diff --git a/packages/netskope/data_stream/alerts_v2/_dev/deploy/docker/docker-compose.yml b/packages/netskope/data_stream/alerts_v2/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..0bfa33fa6a1
--- /dev/null
+++ b/packages/netskope/data_stream/alerts_v2/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,34 @@
+version: "2.3"
+services:
+  azure-blob-storage-emulator:
+    image: mcr.microsoft.com/azure-storage/azurite
+    command: azurite-blob --blobHost 0.0.0.0 --blobPort 10000
+    ports:
+      - "10000/tcp"
+  uploader:
+    image: mcr.microsoft.com/azure-cli
+    depends_on:
+      - azure-blob-storage-emulator
+    volumes:
+      - ./sample_logs:/sample_logs
+    entrypoint: >
+      sh -c "
+        sleep 5 &&
+        export AZURE_STORAGE_CONNECTION_STRING='DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=http://azure-blob-storage-emulator:10000/devstoreaccount1;' &&
+        az storage container create --name test-container &&
+        az storage blob upload --container-name test-container --file /sample_logs/test-alerts-v2.csv.gz --name test-alerts-v2.csv.gz
+      "
+  gcs-mock-service:
+    image: golang:1.24.7-alpine
+    working_dir: /app
+    volumes:
+      - ./gcs-mock-service:/app
+      - ./files/manifest.yml:/files/manifest.yml:ro
+      - ./sample_logs/:/data
+    ports:
+      - "4443/tcp"
+    healthcheck:
+      test: "wget --no-verbose --tries=1 --spider http://localhost:4443/health || exit 1"
+      interval: 10s
+      timeout: 5s
+    command: go run main.go -manifest /files/manifest.yml
diff --git a/packages/netskope/data_stream/alerts_v2/_dev/deploy/docker/files/manifest.yml b/packages/netskope/data_stream/alerts_v2/_dev/deploy/docker/files/manifest.yml
new file mode 100644
index 00000000000..2492c4f47f2
--- /dev/null
+++ b/packages/netskope/data_stream/alerts_v2/_dev/deploy/docker/files/manifest.yml
@@ -0,0 +1,5 @@
+buckets:
+  testbucket:
+    files:
+      - path: /data/test-alerts-v2.csv.gz
+        content-type: application/x-gzip
diff --git a/packages/netskope/data_stream/alerts_v2/_dev/deploy/docker/gcs-mock-service/go.mod b/packages/netskope/data_stream/alerts_v2/_dev/deploy/docker/gcs-mock-service/go.mod
new file mode 100644
index 00000000000..df08767f7e8
--- /dev/null
+++ b/packages/netskope/data_stream/alerts_v2/_dev/deploy/docker/gcs-mock-service/go.mod
@@ -0,0 +1,5 @@
+module gcs-mock-service
+
+go 1.24.7
+
+require gopkg.in/yaml.v3 v3.0.1
diff --git a/packages/netskope/data_stream/alerts_v2/_dev/deploy/docker/gcs-mock-service/go.sum b/packages/netskope/data_stream/alerts_v2/_dev/deploy/docker/gcs-mock-service/go.sum
new file mode 100644
index 00000000000..a62c313c5b0
--- /dev/null
+++ b/packages/netskope/data_stream/alerts_v2/_dev/deploy/docker/gcs-mock-service/go.sum
@@ -0,0 +1,4 @@
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/packages/netskope/data_stream/alerts_v2/_dev/deploy/docker/gcs-mock-service/main.go b/packages/netskope/data_stream/alerts_v2/_dev/deploy/docker/gcs-mock-service/main.go
new file mode 100644
index 00000000000..391e75c7efe
--- /dev/null
+++ b/packages/netskope/data_stream/alerts_v2/_dev/deploy/docker/gcs-mock-service/main.go
@@ -0,0 +1,297 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package main
+
+import (
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"strconv"
+	"strings"
+
+	"gopkg.in/yaml.v3"
+)
+
+func main() {
+	host := flag.String("host", "0.0.0.0", "host to listen on")
+	port := flag.String("port", "4443", "port to listen on")
+	manifest := flag.String("manifest", "", "path to YAML manifest file for preloading buckets and objects")
+	flag.Parse()
+
+	addr := fmt.Sprintf("%s:%s", *host, *port)
+
+	fmt.Printf("Starting mock GCS server on http://%s\n", addr)
+	if *manifest != "" {
+		m, err := readManifest(*manifest)
+		if err != nil {
+			log.Fatalf("error reading manifest: %v", err)
+		}
+		if err := processManifest(m); err != nil {
+			log.Fatalf("error processing manifest: %v", err)
+		}
+	} else {
+		fmt.Println("Store is empty. Create buckets and objects via API calls.")
+	}
+
+	// setup HTTP handlers
+	mux := http.NewServeMux()
+	// health check
+	mux.HandleFunc("/health", healthHandler)
+	// standard gcs api calls
+	mux.HandleFunc("GET /storage/v1/b/{bucket}/o", handleListObjects)
+	mux.HandleFunc("GET /storage/v1/b/{bucket}/o/{object...}", handleGetObject)
+	mux.HandleFunc("POST /storage/v1/b", handleCreateBucket)
+	mux.HandleFunc("POST /upload/storage/v1/b/{bucket}/o", handleUploadObject)
+	mux.HandleFunc("POST /upload/storage/v1/b/{bucket}/o/{object...}", handleUploadObject)
+	// direct path-style gcs sdk calls
+	mux.HandleFunc("GET /{bucket}/o/{object...}", handleGetObject)
+	mux.HandleFunc("GET /{bucket}/{object...}", handleGetObject)
+	// debug: log all requests
+	loggedMux := loggingMiddleware(mux)
+
+	if err := http.ListenAndServe(addr, loggedMux); err != nil {
+		log.Fatalf("failed to start server: %v", err)
+	}
+}
+
+// loggingMiddleware logs incoming HTTP requests.
+func loggingMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Printf("%s %s\n", r.Method, r.URL.Path)
+		next.ServeHTTP(w, r)
+	})
+}
+
+// readManifest reads and parses the YAML manifest file.
+func readManifest(path string) (*Manifest, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read manifest: %w", err)
+	}
+
+	var manifest Manifest
+	if err := yaml.Unmarshal(data, &manifest); err != nil {
+		return nil, fmt.Errorf("failed to parse manifest: %w", err)
+	}
+
+	return &manifest, nil
+}
+
+// processManifest creates buckets and uploads objects as specified in the manifest.
+func processManifest(manifest *Manifest) error {
+	for bucketName, bucket := range manifest.Buckets {
+		for _, file := range bucket.Files {
+			fmt.Printf("preloading data for bucket: %s | path: %s | content-type: %s...\n",
+				bucketName, file.Path, file.ContentType)
+
+			if err := createBucket(bucketName); err != nil {
+				return fmt.Errorf("failed to create bucket '%s': %w", bucketName, err)
+			}
+			data, err := os.ReadFile(file.Path)
+			if err != nil {
+				return fmt.Errorf("failed to read bucket data file '%s': %w", file.Path, err)
+			}
+			pathParts := strings.Split(file.Path, "/")
+			if _, err := uploadObject(bucketName, pathParts[len(pathParts)-1], data, file.ContentType); err != nil {
+				return fmt.Errorf("failed to create object '%s' in bucket '%s': %w", file.Path, bucketName, err)
+			}
+		}
+	}
+	return nil
+}
+
+// healthHandler responds with a simple "OK" message for health checks.
+func healthHandler(w http.ResponseWriter, r *http.Request) {
+	w.WriteHeader(http.StatusOK)
+	fmt.Fprint(w, "OK")
+}
+
+// handleListObjects lists all objects in the specified bucket.
+func handleListObjects(w http.ResponseWriter, r *http.Request) {
+	bucketName := r.PathValue("bucket")
+
+	if bucket, ok := inMemoryStore[bucketName]; ok {
+		response := GCSListResponse{
+			Kind:  "storage#objects",
+			Items: []GCSObject{},
+		}
+		for name, object := range bucket {
+			item := GCSObject{
+				Kind:        "storage#object",
+				Name:        name,
+				Bucket:      bucketName,
+				Size:        strconv.Itoa(len(object.Data)),
+				ContentType: object.ContentType,
+			}
+			response.Items = append(response.Items, item)
+		}
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(response)
+		return
+	}
+	http.Error(w, "not found", http.StatusNotFound)
+}
+
+// handleGetObject retrieves a specific object from a bucket.
+func handleGetObject(w http.ResponseWriter, r *http.Request) {
+	bucketName := r.PathValue("bucket")
+	objectName := r.PathValue("object")
+
+	if bucketName == "" || objectName == "" {
+		http.Error(w, "not found: invalid URL format", http.StatusNotFound)
+		return
+	}
+
+	if bucket, ok := inMemoryStore[bucketName]; ok {
+		if object, ok := bucket[objectName]; ok {
+			w.Header().Set("Content-Type", object.ContentType)
+			w.Write(object.Data)
+			return
+		}
+	}
+	http.Error(w, "not found", http.StatusNotFound)
+}
+
+// handleCreateBucket creates a new bucket.
+func handleCreateBucket(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.NotFound(w, r)
+		return
+	}
+
+	var bucketInfo struct {
+		Name string `json:"name"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&bucketInfo); err != nil {
+		http.Error(w, "invalid JSON body", http.StatusBadRequest)
+		return
+	}
+	if bucketInfo.Name == "" {
+		http.Error(w, "bucket name is required", http.StatusBadRequest)
+		return
+	}
+
+	if err := createBucket(bucketInfo.Name); err != nil {
+		http.Error(w, err.Error(), http.StatusConflict)
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+	json.NewEncoder(w).Encode(bucketInfo)
+}
+
+// handleUploadObject uploads an object to a specified bucket.
+func handleUploadObject(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.NotFound(w, r)
+		return
+	}
+
+	bucketName := r.PathValue("bucket")
+	objectName := r.URL.Query().Get("name")
+	if objectName == "" {
+		objectName = r.PathValue("object")
+	}
+
+	if bucketName == "" || objectName == "" {
+		http.Error(w, "missing bucket or object name", http.StatusBadRequest)
+		return
+	}
+
+	data, err := io.ReadAll(r.Body)
+	if err != nil {
+		http.Error(w, "failed to read request body", http.StatusInternalServerError)
+		return
+	}
+	defer r.Body.Close()
+
+	contentType := r.Header.Get("Content-Type")
+	if contentType == "" {
+		contentType = "application/octet-stream"
+	}
+
+	response, err := uploadObject(bucketName, objectName, data, contentType)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusNotFound)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(response)
+}
+
+func createBucket(bucketName string) error {
+	if _, exists := inMemoryStore[bucketName]; exists {
+		return fmt.Errorf("bucket already exists")
+	}
+	inMemoryStore[bucketName] = make(map[string]ObjectData)
+	log.Printf("created bucket: %s", bucketName)
+	return nil
+}
+
+func uploadObject(bucketName, objectName string, data []byte, contentType string) (*GCSObject, error) {
+	if _, ok := inMemoryStore[bucketName]; !ok {
+		return nil, fmt.Errorf("bucket not found")
+	}
+
+	inMemoryStore[bucketName][objectName] = ObjectData{
+		Data:        data,
+		ContentType: contentType,
+	}
+	log.Printf("created object '%s' in bucket '%s' with Content-Type '%s'",
+		objectName, bucketName, contentType)
+
+	return &GCSObject{
+		Kind:        "storage#object",
+		Name:        objectName,
+		Bucket:      bucketName,
+		Size:        strconv.Itoa(len(data)),
+		ContentType: contentType,
+	}, nil
+}
+
+// The in-memory store to hold ObjectData structs.
+var inMemoryStore = make(map[string]map[string]ObjectData)
+
+// ObjectData stores the raw data and its content type.
+type ObjectData struct {
+	Data        []byte
+	ContentType string
+}
+
+// GCSListResponse mimics the structure of a real GCS object list response.
+type GCSListResponse struct {
+	Kind  string      `json:"kind"`
+	Items []GCSObject `json:"items"`
+}
+
+// GCSObject mimics the structure of a GCS object resource with ContentType.
+type GCSObject struct {
+	Kind        string `json:"kind"`
+	Name        string `json:"name"`
+	Bucket      string `json:"bucket"`
+	Size        string `json:"size"`
+	ContentType string `json:"contentType"`
+}
+
+// Manifest represents the top-level structure of the YAML file
+type Manifest struct {
+	Buckets map[string]Bucket `yaml:"buckets"`
+}
+
+// Bucket represents each bucket and its files
+type Bucket struct {
+	Files []File `yaml:"files"`
+}
+
+// File represents each file entry inside a bucket
+type File struct {
+	Path        string `yaml:"path"`
+	ContentType string `yaml:"content-type"`
+}
diff --git a/packages/netskope/data_stream/alerts_v2/_dev/deploy/docker/sample_logs/test-alerts-v2.csv.gz b/packages/netskope/data_stream/alerts_v2/_dev/deploy/docker/sample_logs/test-alerts-v2.csv.gz
new file mode 100644
index 00000000000..1131ae856f8
Binary files /dev/null and b/packages/netskope/data_stream/alerts_v2/_dev/deploy/docker/sample_logs/test-alerts-v2.csv.gz differ
diff --git a/packages/netskope/data_stream/alerts_v2/_dev/deploy/tf/main.tf b/packages/netskope/data_stream/alerts_v2/_dev/deploy/tf/main.tf
index 973c81fbcff..3c384a9b0ba 100644
--- a/packages/netskope/data_stream/alerts_v2/_dev/deploy/tf/main.tf
+++ b/packages/netskope/data_stream/alerts_v2/_dev/deploy/tf/main.tf
@@ -2,21 +2,21 @@ provider "aws" {
   region = "us-east-1"
   default_tags {
     tags = {
-      environment  = var.ENVIRONMENT
-      repo         = var.REPO
-      branch       = var.BRANCH
-      build        = var.BUILD_ID
-      created_date = var.CREATED_DATE
+      aws_environment  = var.ENVIRONMENT
+      aws_repo         = var.REPO
+      aws_branch       = var.BRANCH
+      aws_build        = var.BUILD_ID
+      aws_created_date = var.CREATED_DATE
     }
   }
 }
 
-resource "aws_s3_bucket" "bucket" {
-  bucket = "elastic-package-netskope-alert-v2-bucket-${var.TEST_RUN_ID}"
+resource "aws_s3_bucket" "aws_bucket" {
+  bucket = "elastic-package-netskope-bucket-${var.TEST_RUN_ID}"
 }
 
-resource "aws_sqs_queue" "queue" {
-  name       = "elastic-package-netskope-alert-v2-queue-${var.TEST_RUN_ID}"
+resource "aws_sqs_queue" "aws_queue" {
+  name       = "elastic-package-netskope-queue-${var.TEST_RUN_ID}"
   policy     = <<POLICY
 {
   "Version": "2012-10-17",
@@ -25,9 +25,9 @@ resource "aws_sqs_queue" "queue" {
       "Effect": "Allow",
       "Principal": "*",
       "Action": "sqs:SendMessage",
-      "Resource": "arn:aws:sqs:*:*:elastic-package-netskope-alert-v2-queue-${var.TEST_RUN_ID}",
+      "Resource": "arn:aws:sqs:*:*:elastic-package-netskope-queue-${var.TEST_RUN_ID}",
       "Condition": {
-        "ArnEquals": { "aws:SourceArn": "${aws_s3_bucket.bucket.arn}" }
+        "ArnEquals": { "aws:SourceArn": "${aws_s3_bucket.aws_bucket.arn}" }
       }
     }
   ]
@@ -35,25 +35,25 @@ resource "aws_sqs_queue" "queue" {
 POLICY
 }
 
-resource "aws_s3_bucket_notification" "bucket_notification" {
-  bucket = aws_s3_bucket.bucket.id
+resource "aws_s3_bucket_notification" "aws_bucket_notification" {
+  bucket = aws_s3_bucket.aws_bucket.id
 
   queue {
-    queue_arn = aws_sqs_queue.queue.arn
+    queue_arn = aws_sqs_queue.aws_queue.arn
     events    = ["s3:ObjectCreated:*"]
   }
 }
 
-resource "aws_s3_object" "object" {
-  bucket = aws_s3_bucket.bucket.id
-  key    = "test-alerts-v2.csv.gz"
+resource "aws_s3_object" "aws_object" {
+  bucket = aws_s3_bucket.aws_bucket.id
+  key    = "event.csv.gz"
   content_base64   = base64gzip(file("./files/test-alerts-v2.csv"))
   content_encoding = "gzip"
   content_type     = "text/csv"
 
-  depends_on = [aws_sqs_queue.queue]
+  depends_on = [aws_sqs_queue.aws_queue]
 }
 
-output "queue_url" {
-  value = aws_sqs_queue.queue.url
+output "aws_queue_url" {
+  value = aws_sqs_queue.aws_queue.url
 }
diff --git a/packages/netskope/data_stream/alerts_v2/_dev/deploy/tf/variables.tf b/packages/netskope/data_stream/alerts_v2/_dev/deploy/tf/variables.tf
index 32d90dee649..c0b63c08733 100644
--- a/packages/netskope/data_stream/alerts_v2/_dev/deploy/tf/variables.tf
+++ b/packages/netskope/data_stream/alerts_v2/_dev/deploy/tf/variables.tf
@@ -1,16 +1,20 @@
+variable "TEST_RUN_ID" {
+  default = "detached"
+}
+
 variable "BRANCH" {
   description = "Branch name or pull request for tagging purposes"
-  default     = "unknown-branch"
+  default = "unknown-branch"
 }
 
 variable "BUILD_ID" {
   description = "Build ID in the CI for tagging purposes"
-  default     = "unknown-build"
+  default = "unknown-build"
 }
 
 variable "CREATED_DATE" {
   description = "Creation date in epoch time for tagging purposes"
-  default     = "unknown-date"
+  default = "unknown-date"
 }
 
 variable "ENVIRONMENT" {
@@ -18,9 +22,5 @@ variable "ENVIRONMENT" {
 }
 
 variable "REPO" {
-  default = "unknown-repo-name"
-}
-
-variable "TEST_RUN_ID" {
-  default = "detached"
+  default = "unknown-repo"
 }
diff --git a/packages/netskope/data_stream/alerts_v2/_dev/test/system/test-default-config.yml b/packages/netskope/data_stream/alerts_v2/_dev/test/system/test-aws-s3-config.yml
similarity index 82%
rename from packages/netskope/data_stream/alerts_v2/_dev/test/system/test-default-config.yml
rename to packages/netskope/data_stream/alerts_v2/_dev/test/system/test-aws-s3-config.yml
index a28d767c0f2..554280ba8d1 100644
--- a/packages/netskope/data_stream/alerts_v2/_dev/test/system/test-default-config.yml
+++ b/packages/netskope/data_stream/alerts_v2/_dev/test/system/test-aws-s3-config.yml
@@ -1,3 +1,4 @@
+deployer: tf
 input: aws-s3
 wait_for_data_timeout: 20m
 vars:
@@ -6,7 +7,7 @@ vars:
   session_token: "{{AWS_SESSION_TOKEN}}"
 data_stream:
   vars:
-    queue_url: "{{TF_OUTPUT_queue_url}}"
+    queue_url: "{{TF_OUTPUT_aws_queue_url}}"
     preserve_original_event: true
     csv_comma: ","
 assert:
diff --git a/packages/netskope/data_stream/alerts_v2/_dev/test/system/test-azure-config.yml b/packages/netskope/data_stream/alerts_v2/_dev/test/system/test-azure-config.yml
new file mode 100644
index 00000000000..3ade5024958
--- /dev/null
+++ b/packages/netskope/data_stream/alerts_v2/_dev/test/system/test-azure-config.yml
@@ -0,0 +1,17 @@
+deployer: docker
+service: azure-blob-storage-emulator
+input: azure-blob-storage
+vars:
+data_stream:
+  vars:
+    csv_comma: ","
+    account_name: devstoreaccount1
+    service_account_key: "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="
+    storage_url: "http://{{Hostname}}:{{Port}}/devstoreaccount1/"
+    containers: |
+      - name: test-container
+        max_workers: 3
+        poll: true
+        poll_interval: 15s
+assert:
+  hit_count: 3
diff --git a/packages/netskope/data_stream/alerts_v2/_dev/test/system/test-gcs-config.yml b/packages/netskope/data_stream/alerts_v2/_dev/test/system/test-gcs-config.yml
new file mode 100644
index 00000000000..9bf77fb78c4
--- /dev/null
+++ b/packages/netskope/data_stream/alerts_v2/_dev/test/system/test-gcs-config.yml
@@ -0,0 +1,17 @@
+deployer: docker
+service: gcs-mock-service
+input: gcs
+vars:
+data_stream:
+  vars:
+    csv_comma: ","
+    project_id: fake-gcs-project
+    alternative_host: "http://{{Hostname}}:{{Port}}"
+    number_of_workers: 1
+    poll: true
+    poll_interval: 15s
+    service_account_key: "{\"type\":\"service_account\",\"project_id\":\"fake-gcs-project\"}"
+    buckets: |
+      - name: testbucket
+assert:
+  hit_count: 3
diff --git a/packages/netskope/data_stream/alerts_v2/agent/stream/gcs.yml.hbs b/packages/netskope/data_stream/alerts_v2/agent/stream/gcs.yml.hbs
index ace8b345421..52e6c76cc74 100644
--- a/packages/netskope/data_stream/alerts_v2/agent/stream/gcs.yml.hbs
+++ b/packages/netskope/data_stream/alerts_v2/agent/stream/gcs.yml.hbs
@@ -1,6 +1,9 @@
 {{#if project_id}}
 project_id: {{project_id}}
 {{/if}}
+{{#if alternative_host}}
+alternative_host: {{alternative_host}}
+{{/if}}
 {{#if service_account_key}}
 auth.credentials_json.account_key: {{service_account_key}}
 {{/if}}
diff --git a/packages/netskope/data_stream/alerts_v2/elasticsearch/ingest_pipeline/default.yml b/packages/netskope/data_stream/alerts_v2/elasticsearch/ingest_pipeline/default.yml
index 024aee802f2..517aa26b928 100644
--- a/packages/netskope/data_stream/alerts_v2/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/netskope/data_stream/alerts_v2/elasticsearch/ingest_pipeline/default.yml
@@ -65,6 +65,12 @@ processors:
       tag: set_event_id_from_alert_v2__id
       copy_from: netskope.alert_v2._id
       ignore_empty_value: true
+  - fingerprint:
+      fields:
+        - netskope.alert_v2._id
+      tag: fingerprint__id
+      target_field: _id
+      ignore_missing: true
   - convert:
       field: netskope.alert_v2.acked
       tag: convert_acked_to_boolean
diff --git a/packages/netskope/data_stream/alerts_v2/fields/beats.yml b/packages/netskope/data_stream/alerts_v2/fields/beats.yml
index d9b1cd412fa..09041def28c 100644
--- a/packages/netskope/data_stream/alerts_v2/fields/beats.yml
+++ b/packages/netskope/data_stream/alerts_v2/fields/beats.yml
@@ -22,3 +22,57 @@
         - name: key
           type: keyword
           description: The AWS S3 Object key.
+- name: gcs.storage
+  type: group
+  fields:
+    - name: bucket.name
+      type: keyword
+      description: The name of the Google Cloud Storage Bucket.
+    - name: object.json_data
+      type: keyword
+      description: When parse_json is true, the resulting JSON data is stored in this field.
+    - name: object.name
+      type: keyword
+      description: The content type of the Google Cloud Storage object.
+    - name: object.content_type
+      type: keyword
+      description: The content type of the Google Cloud Storage object.
+- name: azure
+  type: group
+  fields:
+    - name: resource
+      type: group
+      fields:
+        - name: group
+          type: keyword
+          description: Resource group.
+        - name: id
+          type: keyword
+          description: Resource ID.
+        - name: name
+          type: keyword
+          description: Name.
+        - name: provider
+          type: keyword
+          description: Resource type/namespace.
+    - name: storage
+      type: group
+      fields:
+        - name: blob
+          type: group
+          fields:
+            - name: content_type
+              type: keyword
+              description: The content type of the Azure Blob Storage blob object.
+            - name: name
+              type: keyword
+              description: The name of the Azure Blob Storage blob object.
+        - name: container
+          type: group
+          fields:
+            - name: name
+              type: keyword
+              description: The name of the Azure Blob Storage container.
+    - name: subscription_id
+      type: keyword
+      description: Azure subscription ID.
diff --git a/packages/netskope/data_stream/alerts_v2/manifest.yml b/packages/netskope/data_stream/alerts_v2/manifest.yml
index d4894d40810..2eeeea5c9b5 100644
--- a/packages/netskope/data_stream/alerts_v2/manifest.yml
+++ b/packages/netskope/data_stream/alerts_v2/manifest.yml
@@ -369,6 +369,13 @@ streams:
         show_user: false
         default: " "
         description: The field separator character used by the CSV format.
+      - name: alternative_host
+        type: text
+        title: Alternative Host
+        description: Used to override the default host for the storage client (default is storage.googleapis.com)
+        required: false
+        multi: false
+        show_user: false
       - name: processors
         type: yaml
         title: Processors
diff --git a/packages/netskope/data_stream/alerts_v2/sample_event.json b/packages/netskope/data_stream/alerts_v2/sample_event.json
index 77d560ca0be..d884f2faf82 100644
--- a/packages/netskope/data_stream/alerts_v2/sample_event.json
+++ b/packages/netskope/data_stream/alerts_v2/sample_event.json
@@ -1,29 +1,18 @@
 {
     "@timestamp": "2025-05-13T11:02:02.000Z",
     "agent": {
-        "ephemeral_id": "1caa7082-bf2e-4fc9-bdac-3673d20f986f",
-        "id": "d5fe41dd-4f7d-4b58-b383-eb8ba0a48f0c",
-        "name": "elastic-agent-55769",
+        "ephemeral_id": "a72b72ab-a3da-42ca-98fa-61359fb7eee5",
+        "id": "b5a8117b-a8b6-4c10-9851-c2e78f0811dc",
+        "name": "elastic-agent-77576",
         "type": "filebeat",
         "version": "8.17.8"
     },
-    "aws": {
-        "s3": {
-            "bucket": {
-                "arn": "arn:aws:s3:::elastic-package-netskope-alert-v2-bucket-59128",
-                "name": "elastic-package-netskope-alert-v2-bucket-59128"
-            },
-            "object": {
-                "key": "test-alerts-v2.csv.gz"
-            }
-        }
-    },
     "cloud": {
-        "region": "us-east-1"
+        "provider": "google cloud"
     },
     "data_stream": {
         "dataset": "netskope.alerts_v2",
-        "namespace": "89449",
+        "namespace": "56172",
         "type": "logs"
     },
     "destination": {
@@ -38,10 +27,10 @@
         "port": 443
     },
     "ecs": {
-        "version": "8.11.0"
+        "version": "8.17.0"
     },
     "elastic_agent": {
-        "id": "d5fe41dd-4f7d-4b58-b383-eb8ba0a48f0c",
+        "id": "b5a8117b-a8b6-4c10-9851-c2e78f0811dc",
         "snapshot": false,
         "version": "8.17.8"
     },
@@ -50,9 +39,19 @@
         "agent_id_status": "verified",
         "dataset": "netskope.alerts_v2",
         "id": "eb8fc9903c2fbb6aa05537ff",
-        "ingested": "2025-07-17T11:04:37Z",
-        "kind": "alert",
-        "original": "{\"_id\":\"eb8fc9903c2fbb6aa05537ff\",\"access_method\":\"Client\",\"account_id\":\"-\",\"account_name\":\"-\",\"acked\":\"false\",\"act_user\":\"-\",\"acting_user\":\"-\",\"action\":\"alert\",\"activity\":\"Edit\",\"alert\":\"yes\",\"alert_id\":\"-\",\"alert_name\":\"Web Access Allow\",\"alert_source\":\"-\",\"alert_type\":\"policy\",\"app\":\"Amazon Systems Manager\",\"app-gdpr-level\":\"-\",\"app_session_id\":\"2241753685910532990\",\"appact\":\"-\",\"appcategory\":\"IT Service/Application Management\",\"appsuite\":\"Amazon\",\"assignee\":\"-\",\"audit_type\":\"-\",\"bcc\":\"-\",\"breach_date\":\"-\",\"breach_id\":\"-\",\"breach_score\":\"-\",\"browser\":\"Native\",\"browser_session_id\":\"4940241048203471891\",\"cc\":\"-\",\"cci\":\"92\",\"ccl\":\"excellent\",\"client_bytes\":\"-\",\"client_packets\":\"-\",\"cloud_provider\":\"-\",\"computer_name\":\"-\",\"conn_duration\":\"-\",\"conn_endtime\":\"-\",\"conn_starttime\":\"-\",\"connection_id\":\"2631086121425559188\",\"connection_type\":\"-\",\"custom_attr\":\"-\",\"destination_file_directory\":\"-\",\"destination_file_name\":\"-\",\"destination_file_path\":\"-\",\"detection_engine\":\"-\",\"device\":\"Windows Device\",\"device_classification\":\"unmanaged\",\"device_sn\":\"-\",\"device_type\":\"-\",\"dinsid\":\"-\",\"dlp_file\":\"-\",\"dlp_fingerprint_classification\":\"-\",\"dlp_fingerprint_match\":\"-\",\"dlp_fingerprint_score\":\"-\",\"dlp_incident_id\":\"-\",\"dlp_is_unique_count\":\"-\",\"dlp_match_info\":\"-\",\"dlp_parent_id\":\"-\",\"dlp_profile\":\"-\",\"dlp_profile_name\":\"-\",\"dlp_rule\":\"-\",\"dlp_rule_count\":\"-\",\"dlp_rule_score\":\"-\",\"dlp_rule_severity\":\"-\",\"dlp_unique_count\":\"-\",\"dns_profile\":\"-\",\"domain\":\"ssm.eu-north-1.amazonaws.com\",\"domain_ip\":\"-\",\"driver\":\"-\",\"dst_country\":\"SE\",\"dst_geoip_src\":\"-\",\"dst_latitude\":\"18.0717|59.328699999999998\",\"dst_location\":\"Stockholm\",\"dst_longitude\":\"18.0717|59.328699999999998\",\"dst_region\":\"Stockholm County\",\"dst_timezone\":\"Europe/Stockholm\",\"dst_zipcode\":\"100 04\",\"dsthost\":\"-\",\"dstip\":\"81.2.69.142\",\"dstport\":\"443\",\"eeml\":\"-\",\"email_from_user\":\"-\",\"email_modified\":\"-\",\"email_title\":\"-\",\"email_user\":\"-\",\"encryption_status\":\"-\",\"end_time\":\"-\",\"event_uuid\":\"-\",\"executable_hash\":\"-\",\"executable_signed\":\"-\",\"file_category\":\"-\",\"file_cls_encrypted\":\"-\",\"file_exposure\":\"-\",\"file_id\":\"-\",\"file_md5\":\"-\",\"file_origin\":\"-\",\"file_owner\":\"-\",\"file_path\":\"-\",\"file_pdl\":\"-\",\"file_size\":\"-\",\"file_type\":\"-\",\"filename\":\"-\",\"filepath\":\"-\",\"fllg\":\"-\",\"flpp\":\"-\",\"from_user\":\"-\",\"hostname\":\"Test-IDMHT6TII\",\"iaas_remediated\":\"-\",\"iaas_remediated_by\":\"-\",\"iaas_remediated_on\":\"-\",\"iaas_remediation_action\":\"-\",\"incident_id\":\"5254981775376249392\",\"inline_dlp_match_info\":\"-\",\"instance\":\"-\",\"instance_id\":\"202533540828\",\"instance_name\":\"-\",\"ip_protocol\":\"-\",\"latest_incident_id\":\"-\",\"loc\":\"-\",\"local_md5\":\"-\",\"local_sha1\":\"-\",\"local_sha256\":\"-\",\"local_source_time\":\"-\",\"location\":\"-\",\"mal_id\":\"-\",\"mal_sev\":\"-\",\"mal_type\":\"-\",\"malware_id\":\"-\",\"malware_severity\":\"-\",\"malware_type\":\"-\",\"managed_app\":\"no\",\"managementID\":\"-\",\"md5\":\"-\",\"message_id\":\"-\",\"mime_type\":\"-\",\"modified_date\":\"-\",\"netskope_pop\":\"SE-STO1\",\"network_session_id\":\"-\",\"nsdeviceuid\":\"-\",\"num_users\":\"-\",\"numbytes\":\"-\",\"oauth\":\"-\",\"object\":\"-\",\"object_id\":\"-\",\"object_type\":\"-\",\"org\":\"-\",\"organization_unit\":\"-\",\"os\":\"Windows 11\",\"os_details\":\"-\",\"os_family\":\"Windows\",\"os_user_name\":\"-\",\"os_version\":\"Windows NT 11.0\",\"owner\":\"-\",\"owner_pdl\":\"-\",\"page\":\"ssm.eu-north-1.amazonaws.com\",\"parent_id\":\"-\",\"pid\":\"-\",\"policy\":\"Web Access Allow\",\"policy_action\":\"-\",\"policy_name\":\"-\",\"policy_name_enforced\":\"-\",\"policy_version\":\"-\",\"pop_id\":\"-\",\"port\":\"443\",\"process_cert_subject\":\"-\",\"process_name\":\"-\",\"process_path\":\"-\",\"product_id\":\"-\",\"publisher_cn\":\"-\",\"record_type\":\"alert\",\"redirect_url\":\"-\",\"referer\":\"-\",\"region_id\":\"-\",\"region_name\":\"-\",\"req\":\"-\",\"req_cnt\":\"-\",\"request_id\":\"5254981775376249392\",\"resource_category\":\"-\",\"resource_group\":\"-\",\"resp\":\"-\",\"resp_cnt\":\"-\",\"response_time\":\"-\",\"risk_level_id\":\"-\",\"risk_score\":\"-\",\"sa_profile_name\":\"-\",\"sa_rule_compliance\":\"-\",\"sa_rule_name\":\"-\",\"sa_rule_severity\":\"-\",\"sanctioned_instance\":\"-\",\"sender\":\"-\",\"server_bytes\":\"-\",\"server_packets\":\"-\",\"serverity\":\"-\",\"session_duration\":\"-\",\"session_number_unique\":\"-\",\"severity\":\"-\",\"severity_id\":\"-\",\"severity_level\":\"-\",\"sha256\":\"-\",\"sharedType\":\"-\",\"shared_credential_user\":\"-\",\"shared_domains\":\"-\",\"shared_with\":\"-\",\"site\":\"Amazon Systems Manager\",\"smtp_status\":\"-\",\"smtp_to\":\"-\",\"spet\":\"-\",\"spst\":\"-\",\"src_country\":\"SE\",\"src_geoip_src\":\"-\",\"src_latitude\":\"18.0717|59.328699999999998\",\"src_location\":\"Stockholm\",\"src_longitude\":\"18.0717|59.328699999999998\",\"src_network\":\"-\",\"src_region\":\"Stockholm County\",\"src_timezone\":\"Europe/Stockholm\",\"src_zipcode\":\"100 04\",\"srcip\":\"81.2.69.142\",\"srcport\":\"-\",\"start_time\":\"-\",\"status\":\"-\",\"subject\":\"-\",\"subtype\":\"-\",\"suppression_count\":\"-\",\"tags\":\"-\",\"telemetry_app\":\"-\",\"thr\":\"-\",\"threat_type\":\"-\",\"timestamp\":\"1747134122\",\"to_user\":\"-\",\"total_packets\":\"-\",\"traffic_type\":\"CloudApp\",\"transaction_id\":\"5254981775376249392\",\"tss_license\":\"-\",\"tss_mode\":\"-\",\"tunnel_id\":\"-\",\"tur\":\"-\",\"two_factor_auth\":\"-\",\"type\":\"nspolicy\",\"unc_path\":\"-\",\"ur_normalized\":\"test@gmail.com\",\"url\":\"ssm.eu-north-1.amazonaws.com/\",\"user\":\"test@gmail.com\",\"user_confidence_index\":\"-\",\"user_confidence_level\":\"-\",\"user_id\":\"-\",\"useragent\":\"aws-sdk-go/1.55.5 (go1.23.7; windows; amd64) amazon-ssm-agent/3.3.2299.0\",\"usergroup\":\"-\",\"userip\":\"81.2.69.142\",\"userkey\":\"test@gmail.com\",\"vendor_id\":\"-\",\"violation\":\"-\",\"watchlist_name\":\"-\",\"web_url\":\"-\"}"
+        "ingested": "2025-09-23T09:58:33Z",
+        "kind": "alert"
+    },
+    "gcs": {
+        "storage": {
+            "bucket": {
+                "name": "testbucket"
+            },
+            "object": {
+                "content_type": "application/x-gzip",
+                "name": "test-alerts-v2.csv.gz"
+            }
+        }
     },
     "host": {
         "domain": "ssm.eu-north-1.amazonaws.com",
@@ -64,13 +63,13 @@
         }
     },
     "input": {
-        "type": "aws-s3"
+        "type": "gcs"
     },
     "log": {
         "file": {
-            "path": "https://elastic-package-netskope-alert-v2-bucket-59128.s3.us-east-1.amazonaws.com/test-alerts-v2.csv.gz"
+            "path": "gs://testbucket/test-alerts-v2.csv.gz"
         },
-        "offset": 4504
+        "offset": 0
     },
     "netskope": {
         "alert_v2": {
@@ -140,8 +139,6 @@
         "ip": "81.2.69.142"
     },
     "tags": [
-        "collect_sqs_logs",
-        "preserve_original_event",
         "forwarded",
         "netskope-alerts"
     ],
diff --git a/packages/netskope/data_stream/events_v2/_dev/deploy/docker/docker-compose.yml b/packages/netskope/data_stream/events_v2/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..14c77ffc677
--- /dev/null
+++ b/packages/netskope/data_stream/events_v2/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,34 @@
+version: "2.3"
+services:
+  azure-blob-storage-emulator:
+    image: mcr.microsoft.com/azure-storage/azurite
+    command: azurite-blob --blobHost 0.0.0.0 --blobPort 10000
+    ports:
+      - "10000/tcp"
+  uploader:
+    image: mcr.microsoft.com/azure-cli
+    depends_on:
+      - azure-blob-storage-emulator
+    volumes:
+      - ./sample_logs:/sample_logs
+    entrypoint: >
+      sh -c "
+        sleep 5 &&
+        export AZURE_STORAGE_CONNECTION_STRING='DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=http://azure-blob-storage-emulator:10000/devstoreaccount1;' &&
+        az storage container create --name test-container &&
+        az storage blob upload --container-name test-container --file /sample_logs/events.csv.gz --name events.csv.gz
+      "
+  gcs-mock-service:
+    image: golang:1.24.7-alpine
+    working_dir: /app
+    volumes:
+      - ./gcs-mock-service:/app
+      - ./files/manifest.yml:/files/manifest.yml:ro
+      - ./sample_logs/:/data
+    ports:
+      - "4443/tcp"
+    healthcheck:
+      test: "wget --no-verbose --tries=1 --spider http://localhost:4443/health || exit 1"
+      interval: 10s
+      timeout: 5s
+    command: go run main.go -manifest /files/manifest.yml
diff --git a/packages/netskope/data_stream/events_v2/_dev/deploy/docker/files/manifest.yml b/packages/netskope/data_stream/events_v2/_dev/deploy/docker/files/manifest.yml
new file mode 100644
index 00000000000..370c9f9c3cb
--- /dev/null
+++ b/packages/netskope/data_stream/events_v2/_dev/deploy/docker/files/manifest.yml
@@ -0,0 +1,5 @@
+buckets:
+  testbucket:
+    files:
+      - path: /data/events.csv.gz
+        content-type: application/x-gzip
diff --git a/packages/netskope/data_stream/events_v2/_dev/deploy/docker/gcs-mock-service/go.mod b/packages/netskope/data_stream/events_v2/_dev/deploy/docker/gcs-mock-service/go.mod
new file mode 100644
index 00000000000..df08767f7e8
--- /dev/null
+++ b/packages/netskope/data_stream/events_v2/_dev/deploy/docker/gcs-mock-service/go.mod
@@ -0,0 +1,5 @@
+module gcs-mock-service
+
+go 1.24.7
+
+require gopkg.in/yaml.v3 v3.0.1
diff --git a/packages/netskope/data_stream/events_v2/_dev/deploy/docker/gcs-mock-service/go.sum b/packages/netskope/data_stream/events_v2/_dev/deploy/docker/gcs-mock-service/go.sum
new file mode 100644
index 00000000000..a62c313c5b0
--- /dev/null
+++ b/packages/netskope/data_stream/events_v2/_dev/deploy/docker/gcs-mock-service/go.sum
@@ -0,0 +1,4 @@
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/packages/netskope/data_stream/events_v2/_dev/deploy/docker/gcs-mock-service/main.go b/packages/netskope/data_stream/events_v2/_dev/deploy/docker/gcs-mock-service/main.go
new file mode 100644
index 00000000000..391e75c7efe
--- /dev/null
+++ b/packages/netskope/data_stream/events_v2/_dev/deploy/docker/gcs-mock-service/main.go
@@ -0,0 +1,297 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package main
+
+import (
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"strconv"
+	"strings"
+
+	"gopkg.in/yaml.v3"
+)
+
+func main() {
+	host := flag.String("host", "0.0.0.0", "host to listen on")
+	port := flag.String("port", "4443", "port to listen on")
+	manifest := flag.String("manifest", "", "path to YAML manifest file for preloading buckets and objects")
+	flag.Parse()
+
+	addr := fmt.Sprintf("%s:%s", *host, *port)
+
+	fmt.Printf("Starting mock GCS server on http://%s\n", addr)
+	if *manifest != "" {
+		m, err := readManifest(*manifest)
+		if err != nil {
+			log.Fatalf("error reading manifest: %v", err)
+		}
+		if err := processManifest(m); err != nil {
+			log.Fatalf("error processing manifest: %v", err)
+		}
+	} else {
+		fmt.Println("Store is empty. Create buckets and objects via API calls.")
+	}
+
+	// setup HTTP handlers
+	mux := http.NewServeMux()
+	// health check
+	mux.HandleFunc("/health", healthHandler)
+	// standard gcs api calls
+	mux.HandleFunc("GET /storage/v1/b/{bucket}/o", handleListObjects)
+	mux.HandleFunc("GET /storage/v1/b/{bucket}/o/{object...}", handleGetObject)
+	mux.HandleFunc("POST /storage/v1/b", handleCreateBucket)
+	mux.HandleFunc("POST /upload/storage/v1/b/{bucket}/o", handleUploadObject)
+	mux.HandleFunc("POST /upload/storage/v1/b/{bucket}/o/{object...}", handleUploadObject)
+	// direct path-style gcs sdk calls
+	mux.HandleFunc("GET /{bucket}/o/{object...}", handleGetObject)
+	mux.HandleFunc("GET /{bucket}/{object...}", handleGetObject)
+	// debug: log all requests
+	loggedMux := loggingMiddleware(mux)
+
+	if err := http.ListenAndServe(addr, loggedMux); err != nil {
+		log.Fatalf("failed to start server: %v", err)
+	}
+}
+
+// loggingMiddleware logs incoming HTTP requests.
+func loggingMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Printf("%s %s\n", r.Method, r.URL.Path)
+		next.ServeHTTP(w, r)
+	})
+}
+
+// readManifest reads and parses the YAML manifest file.
+func readManifest(path string) (*Manifest, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read manifest: %w", err)
+	}
+
+	var manifest Manifest
+	if err := yaml.Unmarshal(data, &manifest); err != nil {
+		return nil, fmt.Errorf("failed to parse manifest: %w", err)
+	}
+
+	return &manifest, nil
+}
+
+// processManifest creates buckets and uploads objects as specified in the manifest.
+func processManifest(manifest *Manifest) error {
+	for bucketName, bucket := range manifest.Buckets {
+		for _, file := range bucket.Files {
+			fmt.Printf("preloading data for bucket: %s | path: %s | content-type: %s...\n",
+				bucketName, file.Path, file.ContentType)
+
+			if err := createBucket(bucketName); err != nil {
+				return fmt.Errorf("failed to create bucket '%s': %w", bucketName, err)
+			}
+			data, err := os.ReadFile(file.Path)
+			if err != nil {
+				return fmt.Errorf("failed to read bucket data file '%s': %w", file.Path, err)
+			}
+			pathParts := strings.Split(file.Path, "/")
+			if _, err := uploadObject(bucketName, pathParts[len(pathParts)-1], data, file.ContentType); err != nil {
+				return fmt.Errorf("failed to create object '%s' in bucket '%s': %w", file.Path, bucketName, err)
+			}
+		}
+	}
+	return nil
+}
+
+// healthHandler responds with a simple "OK" message for health checks.
+func healthHandler(w http.ResponseWriter, r *http.Request) {
+	w.WriteHeader(http.StatusOK)
+	fmt.Fprint(w, "OK")
+}
+
+// handleListObjects lists all objects in the specified bucket.
+func handleListObjects(w http.ResponseWriter, r *http.Request) {
+	bucketName := r.PathValue("bucket")
+
+	if bucket, ok := inMemoryStore[bucketName]; ok {
+		response := GCSListResponse{
+			Kind:  "storage#objects",
+			Items: []GCSObject{},
+		}
+		for name, object := range bucket {
+			item := GCSObject{
+				Kind:        "storage#object",
+				Name:        name,
+				Bucket:      bucketName,
+				Size:        strconv.Itoa(len(object.Data)),
+				ContentType: object.ContentType,
+			}
+			response.Items = append(response.Items, item)
+		}
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(response)
+		return
+	}
+	http.Error(w, "not found", http.StatusNotFound)
+}
+
+// handleGetObject retrieves a specific object from a bucket.
+func handleGetObject(w http.ResponseWriter, r *http.Request) {
+	bucketName := r.PathValue("bucket")
+	objectName := r.PathValue("object")
+
+	if bucketName == "" || objectName == "" {
+		http.Error(w, "not found: invalid URL format", http.StatusNotFound)
+		return
+	}
+
+	if bucket, ok := inMemoryStore[bucketName]; ok {
+		if object, ok := bucket[objectName]; ok {
+			w.Header().Set("Content-Type", object.ContentType)
+			w.Write(object.Data)
+			return
+		}
+	}
+	http.Error(w, "not found", http.StatusNotFound)
+}
+
+// handleCreateBucket creates a new bucket.
+func handleCreateBucket(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.NotFound(w, r)
+		return
+	}
+
+	var bucketInfo struct {
+		Name string `json:"name"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&bucketInfo); err != nil {
+		http.Error(w, "invalid JSON body", http.StatusBadRequest)
+		return
+	}
+	if bucketInfo.Name == "" {
+		http.Error(w, "bucket name is required", http.StatusBadRequest)
+		return
+	}
+
+	if err := createBucket(bucketInfo.Name); err != nil {
+		http.Error(w, err.Error(), http.StatusConflict)
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+	json.NewEncoder(w).Encode(bucketInfo)
+}
+
+// handleUploadObject uploads an object to a specified bucket.
+func handleUploadObject(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.NotFound(w, r)
+		return
+	}
+
+	bucketName := r.PathValue("bucket")
+	objectName := r.URL.Query().Get("name")
+	if objectName == "" {
+		objectName = r.PathValue("object")
+	}
+
+	if bucketName == "" || objectName == "" {
+		http.Error(w, "missing bucket or object name", http.StatusBadRequest)
+		return
+	}
+
+	data, err := io.ReadAll(r.Body)
+	if err != nil {
+		http.Error(w, "failed to read request body", http.StatusInternalServerError)
+		return
+	}
+	defer r.Body.Close()
+
+	contentType := r.Header.Get("Content-Type")
+	if contentType == "" {
+		contentType = "application/octet-stream"
+	}
+
+	response, err := uploadObject(bucketName, objectName, data, contentType)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusNotFound)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(response)
+}
+
+func createBucket(bucketName string) error {
+	if _, exists := inMemoryStore[bucketName]; exists {
+		return fmt.Errorf("bucket already exists")
+	}
+	inMemoryStore[bucketName] = make(map[string]ObjectData)
+	log.Printf("created bucket: %s", bucketName)
+	return nil
+}
+
+func uploadObject(bucketName, objectName string, data []byte, contentType string) (*GCSObject, error) {
+	if _, ok := inMemoryStore[bucketName]; !ok {
+		return nil, fmt.Errorf("bucket not found")
+	}
+
+	inMemoryStore[bucketName][objectName] = ObjectData{
+		Data:        data,
+		ContentType: contentType,
+	}
+	log.Printf("created object '%s' in bucket '%s' with Content-Type '%s'",
+		objectName, bucketName, contentType)
+
+	return &GCSObject{
+		Kind:        "storage#object",
+		Name:        objectName,
+		Bucket:      bucketName,
+		Size:        strconv.Itoa(len(data)),
+		ContentType: contentType,
+	}, nil
+}
+
+// The in-memory store to hold ObjectData structs.
+var inMemoryStore = make(map[string]map[string]ObjectData)
+
+// ObjectData stores the raw data and its content type.
+type ObjectData struct {
+	Data        []byte
+	ContentType string
+}
+
+// GCSListResponse mimics the structure of a real GCS object list response.
+type GCSListResponse struct {
+	Kind  string      `json:"kind"`
+	Items []GCSObject `json:"items"`
+}
+
+// GCSObject mimics the structure of a GCS object resource with ContentType.
+type GCSObject struct {
+	Kind        string `json:"kind"`
+	Name        string `json:"name"`
+	Bucket      string `json:"bucket"`
+	Size        string `json:"size"`
+	ContentType string `json:"contentType"`
+}
+
+// Manifest represents the top-level structure of the YAML file
+type Manifest struct {
+	Buckets map[string]Bucket `yaml:"buckets"`
+}
+
+// Bucket represents each bucket and its files
+type Bucket struct {
+	Files []File `yaml:"files"`
+}
+
+// File represents each file entry inside a bucket
+type File struct {
+	Path        string `yaml:"path"`
+	ContentType string `yaml:"content-type"`
+}
diff --git a/packages/netskope/data_stream/events_v2/_dev/deploy/docker/sample_logs/events.csv.gz b/packages/netskope/data_stream/events_v2/_dev/deploy/docker/sample_logs/events.csv.gz
new file mode 100644
index 00000000000..9e796c8db34
Binary files /dev/null and b/packages/netskope/data_stream/events_v2/_dev/deploy/docker/sample_logs/events.csv.gz differ
diff --git a/packages/netskope/data_stream/events_v2/_dev/deploy/tf/env.yml b/packages/netskope/data_stream/events_v2/_dev/deploy/tf/env.yml
index aee5f1c5900..dcef36e04dc 100644
--- a/packages/netskope/data_stream/events_v2/_dev/deploy/tf/env.yml
+++ b/packages/netskope/data_stream/events_v2/_dev/deploy/tf/env.yml
@@ -2,6 +2,10 @@ version: '2.3'
 services:
   terraform:
     environment:
+      - GOOGLE_CLOUD_KEYFILE_JSON=${GOOGLE_CLOUD_KEYFILE_JSON}
+      - GCLOUD_PROJECT=${GCLOUD_PROJECT}
+      - GOOGLE_REGION=${GOOGLE_REGION:-US}
+      - TF_VAR_BUCKET_REGION=${GOOGLE_REGION:-US}
       - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
       - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
       - AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
diff --git a/packages/netskope/data_stream/events_v2/_dev/deploy/tf/main.tf b/packages/netskope/data_stream/events_v2/_dev/deploy/tf/main.tf
index eb80e941a15..939d1b476ba 100644
--- a/packages/netskope/data_stream/events_v2/_dev/deploy/tf/main.tf
+++ b/packages/netskope/data_stream/events_v2/_dev/deploy/tf/main.tf
@@ -2,20 +2,20 @@ provider "aws" {
   region = "us-east-1"
   default_tags {
     tags = {
-      environment  = var.ENVIRONMENT
-      repo         = var.REPO
-      branch       = var.BRANCH
-      build        = var.BUILD_ID
-      created_date = var.CREATED_DATE
+      aws_environment  = var.ENVIRONMENT
+      aws_repo         = var.REPO
+      aws_branch       = var.BRANCH
+      aws_build        = var.BUILD_ID
+      aws_created_date = var.CREATED_DATE
     }
   }
 }
 
-resource "aws_s3_bucket" "bucket" {
+resource "aws_s3_bucket" "aws_bucket" {
   bucket = "elastic-package-netskope-bucket-${var.TEST_RUN_ID}"
 }
 
-resource "aws_sqs_queue" "queue" {
+resource "aws_sqs_queue" "aws_queue" {
   name       = "elastic-package-netskope-queue-${var.TEST_RUN_ID}"
   policy     = <<POLICY
 {
@@ -27,7 +27,7 @@ resource "aws_sqs_queue" "queue" {
       "Action": "sqs:SendMessage",
       "Resource": "arn:aws:sqs:*:*:elastic-package-netskope-queue-${var.TEST_RUN_ID}",
       "Condition": {
-        "ArnEquals": { "aws:SourceArn": "${aws_s3_bucket.bucket.arn}" }
+        "ArnEquals": { "aws:SourceArn": "${aws_s3_bucket.aws_bucket.arn}" }
       }
     }
   ]
@@ -35,25 +35,25 @@ resource "aws_sqs_queue" "queue" {
 POLICY
 }
 
-resource "aws_s3_bucket_notification" "bucket_notification" {
-  bucket = aws_s3_bucket.bucket.id
+resource "aws_s3_bucket_notification" "aws_bucket_notification" {
+  bucket = aws_s3_bucket.aws_bucket.id
 
   queue {
-    queue_arn = aws_sqs_queue.queue.arn
+    queue_arn = aws_sqs_queue.aws_queue.arn
     events    = ["s3:ObjectCreated:*"]
   }
 }
 
-resource "aws_s3_object" "object" {
-  bucket = aws_s3_bucket.bucket.id
-  key    = "events.csv.gz"
+resource "aws_s3_object" "aws_object" {
+  bucket = aws_s3_bucket.aws_bucket.id
+  key    = "event.csv.gz"
   content_base64   = base64gzip(file("./files/events.csv"))
   content_encoding = "gzip"
   content_type     = "text/csv"
 
-  depends_on = [aws_sqs_queue.queue]
+  depends_on = [aws_sqs_queue.aws_queue]
 }
 
-output "queue_url" {
-  value = aws_sqs_queue.queue.url
+output "aws_queue_url" {
+  value = aws_sqs_queue.aws_queue.url
 }
diff --git a/packages/netskope/data_stream/events_v2/_dev/deploy/tf/variables.tf b/packages/netskope/data_stream/events_v2/_dev/deploy/tf/variables.tf
index 32d90dee649..c0b63c08733 100644
--- a/packages/netskope/data_stream/events_v2/_dev/deploy/tf/variables.tf
+++ b/packages/netskope/data_stream/events_v2/_dev/deploy/tf/variables.tf
@@ -1,16 +1,20 @@
+variable "TEST_RUN_ID" {
+  default = "detached"
+}
+
 variable "BRANCH" {
   description = "Branch name or pull request for tagging purposes"
-  default     = "unknown-branch"
+  default = "unknown-branch"
 }
 
 variable "BUILD_ID" {
   description = "Build ID in the CI for tagging purposes"
-  default     = "unknown-build"
+  default = "unknown-build"
 }
 
 variable "CREATED_DATE" {
   description = "Creation date in epoch time for tagging purposes"
-  default     = "unknown-date"
+  default = "unknown-date"
 }
 
 variable "ENVIRONMENT" {
@@ -18,9 +22,5 @@ variable "ENVIRONMENT" {
 }
 
 variable "REPO" {
-  default = "unknown-repo-name"
-}
-
-variable "TEST_RUN_ID" {
-  default = "detached"
+  default = "unknown-repo"
 }
diff --git a/packages/netskope/data_stream/events_v2/_dev/test/system/test-aws-s3-config.yml b/packages/netskope/data_stream/events_v2/_dev/test/system/test-aws-s3-config.yml
index a28d767c0f2..554280ba8d1 100644
--- a/packages/netskope/data_stream/events_v2/_dev/test/system/test-aws-s3-config.yml
+++ b/packages/netskope/data_stream/events_v2/_dev/test/system/test-aws-s3-config.yml
@@ -1,3 +1,4 @@
+deployer: tf
 input: aws-s3
 wait_for_data_timeout: 20m
 vars:
@@ -6,7 +7,7 @@ vars:
   session_token: "{{AWS_SESSION_TOKEN}}"
 data_stream:
   vars:
-    queue_url: "{{TF_OUTPUT_queue_url}}"
+    queue_url: "{{TF_OUTPUT_aws_queue_url}}"
     preserve_original_event: true
     csv_comma: ","
 assert:
diff --git a/packages/netskope/data_stream/events_v2/_dev/test/system/test-azure-config.yml b/packages/netskope/data_stream/events_v2/_dev/test/system/test-azure-config.yml
new file mode 100644
index 00000000000..3ade5024958
--- /dev/null
+++ b/packages/netskope/data_stream/events_v2/_dev/test/system/test-azure-config.yml
@@ -0,0 +1,17 @@
+deployer: docker
+service: azure-blob-storage-emulator
+input: azure-blob-storage
+vars:
+data_stream:
+  vars:
+    csv_comma: ","
+    account_name: devstoreaccount1
+    service_account_key: "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="
+    storage_url: "http://{{Hostname}}:{{Port}}/devstoreaccount1/"
+    containers: |
+      - name: test-container
+        max_workers: 3
+        poll: true
+        poll_interval: 15s
+assert:
+  hit_count: 3
diff --git a/packages/netskope/data_stream/events_v2/_dev/test/system/test-gcs-config.yml b/packages/netskope/data_stream/events_v2/_dev/test/system/test-gcs-config.yml
new file mode 100644
index 00000000000..9bf77fb78c4
--- /dev/null
+++ b/packages/netskope/data_stream/events_v2/_dev/test/system/test-gcs-config.yml
@@ -0,0 +1,17 @@
+deployer: docker
+service: gcs-mock-service
+input: gcs
+vars:
+data_stream:
+  vars:
+    csv_comma: ","
+    project_id: fake-gcs-project
+    alternative_host: "http://{{Hostname}}:{{Port}}"
+    number_of_workers: 1
+    poll: true
+    poll_interval: 15s
+    service_account_key: "{\"type\":\"service_account\",\"project_id\":\"fake-gcs-project\"}"
+    buckets: |
+      - name: testbucket
+assert:
+  hit_count: 3
diff --git a/packages/netskope/data_stream/events_v2/agent/stream/gcs.yml.hbs b/packages/netskope/data_stream/events_v2/agent/stream/gcs.yml.hbs
index 049e81f9b7a..b76d6f10d93 100644
--- a/packages/netskope/data_stream/events_v2/agent/stream/gcs.yml.hbs
+++ b/packages/netskope/data_stream/events_v2/agent/stream/gcs.yml.hbs
@@ -1,6 +1,9 @@
 {{#if project_id}}
 project_id: {{project_id}}
 {{/if}}
+{{#if alternative_host}}
+alternative_host: {{alternative_host}}
+{{/if}}
 {{#if service_account_key}}
 auth.credentials_json.account_key: {{service_account_key}}
 {{/if}}
diff --git a/packages/netskope/data_stream/events_v2/elasticsearch/ingest_pipeline/default.yml b/packages/netskope/data_stream/events_v2/elasticsearch/ingest_pipeline/default.yml
index 4a2ffb809e5..9ce31f7f87b 100644
--- a/packages/netskope/data_stream/events_v2/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/netskope/data_stream/events_v2/elasticsearch/ingest_pipeline/default.yml
@@ -64,6 +64,12 @@ processors:
       tag: set_event_id_from_events_v2__id
       copy_from: netskope.events_v2._id
       ignore_empty_value: true
+  - fingerprint:
+      fields:
+        - netskope.events_v2._id
+      tag: fingerprint__id
+      target_field: _id
+      ignore_missing: true
   - append:
       field: related.user
       tag: append_events_v2_acting_user_into_related_user
diff --git a/packages/netskope/data_stream/events_v2/fields/beats.yml b/packages/netskope/data_stream/events_v2/fields/beats.yml
index d9b1cd412fa..09041def28c 100644
--- a/packages/netskope/data_stream/events_v2/fields/beats.yml
+++ b/packages/netskope/data_stream/events_v2/fields/beats.yml
@@ -22,3 +22,57 @@
         - name: key
           type: keyword
           description: The AWS S3 Object key.
+- name: gcs.storage
+  type: group
+  fields:
+    - name: bucket.name
+      type: keyword
+      description: The name of the Google Cloud Storage Bucket.
+    - name: object.json_data
+      type: keyword
+      description: When parse_json is true, the resulting JSON data is stored in this field.
+    - name: object.name
+      type: keyword
+      description: The content type of the Google Cloud Storage object.
+    - name: object.content_type
+      type: keyword
+      description: The content type of the Google Cloud Storage object.
+- name: azure
+  type: group
+  fields:
+    - name: resource
+      type: group
+      fields:
+        - name: group
+          type: keyword
+          description: Resource group.
+        - name: id
+          type: keyword
+          description: Resource ID.
+        - name: name
+          type: keyword
+          description: Name.
+        - name: provider
+          type: keyword
+          description: Resource type/namespace.
+    - name: storage
+      type: group
+      fields:
+        - name: blob
+          type: group
+          fields:
+            - name: content_type
+              type: keyword
+              description: The content type of the Azure Blob Storage blob object.
+            - name: name
+              type: keyword
+              description: The name of the Azure Blob Storage blob object.
+        - name: container
+          type: group
+          fields:
+            - name: name
+              type: keyword
+              description: The name of the Azure Blob Storage container.
+    - name: subscription_id
+      type: keyword
+      description: Azure subscription ID.
diff --git a/packages/netskope/data_stream/events_v2/manifest.yml b/packages/netskope/data_stream/events_v2/manifest.yml
index 4a767e47442..7797dc4e7bb 100644
--- a/packages/netskope/data_stream/events_v2/manifest.yml
+++ b/packages/netskope/data_stream/events_v2/manifest.yml
@@ -110,6 +110,13 @@ streams:
         show_user: false
         default: " "
         description: The field separator character used by the CSV format.
+      - name: alternative_host
+        type: text
+        title: Alternative Host
+        description: Used to override the default host for the storage client (default is storage.googleapis.com)
+        required: false
+        multi: false
+        show_user: false
       - name: preserve_original_event
         required: false
         show_user: true
diff --git a/packages/netskope/data_stream/events_v2/sample_event.json b/packages/netskope/data_stream/events_v2/sample_event.json
index bc799f64440..669648aaac6 100644
--- a/packages/netskope/data_stream/events_v2/sample_event.json
+++ b/packages/netskope/data_stream/events_v2/sample_event.json
@@ -1,32 +1,21 @@
 {
     "@timestamp": "2025-05-13T10:43:50.000Z",
     "agent": {
-        "ephemeral_id": "04b261d7-d51e-485c-aed5-039119a22e80",
-        "id": "e8f06fce-767e-4024-bea3-813ec054f48d",
-        "name": "elastic-agent-69616",
+        "ephemeral_id": "5c0fb0eb-b857-458d-9516-97c8da1880bf",
+        "id": "c8fbd043-b163-4ee2-9287-ef96a5ce1bfe",
+        "name": "elastic-agent-83393",
         "type": "filebeat",
         "version": "8.17.8"
     },
-    "aws": {
-        "s3": {
-            "bucket": {
-                "arn": "arn:aws:s3:::elastic-package-netskope-bucket-91880",
-                "name": "elastic-package-netskope-bucket-91880"
-            },
-            "object": {
-                "key": "events.csv.gz"
-            }
-        }
-    },
     "client": {
         "bytes": 961033
     },
     "cloud": {
-        "region": "us-east-1"
+        "provider": "google cloud"
     },
     "data_stream": {
         "dataset": "netskope.events_v2",
-        "namespace": "42670",
+        "namespace": "33466",
         "type": "logs"
     },
     "destination": {
@@ -41,10 +30,10 @@
         "port": 443
     },
     "ecs": {
-        "version": "8.11.0"
+        "version": "8.17.0"
     },
     "elastic_agent": {
-        "id": "e8f06fce-767e-4024-bea3-813ec054f48d",
+        "id": "c8fbd043-b163-4ee2-9287-ef96a5ce1bfe",
         "snapshot": false,
         "version": "8.17.8"
     },
@@ -52,14 +41,24 @@
         "agent_id_status": "verified",
         "dataset": "netskope.events_v2",
         "id": "c96659f7292a31d76576becd",
-        "ingested": "2025-07-18T10:39:59Z",
+        "ingested": "2025-09-23T10:04:36Z",
         "kind": "event",
-        "original": "{\"_id\":\"c96659f7292a31d76576becd\",\"access_method\":\"Client\",\"account_id\":\"-\",\"account_name\":\"-\",\"acked\":\"-\",\"act_user\":\"-\",\"acting_user\":\"-\",\"action\":\"-\",\"activity\":\"-\",\"alert\":\"-\",\"alert_id\":\"-\",\"alert_name\":\"-\",\"alert_source\":\"-\",\"alert_type\":\"-\",\"app\":\"Google Gmail\",\"app-gdpr-level\":\"-\",\"app_session_id\":\"438388819325815355\",\"appact\":\"-\",\"appcategory\":\"Webmail\",\"appsuite\":\"-\",\"assignee\":\"-\",\"audit_type\":\"-\",\"bcc\":\"-\",\"breach_date\":\"-\",\"breach_id\":\"-\",\"breach_score\":\"-\",\"browser\":\"Chrome\",\"browser_session_id\":\"5006467906912901882\",\"cc\":\"-\",\"cci\":\"86\",\"ccl\":\"high\",\"client_bytes\":\"961033\",\"client_packets\":\"-\",\"cloud_provider\":\"-\",\"computer_name\":\"-\",\"conn_duration\":\"986\",\"conn_endtime\":\"1747134016\",\"conn_starttime\":\"1747133030\",\"connection_id\":\"8335488044687090606\",\"connection_type\":\"-\",\"custom_attr\":\"-\",\"destination_file_directory\":\"-\",\"destination_file_name\":\"-\",\"destination_file_path\":\"-\",\"detection_engine\":\"-\",\"device\":\"Windows Device\",\"device_classification\":\"-\",\"device_sn\":\"-\",\"device_type\":\"-\",\"dinsid\":\"-\",\"dlp_file\":\"-\",\"dlp_fingerprint_classification\":\"-\",\"dlp_fingerprint_match\":\"-\",\"dlp_fingerprint_score\":\"-\",\"dlp_incident_id\":\"-\",\"dlp_is_unique_count\":\"-\",\"dlp_match_info\":\"-\",\"dlp_parent_id\":\"-\",\"dlp_profile\":\"-\",\"dlp_profile_name\":\"-\",\"dlp_rule\":\"-\",\"dlp_rule_count\":\"-\",\"dlp_rule_score\":\"-\",\"dlp_rule_severity\":\"-\",\"dlp_unique_count\":\"-\",\"dns_profile\":\"-\",\"domain\":\"mail.google.com\",\"domain_ip\":\"-\",\"driver\":\"-\",\"dst_country\":\"IN\",\"dst_geoip_src\":\"-\",\"dst_latitude\":\"80.278480529785156|13.087898254394531\",\"dst_location\":\"Chennai\",\"dst_longitude\":\"80.278480529785156|13.087898254394531\",\"dst_region\":\"Tamil Nadu\",\"dst_timezone\":\"Asia/Kolkata\",\"dst_zipcode\":\"N/A\",\"dsthost\":\"-\",\"dstip\":\"142.250.77.133\",\"dstport\":\"443\",\"eeml\":\"-\",\"email_from_user\":\"-\",\"email_modified\":\"-\",\"email_title\":\"-\",\"email_user\":\"-\",\"encryption_status\":\"-\",\"end_time\":\"-\",\"event_uuid\":\"-\",\"executable_hash\":\"-\",\"executable_signed\":\"-\",\"file_category\":\"-\",\"file_cls_encrypted\":\"-\",\"file_exposure\":\"-\",\"file_id\":\"-\",\"file_md5\":\"-\",\"file_origin\":\"-\",\"file_owner\":\"-\",\"file_path\":\"-\",\"file_pdl\":\"-\",\"file_size\":\"-\",\"file_type\":\"-\",\"filename\":\"-\",\"filepath\":\"-\",\"fllg\":\"-\",\"flpp\":\"-\",\"from_user\":\"-\",\"hostname\":\"Test\",\"iaas_remediated\":\"-\",\"iaas_remediated_by\":\"-\",\"iaas_remediated_on\":\"-\",\"iaas_remediation_action\":\"-\",\"incident_id\":\"-\",\"inline_dlp_match_info\":\"-\",\"instance\":\"-\",\"instance_id\":\"-\",\"instance_name\":\"-\",\"ip_protocol\":\"-\",\"latest_incident_id\":\"-\",\"loc\":\"-\",\"local_md5\":\"-\",\"local_sha1\":\"-\",\"local_sha256\":\"-\",\"local_source_time\":\"-\",\"location\":\"-\",\"mal_id\":\"-\",\"mal_sev\":\"-\",\"mal_type\":\"-\",\"malware_id\":\"-\",\"malware_severity\":\"-\",\"malware_type\":\"-\",\"managed_app\":\"-\",\"managementID\":\"-\",\"md5\":\"-\",\"message_id\":\"-\",\"mime_type\":\"-\",\"modified_date\":\"-\",\"netskope_pop\":\"IN-MAA2\",\"network_session_id\":\"-\",\"nsdeviceuid\":\"-\",\"num_users\":\"-\",\"numbytes\":\"1348230\",\"oauth\":\"-\",\"object\":\"-\",\"object_id\":\"-\",\"object_type\":\"-\",\"org\":\"-\",\"organization_unit\":\"-\",\"os\":\"Windows 11\",\"os_details\":\"-\",\"os_family\":\"Windows\",\"os_user_name\":\"-\",\"os_version\":\"Windows NT 11.0\",\"owner\":\"-\",\"owner_pdl\":\"-\",\"page\":\"mail.google.com\",\"parent_id\":\"-\",\"pid\":\"-\",\"policy\":\"-\",\"policy_action\":\"-\",\"policy_name\":\"-\",\"policy_name_enforced\":\"-\",\"policy_version\":\"-\",\"pop_id\":\"-\",\"port\":\"-\",\"process_cert_subject\":\"-\",\"process_name\":\"-\",\"process_path\":\"-\",\"product_id\":\"-\",\"publisher_cn\":\"-\",\"record_type\":\"page\",\"redirect_url\":\"-\",\"referer\":\"-\",\"region_id\":\"-\",\"region_name\":\"-\",\"req\":\"-\",\"req_cnt\":\"173\",\"request_id\":\"-\",\"resource_category\":\"-\",\"resource_group\":\"-\",\"resp\":\"-\",\"resp_cnt\":\"173\",\"response_time\":\"-\",\"risk_level_id\":\"-\",\"risk_score\":\"-\",\"sa_profile_name\":\"-\",\"sa_rule_compliance\":\"-\",\"sa_rule_name\":\"-\",\"sa_rule_severity\":\"-\",\"sanctioned_instance\":\"-\",\"sender\":\"-\",\"server_bytes\":\"387197\",\"server_packets\":\"-\",\"serverity\":\"-\",\"session_duration\":\"-\",\"session_number_unique\":\"-\",\"severity\":\"-\",\"severity_id\":\"-\",\"severity_level\":\"-\",\"sha256\":\"-\",\"sharedType\":\"-\",\"shared_credential_user\":\"-\",\"shared_domains\":\"-\",\"shared_with\":\"-\",\"site\":\"Google Gmail\",\"smtp_status\":\"-\",\"smtp_to\":\"-\",\"spet\":\"-\",\"spst\":\"-\",\"src_country\":\"IN\",\"src_geoip_src\":\"-\",\"src_latitude\":\"77.590999999999994|12.975300000000001\",\"src_location\":\"Bengaluru\",\"src_longitude\":\"77.590999999999994|12.975300000000001\",\"src_network\":\"-\",\"src_region\":\"Karnataka\",\"src_timezone\":\"Asia/Kolkata\",\"src_zipcode\":\"562130\",\"srcip\":\"175.16.199.0\",\"srcport\":\"-\",\"start_time\":\"-\",\"status\":\"-\",\"subject\":\"-\",\"subtype\":\"-\",\"suppression_count\":\"-\",\"tags\":\"-\",\"telemetry_app\":\"-\",\"thr\":\"-\",\"threat_type\":\"-\",\"timestamp\":\"1747133030\",\"to_user\":\"-\",\"total_packets\":\"-\",\"traffic_type\":\"CloudApp\",\"transaction_id\":\"-\",\"tss_license\":\"-\",\"tss_mode\":\"-\",\"tunnel_id\":\"-\",\"tur\":\"-\",\"two_factor_auth\":\"-\",\"type\":\"connection\",\"unc_path\":\"-\",\"ur_normalized\":\"test@gmail.com\",\"url\":\"mail.google.com\",\"user\":\"test@gmail.com\",\"user_confidence_index\":\"-\",\"user_confidence_level\":\"-\",\"user_id\":\"-\",\"useragent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36\",\"usergroup\":\"-\",\"userip\":\"192.168.1.11\",\"userkey\":\"test@gmail.com\",\"vendor_id\":\"-\",\"violation\":\"-\",\"watchlist_name\":\"-\",\"web_url\":\"-\"}",
         "outcome": "unknown",
         "type": [
             "info"
         ]
     },
+    "gcs": {
+        "storage": {
+            "bucket": {
+                "name": "testbucket"
+            },
+            "object": {
+                "content_type": "application/x-gzip",
+                "name": "events.csv.gz"
+            }
+        }
+    },
     "host": {
         "name": "Test",
         "os": {
@@ -69,13 +68,13 @@
         }
     },
     "input": {
-        "type": "aws-s3"
+        "type": "gcs"
     },
     "log": {
         "file": {
-            "path": "https://elastic-package-netskope-bucket-91880.s3.us-east-1.amazonaws.com/events.csv.gz"
+            "path": "gs://testbucket/events.csv.gz"
         },
-        "offset": 3962
+        "offset": 0
     },
     "netskope": {
         "events_v2": {
@@ -147,8 +146,6 @@
         "ip": "175.16.199.0"
     },
     "tags": [
-        "collect_sqs_logs",
-        "preserve_original_event",
         "forwarded",
         "netskope-event"
     ],
diff --git a/packages/netskope/docs/README.md b/packages/netskope/docs/README.md
index a66a9e93569..ae48a9986ae 100644
--- a/packages/netskope/docs/README.md
+++ b/packages/netskope/docs/README.md
@@ -811,11 +811,23 @@ An example event for `alerts` looks as following:
 | aws.s3.bucket.arn | The AWS S3 bucket ARN. | keyword |
 | aws.s3.bucket.name | The AWS S3 bucket name. | keyword |
 | aws.s3.object.key | The AWS S3 Object key. | keyword |
+| azure.resource.group | Resource group. | keyword |
+| azure.resource.id | Resource ID. | keyword |
+| azure.resource.name | Name. | keyword |
+| azure.resource.provider | Resource type/namespace. | keyword |
+| azure.storage.blob.content_type | The content type of the Azure Blob Storage blob object. | keyword |
+| azure.storage.blob.name | The name of the Azure Blob Storage blob object. | keyword |
+| azure.storage.container.name | The name of the Azure Blob Storage container. | keyword |
+| azure.subscription_id | Azure subscription ID. | keyword |
 | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions:   \* Must not contain `-`   \* No longer than 100 characters | constant_keyword |
 | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions:   \* Must not contain `-`   \* No longer than 100 characters | constant_keyword |
 | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
 | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
+| gcs.storage.bucket.name | The name of the Google Cloud Storage Bucket. | keyword |
+| gcs.storage.object.content_type | The content type of the Google Cloud Storage object. | keyword |
+| gcs.storage.object.json_data | When parse_json is true, the resulting JSON data is stored in this field. | keyword |
+| gcs.storage.object.name | The content type of the Google Cloud Storage object. | keyword |
 | input.type | Type of Filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | netskope.alert_v2._id | Unique id - hexadecimal string. | keyword |
@@ -1054,29 +1066,18 @@ An example event for `alerts_v2` looks as following:
 {
     "@timestamp": "2025-05-13T11:02:02.000Z",
     "agent": {
-        "ephemeral_id": "1caa7082-bf2e-4fc9-bdac-3673d20f986f",
-        "id": "d5fe41dd-4f7d-4b58-b383-eb8ba0a48f0c",
-        "name": "elastic-agent-55769",
+        "ephemeral_id": "a72b72ab-a3da-42ca-98fa-61359fb7eee5",
+        "id": "b5a8117b-a8b6-4c10-9851-c2e78f0811dc",
+        "name": "elastic-agent-77576",
         "type": "filebeat",
         "version": "8.17.8"
     },
-    "aws": {
-        "s3": {
-            "bucket": {
-                "arn": "arn:aws:s3:::elastic-package-netskope-alert-v2-bucket-59128",
-                "name": "elastic-package-netskope-alert-v2-bucket-59128"
-            },
-            "object": {
-                "key": "test-alerts-v2.csv.gz"
-            }
-        }
-    },
     "cloud": {
-        "region": "us-east-1"
+        "provider": "google cloud"
     },
     "data_stream": {
         "dataset": "netskope.alerts_v2",
-        "namespace": "89449",
+        "namespace": "56172",
         "type": "logs"
     },
     "destination": {
@@ -1091,10 +1092,10 @@ An example event for `alerts_v2` looks as following:
         "port": 443
     },
     "ecs": {
-        "version": "8.11.0"
+        "version": "8.17.0"
     },
     "elastic_agent": {
-        "id": "d5fe41dd-4f7d-4b58-b383-eb8ba0a48f0c",
+        "id": "b5a8117b-a8b6-4c10-9851-c2e78f0811dc",
         "snapshot": false,
         "version": "8.17.8"
     },
@@ -1103,9 +1104,19 @@ An example event for `alerts_v2` looks as following:
         "agent_id_status": "verified",
         "dataset": "netskope.alerts_v2",
         "id": "eb8fc9903c2fbb6aa05537ff",
-        "ingested": "2025-07-17T11:04:37Z",
-        "kind": "alert",
-        "original": "{\"_id\":\"eb8fc9903c2fbb6aa05537ff\",\"access_method\":\"Client\",\"account_id\":\"-\",\"account_name\":\"-\",\"acked\":\"false\",\"act_user\":\"-\",\"acting_user\":\"-\",\"action\":\"alert\",\"activity\":\"Edit\",\"alert\":\"yes\",\"alert_id\":\"-\",\"alert_name\":\"Web Access Allow\",\"alert_source\":\"-\",\"alert_type\":\"policy\",\"app\":\"Amazon Systems Manager\",\"app-gdpr-level\":\"-\",\"app_session_id\":\"2241753685910532990\",\"appact\":\"-\",\"appcategory\":\"IT Service/Application Management\",\"appsuite\":\"Amazon\",\"assignee\":\"-\",\"audit_type\":\"-\",\"bcc\":\"-\",\"breach_date\":\"-\",\"breach_id\":\"-\",\"breach_score\":\"-\",\"browser\":\"Native\",\"browser_session_id\":\"4940241048203471891\",\"cc\":\"-\",\"cci\":\"92\",\"ccl\":\"excellent\",\"client_bytes\":\"-\",\"client_packets\":\"-\",\"cloud_provider\":\"-\",\"computer_name\":\"-\",\"conn_duration\":\"-\",\"conn_endtime\":\"-\",\"conn_starttime\":\"-\",\"connection_id\":\"2631086121425559188\",\"connection_type\":\"-\",\"custom_attr\":\"-\",\"destination_file_directory\":\"-\",\"destination_file_name\":\"-\",\"destination_file_path\":\"-\",\"detection_engine\":\"-\",\"device\":\"Windows Device\",\"device_classification\":\"unmanaged\",\"device_sn\":\"-\",\"device_type\":\"-\",\"dinsid\":\"-\",\"dlp_file\":\"-\",\"dlp_fingerprint_classification\":\"-\",\"dlp_fingerprint_match\":\"-\",\"dlp_fingerprint_score\":\"-\",\"dlp_incident_id\":\"-\",\"dlp_is_unique_count\":\"-\",\"dlp_match_info\":\"-\",\"dlp_parent_id\":\"-\",\"dlp_profile\":\"-\",\"dlp_profile_name\":\"-\",\"dlp_rule\":\"-\",\"dlp_rule_count\":\"-\",\"dlp_rule_score\":\"-\",\"dlp_rule_severity\":\"-\",\"dlp_unique_count\":\"-\",\"dns_profile\":\"-\",\"domain\":\"ssm.eu-north-1.amazonaws.com\",\"domain_ip\":\"-\",\"driver\":\"-\",\"dst_country\":\"SE\",\"dst_geoip_src\":\"-\",\"dst_latitude\":\"18.0717|59.328699999999998\",\"dst_location\":\"Stockholm\",\"dst_longitude\":\"18.0717|59.328699999999998\",\"dst_region\":\"Stockholm County\",\"dst_timezone\":\"Europe/Stockholm\",\"dst_zipcode\":\"100 04\",\"dsthost\":\"-\",\"dstip\":\"81.2.69.142\",\"dstport\":\"443\",\"eeml\":\"-\",\"email_from_user\":\"-\",\"email_modified\":\"-\",\"email_title\":\"-\",\"email_user\":\"-\",\"encryption_status\":\"-\",\"end_time\":\"-\",\"event_uuid\":\"-\",\"executable_hash\":\"-\",\"executable_signed\":\"-\",\"file_category\":\"-\",\"file_cls_encrypted\":\"-\",\"file_exposure\":\"-\",\"file_id\":\"-\",\"file_md5\":\"-\",\"file_origin\":\"-\",\"file_owner\":\"-\",\"file_path\":\"-\",\"file_pdl\":\"-\",\"file_size\":\"-\",\"file_type\":\"-\",\"filename\":\"-\",\"filepath\":\"-\",\"fllg\":\"-\",\"flpp\":\"-\",\"from_user\":\"-\",\"hostname\":\"Test-IDMHT6TII\",\"iaas_remediated\":\"-\",\"iaas_remediated_by\":\"-\",\"iaas_remediated_on\":\"-\",\"iaas_remediation_action\":\"-\",\"incident_id\":\"5254981775376249392\",\"inline_dlp_match_info\":\"-\",\"instance\":\"-\",\"instance_id\":\"202533540828\",\"instance_name\":\"-\",\"ip_protocol\":\"-\",\"latest_incident_id\":\"-\",\"loc\":\"-\",\"local_md5\":\"-\",\"local_sha1\":\"-\",\"local_sha256\":\"-\",\"local_source_time\":\"-\",\"location\":\"-\",\"mal_id\":\"-\",\"mal_sev\":\"-\",\"mal_type\":\"-\",\"malware_id\":\"-\",\"malware_severity\":\"-\",\"malware_type\":\"-\",\"managed_app\":\"no\",\"managementID\":\"-\",\"md5\":\"-\",\"message_id\":\"-\",\"mime_type\":\"-\",\"modified_date\":\"-\",\"netskope_pop\":\"SE-STO1\",\"network_session_id\":\"-\",\"nsdeviceuid\":\"-\",\"num_users\":\"-\",\"numbytes\":\"-\",\"oauth\":\"-\",\"object\":\"-\",\"object_id\":\"-\",\"object_type\":\"-\",\"org\":\"-\",\"organization_unit\":\"-\",\"os\":\"Windows 11\",\"os_details\":\"-\",\"os_family\":\"Windows\",\"os_user_name\":\"-\",\"os_version\":\"Windows NT 11.0\",\"owner\":\"-\",\"owner_pdl\":\"-\",\"page\":\"ssm.eu-north-1.amazonaws.com\",\"parent_id\":\"-\",\"pid\":\"-\",\"policy\":\"Web Access Allow\",\"policy_action\":\"-\",\"policy_name\":\"-\",\"policy_name_enforced\":\"-\",\"policy_version\":\"-\",\"pop_id\":\"-\",\"port\":\"443\",\"process_cert_subject\":\"-\",\"process_name\":\"-\",\"process_path\":\"-\",\"product_id\":\"-\",\"publisher_cn\":\"-\",\"record_type\":\"alert\",\"redirect_url\":\"-\",\"referer\":\"-\",\"region_id\":\"-\",\"region_name\":\"-\",\"req\":\"-\",\"req_cnt\":\"-\",\"request_id\":\"5254981775376249392\",\"resource_category\":\"-\",\"resource_group\":\"-\",\"resp\":\"-\",\"resp_cnt\":\"-\",\"response_time\":\"-\",\"risk_level_id\":\"-\",\"risk_score\":\"-\",\"sa_profile_name\":\"-\",\"sa_rule_compliance\":\"-\",\"sa_rule_name\":\"-\",\"sa_rule_severity\":\"-\",\"sanctioned_instance\":\"-\",\"sender\":\"-\",\"server_bytes\":\"-\",\"server_packets\":\"-\",\"serverity\":\"-\",\"session_duration\":\"-\",\"session_number_unique\":\"-\",\"severity\":\"-\",\"severity_id\":\"-\",\"severity_level\":\"-\",\"sha256\":\"-\",\"sharedType\":\"-\",\"shared_credential_user\":\"-\",\"shared_domains\":\"-\",\"shared_with\":\"-\",\"site\":\"Amazon Systems Manager\",\"smtp_status\":\"-\",\"smtp_to\":\"-\",\"spet\":\"-\",\"spst\":\"-\",\"src_country\":\"SE\",\"src_geoip_src\":\"-\",\"src_latitude\":\"18.0717|59.328699999999998\",\"src_location\":\"Stockholm\",\"src_longitude\":\"18.0717|59.328699999999998\",\"src_network\":\"-\",\"src_region\":\"Stockholm County\",\"src_timezone\":\"Europe/Stockholm\",\"src_zipcode\":\"100 04\",\"srcip\":\"81.2.69.142\",\"srcport\":\"-\",\"start_time\":\"-\",\"status\":\"-\",\"subject\":\"-\",\"subtype\":\"-\",\"suppression_count\":\"-\",\"tags\":\"-\",\"telemetry_app\":\"-\",\"thr\":\"-\",\"threat_type\":\"-\",\"timestamp\":\"1747134122\",\"to_user\":\"-\",\"total_packets\":\"-\",\"traffic_type\":\"CloudApp\",\"transaction_id\":\"5254981775376249392\",\"tss_license\":\"-\",\"tss_mode\":\"-\",\"tunnel_id\":\"-\",\"tur\":\"-\",\"two_factor_auth\":\"-\",\"type\":\"nspolicy\",\"unc_path\":\"-\",\"ur_normalized\":\"test@gmail.com\",\"url\":\"ssm.eu-north-1.amazonaws.com/\",\"user\":\"test@gmail.com\",\"user_confidence_index\":\"-\",\"user_confidence_level\":\"-\",\"user_id\":\"-\",\"useragent\":\"aws-sdk-go/1.55.5 (go1.23.7; windows; amd64) amazon-ssm-agent/3.3.2299.0\",\"usergroup\":\"-\",\"userip\":\"81.2.69.142\",\"userkey\":\"test@gmail.com\",\"vendor_id\":\"-\",\"violation\":\"-\",\"watchlist_name\":\"-\",\"web_url\":\"-\"}"
+        "ingested": "2025-09-23T09:58:33Z",
+        "kind": "alert"
+    },
+    "gcs": {
+        "storage": {
+            "bucket": {
+                "name": "testbucket"
+            },
+            "object": {
+                "content_type": "application/x-gzip",
+                "name": "test-alerts-v2.csv.gz"
+            }
+        }
     },
     "host": {
         "domain": "ssm.eu-north-1.amazonaws.com",
@@ -1117,13 +1128,13 @@ An example event for `alerts_v2` looks as following:
         }
     },
     "input": {
-        "type": "aws-s3"
+        "type": "gcs"
     },
     "log": {
         "file": {
-            "path": "https://elastic-package-netskope-alert-v2-bucket-59128.s3.us-east-1.amazonaws.com/test-alerts-v2.csv.gz"
+            "path": "gs://testbucket/test-alerts-v2.csv.gz"
         },
-        "offset": 4504
+        "offset": 0
     },
     "netskope": {
         "alert_v2": {
@@ -1193,8 +1204,6 @@ An example event for `alerts_v2` looks as following:
         "ip": "81.2.69.142"
     },
     "tags": [
-        "collect_sqs_logs",
-        "preserve_original_event",
         "forwarded",
         "netskope-alerts"
     ],
@@ -1606,11 +1615,23 @@ An example event for `events` looks as following:
 | aws.s3.bucket.arn | The AWS S3 bucket ARN. | keyword |
 | aws.s3.bucket.name | The AWS S3 bucket name. | keyword |
 | aws.s3.object.key | The AWS S3 Object key. | keyword |
+| azure.resource.group | Resource group. | keyword |
+| azure.resource.id | Resource ID. | keyword |
+| azure.resource.name | Name. | keyword |
+| azure.resource.provider | Resource type/namespace. | keyword |
+| azure.storage.blob.content_type | The content type of the Azure Blob Storage blob object. | keyword |
+| azure.storage.blob.name | The name of the Azure Blob Storage blob object. | keyword |
+| azure.storage.container.name | The name of the Azure Blob Storage container. | keyword |
+| azure.subscription_id | Azure subscription ID. | keyword |
 | data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions:   \* Must not contain `-`   \* No longer than 100 characters | constant_keyword |
 | data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions:   \* Must not contain `-`   \* No longer than 100 characters | constant_keyword |
 | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
 | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
+| gcs.storage.bucket.name | The name of the Google Cloud Storage Bucket. | keyword |
+| gcs.storage.object.content_type | The content type of the Google Cloud Storage object. | keyword |
+| gcs.storage.object.json_data | When parse_json is true, the resulting JSON data is stored in this field. | keyword |
+| gcs.storage.object.name | The content type of the Google Cloud Storage object. | keyword |
 | input.type | Type of Filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | netskope.events_v2._id | Unique id - hexadecimal string. | keyword |
@@ -1787,32 +1808,21 @@ An example event for `events_v2` looks as following:
 {
     "@timestamp": "2025-05-13T10:43:50.000Z",
     "agent": {
-        "ephemeral_id": "04b261d7-d51e-485c-aed5-039119a22e80",
-        "id": "e8f06fce-767e-4024-bea3-813ec054f48d",
-        "name": "elastic-agent-69616",
+        "ephemeral_id": "5c0fb0eb-b857-458d-9516-97c8da1880bf",
+        "id": "c8fbd043-b163-4ee2-9287-ef96a5ce1bfe",
+        "name": "elastic-agent-83393",
         "type": "filebeat",
         "version": "8.17.8"
     },
-    "aws": {
-        "s3": {
-            "bucket": {
-                "arn": "arn:aws:s3:::elastic-package-netskope-bucket-91880",
-                "name": "elastic-package-netskope-bucket-91880"
-            },
-            "object": {
-                "key": "events.csv.gz"
-            }
-        }
-    },
     "client": {
         "bytes": 961033
     },
     "cloud": {
-        "region": "us-east-1"
+        "provider": "google cloud"
     },
     "data_stream": {
         "dataset": "netskope.events_v2",
-        "namespace": "42670",
+        "namespace": "33466",
         "type": "logs"
     },
     "destination": {
@@ -1827,10 +1837,10 @@ An example event for `events_v2` looks as following:
         "port": 443
     },
     "ecs": {
-        "version": "8.11.0"
+        "version": "8.17.0"
     },
     "elastic_agent": {
-        "id": "e8f06fce-767e-4024-bea3-813ec054f48d",
+        "id": "c8fbd043-b163-4ee2-9287-ef96a5ce1bfe",
         "snapshot": false,
         "version": "8.17.8"
     },
@@ -1838,14 +1848,24 @@ An example event for `events_v2` looks as following:
         "agent_id_status": "verified",
         "dataset": "netskope.events_v2",
         "id": "c96659f7292a31d76576becd",
-        "ingested": "2025-07-18T10:39:59Z",
+        "ingested": "2025-09-23T10:04:36Z",
         "kind": "event",
-        "original": "{\"_id\":\"c96659f7292a31d76576becd\",\"access_method\":\"Client\",\"account_id\":\"-\",\"account_name\":\"-\",\"acked\":\"-\",\"act_user\":\"-\",\"acting_user\":\"-\",\"action\":\"-\",\"activity\":\"-\",\"alert\":\"-\",\"alert_id\":\"-\",\"alert_name\":\"-\",\"alert_source\":\"-\",\"alert_type\":\"-\",\"app\":\"Google Gmail\",\"app-gdpr-level\":\"-\",\"app_session_id\":\"438388819325815355\",\"appact\":\"-\",\"appcategory\":\"Webmail\",\"appsuite\":\"-\",\"assignee\":\"-\",\"audit_type\":\"-\",\"bcc\":\"-\",\"breach_date\":\"-\",\"breach_id\":\"-\",\"breach_score\":\"-\",\"browser\":\"Chrome\",\"browser_session_id\":\"5006467906912901882\",\"cc\":\"-\",\"cci\":\"86\",\"ccl\":\"high\",\"client_bytes\":\"961033\",\"client_packets\":\"-\",\"cloud_provider\":\"-\",\"computer_name\":\"-\",\"conn_duration\":\"986\",\"conn_endtime\":\"1747134016\",\"conn_starttime\":\"1747133030\",\"connection_id\":\"8335488044687090606\",\"connection_type\":\"-\",\"custom_attr\":\"-\",\"destination_file_directory\":\"-\",\"destination_file_name\":\"-\",\"destination_file_path\":\"-\",\"detection_engine\":\"-\",\"device\":\"Windows Device\",\"device_classification\":\"-\",\"device_sn\":\"-\",\"device_type\":\"-\",\"dinsid\":\"-\",\"dlp_file\":\"-\",\"dlp_fingerprint_classification\":\"-\",\"dlp_fingerprint_match\":\"-\",\"dlp_fingerprint_score\":\"-\",\"dlp_incident_id\":\"-\",\"dlp_is_unique_count\":\"-\",\"dlp_match_info\":\"-\",\"dlp_parent_id\":\"-\",\"dlp_profile\":\"-\",\"dlp_profile_name\":\"-\",\"dlp_rule\":\"-\",\"dlp_rule_count\":\"-\",\"dlp_rule_score\":\"-\",\"dlp_rule_severity\":\"-\",\"dlp_unique_count\":\"-\",\"dns_profile\":\"-\",\"domain\":\"mail.google.com\",\"domain_ip\":\"-\",\"driver\":\"-\",\"dst_country\":\"IN\",\"dst_geoip_src\":\"-\",\"dst_latitude\":\"80.278480529785156|13.087898254394531\",\"dst_location\":\"Chennai\",\"dst_longitude\":\"80.278480529785156|13.087898254394531\",\"dst_region\":\"Tamil Nadu\",\"dst_timezone\":\"Asia/Kolkata\",\"dst_zipcode\":\"N/A\",\"dsthost\":\"-\",\"dstip\":\"142.250.77.133\",\"dstport\":\"443\",\"eeml\":\"-\",\"email_from_user\":\"-\",\"email_modified\":\"-\",\"email_title\":\"-\",\"email_user\":\"-\",\"encryption_status\":\"-\",\"end_time\":\"-\",\"event_uuid\":\"-\",\"executable_hash\":\"-\",\"executable_signed\":\"-\",\"file_category\":\"-\",\"file_cls_encrypted\":\"-\",\"file_exposure\":\"-\",\"file_id\":\"-\",\"file_md5\":\"-\",\"file_origin\":\"-\",\"file_owner\":\"-\",\"file_path\":\"-\",\"file_pdl\":\"-\",\"file_size\":\"-\",\"file_type\":\"-\",\"filename\":\"-\",\"filepath\":\"-\",\"fllg\":\"-\",\"flpp\":\"-\",\"from_user\":\"-\",\"hostname\":\"Test\",\"iaas_remediated\":\"-\",\"iaas_remediated_by\":\"-\",\"iaas_remediated_on\":\"-\",\"iaas_remediation_action\":\"-\",\"incident_id\":\"-\",\"inline_dlp_match_info\":\"-\",\"instance\":\"-\",\"instance_id\":\"-\",\"instance_name\":\"-\",\"ip_protocol\":\"-\",\"latest_incident_id\":\"-\",\"loc\":\"-\",\"local_md5\":\"-\",\"local_sha1\":\"-\",\"local_sha256\":\"-\",\"local_source_time\":\"-\",\"location\":\"-\",\"mal_id\":\"-\",\"mal_sev\":\"-\",\"mal_type\":\"-\",\"malware_id\":\"-\",\"malware_severity\":\"-\",\"malware_type\":\"-\",\"managed_app\":\"-\",\"managementID\":\"-\",\"md5\":\"-\",\"message_id\":\"-\",\"mime_type\":\"-\",\"modified_date\":\"-\",\"netskope_pop\":\"IN-MAA2\",\"network_session_id\":\"-\",\"nsdeviceuid\":\"-\",\"num_users\":\"-\",\"numbytes\":\"1348230\",\"oauth\":\"-\",\"object\":\"-\",\"object_id\":\"-\",\"object_type\":\"-\",\"org\":\"-\",\"organization_unit\":\"-\",\"os\":\"Windows 11\",\"os_details\":\"-\",\"os_family\":\"Windows\",\"os_user_name\":\"-\",\"os_version\":\"Windows NT 11.0\",\"owner\":\"-\",\"owner_pdl\":\"-\",\"page\":\"mail.google.com\",\"parent_id\":\"-\",\"pid\":\"-\",\"policy\":\"-\",\"policy_action\":\"-\",\"policy_name\":\"-\",\"policy_name_enforced\":\"-\",\"policy_version\":\"-\",\"pop_id\":\"-\",\"port\":\"-\",\"process_cert_subject\":\"-\",\"process_name\":\"-\",\"process_path\":\"-\",\"product_id\":\"-\",\"publisher_cn\":\"-\",\"record_type\":\"page\",\"redirect_url\":\"-\",\"referer\":\"-\",\"region_id\":\"-\",\"region_name\":\"-\",\"req\":\"-\",\"req_cnt\":\"173\",\"request_id\":\"-\",\"resource_category\":\"-\",\"resource_group\":\"-\",\"resp\":\"-\",\"resp_cnt\":\"173\",\"response_time\":\"-\",\"risk_level_id\":\"-\",\"risk_score\":\"-\",\"sa_profile_name\":\"-\",\"sa_rule_compliance\":\"-\",\"sa_rule_name\":\"-\",\"sa_rule_severity\":\"-\",\"sanctioned_instance\":\"-\",\"sender\":\"-\",\"server_bytes\":\"387197\",\"server_packets\":\"-\",\"serverity\":\"-\",\"session_duration\":\"-\",\"session_number_unique\":\"-\",\"severity\":\"-\",\"severity_id\":\"-\",\"severity_level\":\"-\",\"sha256\":\"-\",\"sharedType\":\"-\",\"shared_credential_user\":\"-\",\"shared_domains\":\"-\",\"shared_with\":\"-\",\"site\":\"Google Gmail\",\"smtp_status\":\"-\",\"smtp_to\":\"-\",\"spet\":\"-\",\"spst\":\"-\",\"src_country\":\"IN\",\"src_geoip_src\":\"-\",\"src_latitude\":\"77.590999999999994|12.975300000000001\",\"src_location\":\"Bengaluru\",\"src_longitude\":\"77.590999999999994|12.975300000000001\",\"src_network\":\"-\",\"src_region\":\"Karnataka\",\"src_timezone\":\"Asia/Kolkata\",\"src_zipcode\":\"562130\",\"srcip\":\"175.16.199.0\",\"srcport\":\"-\",\"start_time\":\"-\",\"status\":\"-\",\"subject\":\"-\",\"subtype\":\"-\",\"suppression_count\":\"-\",\"tags\":\"-\",\"telemetry_app\":\"-\",\"thr\":\"-\",\"threat_type\":\"-\",\"timestamp\":\"1747133030\",\"to_user\":\"-\",\"total_packets\":\"-\",\"traffic_type\":\"CloudApp\",\"transaction_id\":\"-\",\"tss_license\":\"-\",\"tss_mode\":\"-\",\"tunnel_id\":\"-\",\"tur\":\"-\",\"two_factor_auth\":\"-\",\"type\":\"connection\",\"unc_path\":\"-\",\"ur_normalized\":\"test@gmail.com\",\"url\":\"mail.google.com\",\"user\":\"test@gmail.com\",\"user_confidence_index\":\"-\",\"user_confidence_level\":\"-\",\"user_id\":\"-\",\"useragent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36\",\"usergroup\":\"-\",\"userip\":\"192.168.1.11\",\"userkey\":\"test@gmail.com\",\"vendor_id\":\"-\",\"violation\":\"-\",\"watchlist_name\":\"-\",\"web_url\":\"-\"}",
         "outcome": "unknown",
         "type": [
             "info"
         ]
     },
+    "gcs": {
+        "storage": {
+            "bucket": {
+                "name": "testbucket"
+            },
+            "object": {
+                "content_type": "application/x-gzip",
+                "name": "events.csv.gz"
+            }
+        }
+    },
     "host": {
         "name": "Test",
         "os": {
@@ -1855,13 +1875,13 @@ An example event for `events_v2` looks as following:
         }
     },
     "input": {
-        "type": "aws-s3"
+        "type": "gcs"
     },
     "log": {
         "file": {
-            "path": "https://elastic-package-netskope-bucket-91880.s3.us-east-1.amazonaws.com/events.csv.gz"
+            "path": "gs://testbucket/events.csv.gz"
         },
-        "offset": 3962
+        "offset": 0
     },
     "netskope": {
         "events_v2": {
@@ -1933,8 +1953,6 @@ An example event for `events_v2` looks as following:
         "ip": "175.16.199.0"
     },
     "tags": [
-        "collect_sqs_logs",
-        "preserve_original_event",
         "forwarded",
         "netskope-event"
     ],