685", + "title": "Distribution of Alerts by Access Method [Logs Netskope]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9b77c9ff-c5e8-4898-9f8a-de5e142bb849", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9b77c9ff-c5e8-4898-9f8a-de5e142bb849": { + "columnOrder": [ + "38354a17-6dda-470a-a217-93d95bccbf84", + "e0578474-1208-4fc5-9553-091f182306b8" + ], + "columns": { + "38354a17-6dda-470a-a217-93d95bccbf84": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Activity", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e0578474-1208-4fc5-9553-091f182306b8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "netskope.alert_v2.activity" + }, + "e0578474-1208-4fc5-9553-091f182306b8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": 
"___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "38354a17-6dda-470a-a217-93d95bccbf84" + }, + { + "columnId": "e0578474-1208-4fc5-9553-091f182306b8" + } + ], + "layerId": "9b77c9ff-c5e8-4898-9f8a-de5e142bb849", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "841445d9-0aa7-48ac-af5e-b90460d75eec", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "841445d9-0aa7-48ac-af5e-b90460d75eec", + "title": "Distribution of Alerts by Activity [Logs Netskope]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8a5abe5e-0bbc-4178-97a3-cb7e657b0b1a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "8a5abe5e-0bbc-4178-97a3-cb7e657b0b1a": { + "columnOrder": [ + "dd4b1f60-0325-4503-9681-189eb5574232", + "1975e83a-db9a-4bc6-8241-31f6dfab97f2" + ], + "columns": { + "1975e83a-db9a-4bc6-8241-31f6dfab97f2": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "dd4b1f60-0325-4503-9681-189eb5574232": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of user_agent.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": 
"1975e83a-db9a-4bc6-8241-31f6dfab97f2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "e1feea12-f170-489d-ade2-f8a8fe2e7d6f", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "netskope.alerts_v2" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "netskope.alerts_v2" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "8a5abe5e-0bbc-4178-97a3-cb7e657b0b1a", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "1975e83a-db9a-4bc6-8241-31f6dfab97f2" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "dd4b1f60-0325-4503-9681-189eb5574232" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "da78be7c-c9a3-49f5-bdeb-6b5624b1e0b3", + "w": 24, + "x": 0, + "y": 45 + }, + "panelIndex": "da78be7c-c9a3-49f5-bdeb-6b5624b1e0b3", + "title": "Distribution of Alerts by Browser [Logs Netskope]", + "type": "lens" + }, + { + "embeddableConfig": { + 
"attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-faca8a77-7726-4af0-9717-56d38ac51cb6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "faca8a77-7726-4af0-9717-56d38ac51cb6": { + "columnOrder": [ + "4b1b3d0e-d94b-4d7b-b9b8-88eba25359ad", + "1e2d1ba8-9933-46ca-938c-fb206fdafeea" + ], + "columns": { + "1e2d1ba8-9933-46ca-938c-fb206fdafeea": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "4b1b3d0e-d94b-4d7b-b9b8-88eba25359ad": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Applications", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1e2d1ba8-9933-46ca-938c-fb206fdafeea", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "network.application" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "4b1b3d0e-d94b-4d7b-b9b8-88eba25359ad" + }, + { + "columnId": "1e2d1ba8-9933-46ca-938c-fb206fdafeea" + } + ], + "layerId": "faca8a77-7726-4af0-9717-56d38ac51cb6", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": 
"b0d88df6-2d00-4fb8-b99f-a4ecd30e080e", + "w": 24, + "x": 24, + "y": 45 + }, + "panelIndex": "b0d88df6-2d00-4fb8-b99f-a4ecd30e080e", + "title": "Top 10 Apps [Logs Netskope]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1ab07a13-6691-4ed0-b24f-5118c5e787ae", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "1ab07a13-6691-4ed0-b24f-5118c5e787ae": { + "columnOrder": [ + "cb0f9daf-95db-4245-b407-99f6dfab1d30", + "cc31fa32-ebc1-4f7e-8a62-ea71e115185a" + ], + "columns": { + "cb0f9daf-95db-4245-b407-99f6dfab1d30": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "App Category", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "cc31fa32-ebc1-4f7e-8a62-ea71e115185a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "netskope.alert_v2.appcategory" + }, + "cc31fa32-ebc1-4f7e-8a62-ea71e115185a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "cc31fa32-ebc1-4f7e-8a62-ea71e115185a" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + 
"type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "1ab07a13-6691-4ed0-b24f-5118c5e787ae", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "cb0f9daf-95db-4245-b407-99f6dfab1d30", + "yConfig": [ + { + "axisMode": "auto", + "forAccessor": "cc31fa32-ebc1-4f7e-8a62-ea71e115185a" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "f5a3737d-cf0f-4f19-b70a-ae80ed2579a0", + "w": 24, + "x": 0, + "y": 60 + }, + "panelIndex": "f5a3737d-cf0f-4f19-b70a-ae80ed2579a0", + "title": "Distribution of Alerts by App Category [Logs Netskope]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-01b362b3-11c8-4d02-b19f-eac404030305", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "01b362b3-11c8-4d02-b19f-eac404030305": { + "columnOrder": [ + "a22ca819-5eca-42e7-bcbf-95b10d80b7c6", + "07ca9faa-1c30-4d7d-b951-292329a7c248" + ], + "columns": { + "07ca9faa-1c30-4d7d-b951-292329a7c248": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "a22ca819-5eca-42e7-bcbf-95b10d80b7c6": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Cloud Confidence Level", + "operationType": "terms", + "params": { + "exclude": [], 
+ "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "07ca9faa-1c30-4d7d-b951-292329a7c248", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "netskope.alert_v2.ccl" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "07ca9faa-1c30-4d7d-b951-292329a7c248" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "01b362b3-11c8-4d02-b19f-eac404030305", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "a22ca819-5eca-42e7-bcbf-95b10d80b7c6" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "e1f65192-57a7-4441-a28c-4a6327c6b737", + "w": 24, + "x": 24, + "y": 60 + }, + "panelIndex": "e1f65192-57a7-4441-a28c-4a6327c6b737", + "title": "Distribution of Alerts by Cloud Confidence Level [Logs Netskope]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-dccaa845-4e82-463d-8a14-aff2b913adc8", + "type": "index-pattern" + } + ], + "state": { + 
"adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "dccaa845-4e82-463d-8a14-aff2b913adc8": { + "columnOrder": [ + "2faf9afd-d94a-46f4-98e3-b5616cfeefcb", + "0e4af7cf-54b9-4f1f-aebf-f1ed10a407fa", + "30200a62-d196-4482-9d9e-ee7b00e9584f" + ], + "columns": { + "0e4af7cf-54b9-4f1f-aebf-f1ed10a407fa": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "2faf9afd-d94a-46f4-98e3-b5616cfeefcb": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Cloud Confidence Level", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "30200a62-d196-4482-9d9e-ee7b00e9584f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "netskope.alert_v2.ccl" + }, + "30200a62-d196-4482-9d9e-ee7b00e9584f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "30200a62-d196-4482-9d9e-ee7b00e9584f" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + 
"rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "dccaa845-4e82-463d-8a14-aff2b913adc8", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "2faf9afd-d94a-46f4-98e3-b5616cfeefcb", + "xAccessor": "0e4af7cf-54b9-4f1f-aebf-f1ed10a407fa" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "ef2aec38-64e0-4b75-9a1f-3e576d83f2c6", + "w": 24, + "x": 0, + "y": 75 + }, + "panelIndex": "ef2aec38-64e0-4b75-9a1f-3e576d83f2c6", + "title": "Trend of Cloud Confidence Level Over Time [Logs Netskope]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-fcaae3ea-be33-412d-a184-9046db988bee", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "fcaae3ea-be33-412d-a184-9046db988bee": { + "columnOrder": [ + "e46eb79d-3706-4f06-8ff2-6d6bdae9eaad", + "73a38911-496a-4314-b6f8-99f279bbfbff" + ], + "columns": { + "73a38911-496a-4314-b6f8-99f279bbfbff": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "e46eb79d-3706-4f06-8ff2-6d6bdae9eaad": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Device", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "73a38911-496a-4314-b6f8-99f279bbfbff", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": 
false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "netskope.alert_v2.device" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "73a38911-496a-4314-b6f8-99f279bbfbff" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "fcaae3ea-be33-412d-a184-9046db988bee", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "e46eb79d-3706-4f06-8ff2-6d6bdae9eaad" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "ccb23a39-e78a-412b-b753-202e768e4d73", + "w": 24, + "x": 24, + "y": 75 + }, + "panelIndex": "ccb23a39-e78a-412b-b753-202e768e4d73", + "title": "Distribution of Alerts by Device [Logs Netskope]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7a7d8206-050e-4b6c-8f8d-655b85245f19", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7a7d8206-050e-4b6c-8f8d-655b85245f19": { + "columnOrder": [ + "5135fd70-eb30-44c0-8d35-d9f0ae037802", + "e0646579-02c6-4188-a0b7-b2fb345a4d5e" + ], + "columns": { + 
"5135fd70-eb30-44c0-8d35-d9f0ae037802": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "File Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e0646579-02c6-4188-a0b7-b2fb345a4d5e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "file.type" + }, + "e0646579-02c6-4188-a0b7-b2fb345a4d5e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "5135fd70-eb30-44c0-8d35-d9f0ae037802", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "e0646579-02c6-4188-a0b7-b2fb345a4d5e", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "7a7d8206-050e-4b6c-8f8d-655b85245f19", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "b2c1ab1d-ee57-45e6-82bf-731e4c93c362", + "w": 24, + "x": 0, + "y": 90 + }, + "panelIndex": "b2c1ab1d-ee57-45e6-82bf-731e4c93c362", + "title": "Top 10 File Types [Logs Netskope]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3f92ad69-7b84-43ff-8966-e83ff035abfd", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": 
{}, + "datasourceStates": { + "formBased": { + "layers": { + "3f92ad69-7b84-43ff-8966-e83ff035abfd": { + "columnOrder": [ + "347af379-5b52-4edf-8ca6-66747f596dd7", + "200edf85-e9f0-4571-b72c-b25e1fe41d94" + ], + "columns": { + "200edf85-e9f0-4571-b72c-b25e1fe41d94": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "347af379-5b52-4edf-8ca6-66747f596dd7": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Object Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "200edf85-e9f0-4571-b72c-b25e1fe41d94", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "netskope.alert_v2.object_type" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "200edf85-e9f0-4571-b72c-b25e1fe41d94" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "3f92ad69-7b84-43ff-8966-e83ff035abfd", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "347af379-5b52-4edf-8ca6-66747f596dd7" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": 
true + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "c783721a-f5ab-4cba-82d4-92563ee2a51c", + "w": 24, + "x": 24, + "y": 90 + }, + "panelIndex": "c783721a-f5ab-4cba-82d4-92563ee2a51c", + "title": "Distribution of Alerts by Object Type [Logs Netskope]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3046363d-188c-4c00-a65d-933ded0ca8c6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "3046363d-188c-4c00-a65d-933ded0ca8c6": { + "columnOrder": [ + "663c79cc-800c-4a64-beb9-47772ce5cb4f", + "926dcd4f-38f3-408e-9baf-da3353e4ed1d" + ], + "columns": { + "663c79cc-800c-4a64-beb9-47772ce5cb4f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Site", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "926dcd4f-38f3-408e-9baf-da3353e4ed1d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "netskope.alert_v2.site" + }, + "926dcd4f-38f3-408e-9baf-da3353e4ed1d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", 
+ "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "663c79cc-800c-4a64-beb9-47772ce5cb4f", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "926dcd4f-38f3-408e-9baf-da3353e4ed1d", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "3046363d-188c-4c00-a65d-933ded0ca8c6", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "fbb95a46-f399-4ae6-ae61-111578dc6a09", + "w": 24, + "x": 0, + "y": 105 + }, + "panelIndex": "fbb95a46-f399-4ae6-ae61-111578dc6a09", + "title": "Top 10 Site [Logs Netskope]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5b8e028c-4eeb-4a52-897a-ec2be682f7eb", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "5b8e028c-4eeb-4a52-897a-ec2be682f7eb": { + "columnOrder": [ + "c6d656ab-7629-4743-8e99-b0cc0d266784", + "be73f919-e14b-4619-bd25-0442ffe70c3c" + ], + "columns": { + "be73f919-e14b-4619-bd25-0442ffe70c3c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "c6d656ab-7629-4743-8e99-b0cc0d266784": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Alert Traffic Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "be73f919-e14b-4619-bd25-0442ffe70c3c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": 
"netskope.alert_v2.traffic_type" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "5b8e028c-4eeb-4a52-897a-ec2be682f7eb", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "be73f919-e14b-4619-bd25-0442ffe70c3c" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "c6d656ab-7629-4743-8e99-b0cc0d266784" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "5175ac27-9f93-4760-ba28-1d228cf224b8", + "w": 24, + "x": 24, + "y": 105 + }, + "panelIndex": "5175ac27-9f93-4760-ba28-1d228cf224b8", + "title": "Distribution of Alerts by Traffic Type [Logs Netskope]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-856e69a4-374c-4021-867c-5bdc200183bb", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "856e69a4-374c-4021-867c-5bdc200183bb": { + "columnOrder": [ + "ab1897ed-c26a-4935-afa2-1f1512d73f40", + "7518f627-c829-4371-bf40-5c05b620e530" + ], + "columns": { + "7518f627-c829-4371-bf40-5c05b620e530": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + 
"emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "ab1897ed-c26a-4935-afa2-1f1512d73f40": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Destination Location", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7518f627-c829-4371-bf40-5c05b620e530", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "destination.geo.city_name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "ab1897ed-c26a-4935-afa2-1f1512d73f40", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "7518f627-c829-4371-bf40-5c05b620e530", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "856e69a4-374c-4021-867c-5bdc200183bb", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "cf52245d-d475-4c9f-a28f-d3734fc89d53", + "w": 24, + "x": 24, + "y": 120 + }, + "panelIndex": "cf52245d-d475-4c9f-a28f-d3734fc89d53", + "title": "Top 10 Destination Location [Logs Netskope]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-095fdc33-0457-4664-882a-2fdbd99bb709", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "095fdc33-0457-4664-882a-2fdbd99bb709": { 
+ "columnOrder": [ + "b1093994-b6bb-46ee-b7ea-2669c2547ead", + "82dff8eb-89a6-4214-ac7a-4d6d40fc90c1" + ], + "columns": { + "82dff8eb-89a6-4214-ac7a-4d6d40fc90c1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "b1093994-b6bb-46ee-b7ea-2669c2547ead": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Source Location", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "82dff8eb-89a6-4214-ac7a-4d6d40fc90c1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.geo.city_name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "b1093994-b6bb-46ee-b7ea-2669c2547ead", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "82dff8eb-89a6-4214-ac7a-4d6d40fc90c1", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "095fdc33-0457-4664-882a-2fdbd99bb709", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "00229080-fe04-4484-991f-23349524015e", + "w": 24, + "x": 0, + "y": 120 + }, + "panelIndex": "00229080-fe04-4484-991f-23349524015e", + "title": "Top 10 Source Location [Logs Netskope]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + 
"references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ff039ac1-ca23-4808-88d5-25ecdff7c44f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ff039ac1-ca23-4808-88d5-25ecdff7c44f": { + "columnOrder": [ + "6c38cbc9-db53-46db-a091-b6d920fe026f", + "42401a3a-90fe-42cc-b3bd-fbf0dada900c" + ], + "columns": { + "42401a3a-90fe-42cc-b3bd-fbf0dada900c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "6c38cbc9-db53-46db-a091-b6d920fe026f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Destination Country", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "42401a3a-90fe-42cc-b3bd-fbf0dada900c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "destination.geo.country_iso_code" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "6c38cbc9-db53-46db-a091-b6d920fe026f" + }, + { + "columnId": "42401a3a-90fe-42cc-b3bd-fbf0dada900c", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "ff039ac1-ca23-4808-88d5-25ecdff7c44f", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": 
"ec8d0369-5199-49ee-b8ee-b4fc27d5b335", + "w": 24, + "x": 24, + "y": 135 + }, + "panelIndex": "ec8d0369-5199-49ee-b8ee-b4fc27d5b335", + "title": "Top 10 Destination Country [Logs Netskope]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1783bbc9-f8bb-448c-b3a2-293c86017fa7", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1783bbc9-f8bb-448c-b3a2-293c86017fa7": { + "columnOrder": [ + "4a22f024-775a-4a04-bb17-cc756bdb6e5b", + "b82fbc64-73a4-4fef-acd5-b2b4e66ee068" + ], + "columns": { + "4a22f024-775a-4a04-bb17-cc756bdb6e5b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Source Country", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b82fbc64-73a4-4fef-acd5-b2b4e66ee068", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.geo.country_iso_code" + }, + "b82fbc64-73a4-4fef-acd5-b2b4e66ee068": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "4a22f024-775a-4a04-bb17-cc756bdb6e5b", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "b82fbc64-73a4-4fef-acd5-b2b4e66ee068", + "isMetric": 
true, + "isTransposed": false + } + ], + "layerId": "1783bbc9-f8bb-448c-b3a2-293c86017fa7", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "dcdc21b7-2857-412a-9f8d-78d5a9bcd6e8", + "w": 24, + "x": 0, + "y": 135 + }, + "panelIndex": "dcdc21b7-2857-412a-9f8d-78d5a9bcd6e8", + "title": "Top 10 Source Country [Logs Netskope]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Netskope][Alerts v2] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-07-01T04:47:56.791Z", + "id": "netskope-eaf804d1-abd2-438b-881d-5e47462f06fc", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ec6a2ab2-e89d-40f7-ab6d-d05565bd2c92:indexpattern-datasource-layer-60439b88-0a1f-47cc-af50-627713c49efb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1654ef22-8a05-4043-a2cb-8ba47caa7065:indexpattern-datasource-layer-776fc982-61ab-4920-bb29-5e0a09963409", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "606b2f24-d6d8-4320-99cf-77198461cfd9:indexpattern-datasource-layer-96cffafa-db69-447e-8442-b0184a6e6e88", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "566caf29-6ddc-4b0e-975e-a3405fa3e685:indexpattern-datasource-layer-bef467e4-b44a-420e-814f-e9adbb6a8bda", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "841445d9-0aa7-48ac-af5e-b90460d75eec:indexpattern-datasource-layer-9b77c9ff-c5e8-4898-9f8a-de5e142bb849", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "da78be7c-c9a3-49f5-bdeb-6b5624b1e0b3:indexpattern-datasource-layer-8a5abe5e-0bbc-4178-97a3-cb7e657b0b1a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"b0d88df6-2d00-4fb8-b99f-a4ecd30e080e:indexpattern-datasource-layer-faca8a77-7726-4af0-9717-56d38ac51cb6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f5a3737d-cf0f-4f19-b70a-ae80ed2579a0:indexpattern-datasource-layer-1ab07a13-6691-4ed0-b24f-5118c5e787ae", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e1f65192-57a7-4441-a28c-4a6327c6b737:indexpattern-datasource-layer-01b362b3-11c8-4d02-b19f-eac404030305", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ef2aec38-64e0-4b75-9a1f-3e576d83f2c6:indexpattern-datasource-layer-dccaa845-4e82-463d-8a14-aff2b913adc8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ccb23a39-e78a-412b-b753-202e768e4d73:indexpattern-datasource-layer-fcaae3ea-be33-412d-a184-9046db988bee", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b2c1ab1d-ee57-45e6-82bf-731e4c93c362:indexpattern-datasource-layer-7a7d8206-050e-4b6c-8f8d-655b85245f19", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c783721a-f5ab-4cba-82d4-92563ee2a51c:indexpattern-datasource-layer-3f92ad69-7b84-43ff-8966-e83ff035abfd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fbb95a46-f399-4ae6-ae61-111578dc6a09:indexpattern-datasource-layer-3046363d-188c-4c00-a65d-933ded0ca8c6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5175ac27-9f93-4760-ba28-1d228cf224b8:indexpattern-datasource-layer-5b8e028c-4eeb-4a52-897a-ec2be682f7eb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cf52245d-d475-4c9f-a28f-d3734fc89d53:indexpattern-datasource-layer-856e69a4-374c-4021-867c-5bdc200183bb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "00229080-fe04-4484-991f-23349524015e:indexpattern-datasource-layer-095fdc33-0457-4664-882a-2fdbd99bb709", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ec8d0369-5199-49ee-b8ee-b4fc27d5b335:indexpattern-datasource-layer-ff039ac1-ca23-4808-88d5-25ecdff7c44f", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "dcdc21b7-2857-412a-9f8d-78d5a9bcd6e8:indexpattern-datasource-layer-1783bbc9-f8bb-448c-b3a2-293c86017fa7", + "type": "index-pattern" + }, + { + "id": "netskope-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/netskope/kibana/tag/netskope-security-solution-default.json b/packages/netskope/kibana/tag/netskope-security-solution-default.json new file mode 100644 index 00000000000..87edba29593 --- /dev/null +++ b/packages/netskope/kibana/tag/netskope-security-solution-default.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#F583B7", + "description": "Tag defined in package-spec", + "name": "Security Solution" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-06-30T09:29:57.655Z", + "id": "netskope-security-solution-default", + "managed": false, + "references": [], + "type": "tag", + "typeMigrationVersion": "8.0.0" +} \ No newline at end of file diff --git a/packages/netskope/manifest.yml b/packages/netskope/manifest.yml index 82d82856523..a13bb6de8e5 100644 --- a/packages/netskope/manifest.yml +++ b/packages/netskope/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: netskope title: "Netskope" -version: "2.0.0" +version: "2.1.0" description: Collect logs from Netskope with Elastic Agent. type: integration categories: @@ -19,6 +19,10 @@ screenshots: title: Netskope Event logs screenshot size: 600x600 type: image/png + - src: /img/netskope-alerts-v2-screenshot.png + title: Netskope Alert v2 logs screenshot + size: 600x600 + type: image/png icons: - src: /img/netskope-logo.svg title: Netskope logo 
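Review bot: in the dashboard hunk, the "Top 10 Destination Country [Logs Netskope]" datatable (layer `ff039ac1-ca23-4808-88d5-25ecdff7c44f`) declares its bucket column as just `{ "columnId": "6c38cbc9-db53-46db-a091-b6d920fe026f" }`, while every other datatable in the file also sets `"isMetric": false` and `"isTransposed": false` on that column; add the two keys so the panels are uniform and the saved Lens state does not rely on defaults being filled in at load time. In the same hunk, the count column of "Distribution of Alerts by Traffic Type" uses `"emptyAsNull": true` whereas every other count column uses `false`; confirm this is intentional for the pie rather than a copy-and-paste difference. The file also ends with `\ No newline at end of file`; add the trailing newline so later diffs of this dashboard stay clean.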
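Review bot: `netskope-security-solution-default.json` is also committed without a trailing newline (`\ No newline at end of file`); add one. The tag id `netskope-security-solution-default` and the dashboard's `tag-ref-security-solution-default` reference match, so the tag wiring itself looks right.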
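Review bot: the `manifest.yml` bump from `"2.0.0"` to `"2.1.0"` is the right level for adding new inputs and a dashboard without breaking the TCP input; make sure the matching `changelog.yml` entry lands in the same change, since it is not part of the hunks shown here.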
@@ -69,7 +73,146 @@ policy_templates: # sxSmbIUfc2SGJGCJD4I= # -----END CERTIFICATE----- title: Collect Netskope logs via TCP input - description: Collecting Netskope logs via TCP input. + description: Collect Netskope logs via TCP input. + - type: aws-s3 + title: Collect logs from Netskope using AWS S3 or AWS SQS + description: Collect logs from Netskope using AWS S3 or AWS SQS. + vars: + - name: collect_s3_logs + required: true + show_user: true + title: Collect logs via S3 Bucket + description: To collect logs via S3 bucket enable the toggle switch. By default, it will collect logs via SQS Queue. + type: bool + multi: false + default: false + - name: access_key_id + type: password + title: Access Key ID + multi: false + required: false + show_user: true + description: First part of access key. This parameter along with the secret_access_key parameter is required if we are not providing shared_credential_file. + secret: true + - name: secret_access_key + type: password + title: Secret Access Key + multi: false + required: false + show_user: true + description: Second part of access key. This parameter along with the access_key_id parameter is required if we are not providing shared_credential_file. + secret: true + - name: region + type: text + title: '[SQS] Region' + multi: false + required: false + show_user: true + description: The name of the AWS region of the end point. If this option is given it takes precedence over the region name obtained from the queue_url value. + - name: session_token + type: password + title: Session Token + multi: false + required: false + show_user: true + description: Required when using temporary security credentials. + secret: true + - name: shared_credential_file + type: text + title: Shared Credential File + multi: false + required: false + show_user: false + description: Directory of the shared credentials file. This parameter is required if we are not providing value for the parameters - secret_access_key and access_key_id. 
+ - name: credential_profile_name + type: text + title: Credential Profile Name + multi: false + required: false + show_user: false + description: Profile name in shared credentials file. + - name: role_arn + type: text + title: Role ARN + multi: false + required: false + show_user: false + description: AWS IAM Role to assume. + - name: default_region + type: text + title: Default AWS Region + multi: false + required: false + show_user: false + default: "" + description: >- + Default region to query if no other region is set. Most AWS services offer a regional endpoint that can be used to make requests. Some services, such as IAM, do not support regions. If a region is not provided by any other way (environment variable, credential or instance profile), the value set here will be used. + - name: endpoint + type: text + title: Endpoint + multi: false + required: false + show_user: false + description: URL of the entry point for an AWS web service. + - name: fips_enabled + type: bool + title: FIPS Enabled + default: false + multi: false + required: false + show_user: false + description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. + - name: ssl + type: yaml + title: SSL Configuration + description: SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + - type: gcs + title: Collect Netskope logs via GCS (Google Cloud Storage) + description: Collect data from configured GCS Bucket with Elastic Agent. + - type: azure-blob-storage + title: Collect Netskope logs via Azure Blob Storage + description: Collect data from configured Azure Blob Storage Container with Elastic Agent. + vars: + - name: oauth2 + required: true + show_user: true + title: Collect logs using OAuth2 authentication + description: To collect logs using OAuth2 authentication enable the toggle switch. By default, it will collect logs using service account key or URI. + type: bool + multi: false + default: false owner: github: elastic/security-service-integrations type: elastic
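Review bot: the `proxy_url` description in the new `aws-s3` policy template has lost its placeholders and reads `URL to proxy connections in the form of http[s]://:@:.`; the user, password, host and port tokens were evidently dropped as markup, so quote the form in backticks, e.g. `http[s]://<user>:<password>@<host>:<port>`, which is also what the generated README will render. Two smaller points in the same block: the `access_key_id`, `secret_access_key` and `shared_credential_file` descriptions use the informal "if we are not providing ..." wording; prefer "required if `shared_credential_file` is not set" (the credential vars themselves are correctly `type: password` with `secret: true`, so they are stored and displayed as secrets). And the `gcs` policy template declares no `vars` at all while `aws-s3` and `azure-blob-storage` each expose a top-level toggle; if GCS credentials are meant to be configured only at the data stream level, state that in its description, otherwise add the corresponding options.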