From 4405d644f07d9905fbba3e39f08e292dd0a385a5 Mon Sep 17 00:00:00 2001
From: Tere
Date: Wed, 3 Dec 2025 15:14:46 +0100
Subject: [PATCH 01/10] fix hbs for auditd.yml.hbs

---
 .../data_stream/auditd/agent/stream/auditd.yml.hbs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs b/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
index 62d690ae37e..f9d4d6cfecf 100644
--- a/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
+++ b/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
@@ -8,11 +8,11 @@ immutable: {{immutable}}
 resolve_ids: {{resolve_ids}}
 failure_mode: {{failure_mode}}
 {{#if session_data}}
-audit_rules: "{{escape_multiline_string "# Session data audit rules
+audit_rules: |
+# Session data audit rules
 -a always,exit -F arch=b64 -S execve,execveat -k exec
 -a always,exit -F arch=b64 -S exit_group
 -a always,exit -F arch=b64 -S setsid
-"}}{{escape_multiline_string audit_rules}}"
 {{else}}
 {{#if audit_rules}}
 audit_rules: {{escape_string audit_rules}}

From 702ddef1955c1a106d5d123147d0cca7272274fc Mon Sep 17 00:00:00 2001
From: Tere
Date: Wed, 3 Dec 2025 15:14:52 +0100
Subject: [PATCH 02/10] fix hbs closing tag in gcs.yml.hbs

---
 .../data_stream/alerts_events_v2/agent/stream/gcs.yml.hbs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/packages/netskope/data_stream/alerts_events_v2/agent/stream/gcs.yml.hbs b/packages/netskope/data_stream/alerts_events_v2/agent/stream/gcs.yml.hbs
index 3ed73663957..3e7a29d39ed 100644
--- a/packages/netskope/data_stream/alerts_events_v2/agent/stream/gcs.yml.hbs
+++ b/packages/netskope/data_stream/alerts_events_v2/agent/stream/gcs.yml.hbs
@@ -46,3 +46,4 @@ publisher_pipeline.disable_host: true
 processors:
 {{processors}}
 {{/if}}
+{{/if}}

From 2e9b0f30fc414f2781e77fb7365e1c48b45b5940 Mon Sep 17 00:00:00 2001
From: Tere
Date: Fri, 5 Dec 2025 09:23:49 +0100
Subject: [PATCH 03/10] Revert "fix hbs for auditd.yml.hbs"

This reverts commit 4405d644f07d9905fbba3e39f08e292dd0a385a5.
---
 .../data_stream/auditd/agent/stream/auditd.yml.hbs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs b/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
index f9d4d6cfecf..62d690ae37e 100644
--- a/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
+++ b/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
@@ -8,11 +8,11 @@ immutable: {{immutable}}
 resolve_ids: {{resolve_ids}}
 failure_mode: {{failure_mode}}
 {{#if session_data}}
-audit_rules: |
-# Session data audit rules
+audit_rules: "{{escape_multiline_string "# Session data audit rules
 -a always,exit -F arch=b64 -S execve,execveat -k exec
 -a always,exit -F arch=b64 -S exit_group
 -a always,exit -F arch=b64 -S setsid
+"}}{{escape_multiline_string audit_rules}}"
 {{else}}
 {{#if audit_rules}}
 audit_rules: {{escape_string audit_rules}}

From 3d4c2368a76e170d8a970bc1c20c52c3fa65a741 Mon Sep 17 00:00:00 2001
From: Tere
Date: Fri, 5 Dec 2025 09:36:57 +0100
Subject: [PATCH 04/10] Refactor audit_rules formatting in auditd.yml.hbs for hbs compliance

---
 .../data_stream/auditd/agent/stream/auditd.yml.hbs | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs b/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
index 62d690ae37e..993ac47ca4f 100644
--- a/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
+++ b/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
@@ -8,11 +8,9 @@ immutable: {{immutable}}
 resolve_ids: {{resolve_ids}}
 failure_mode: {{failure_mode}}
 {{#if session_data}}
-audit_rules: "{{escape_multiline_string "# Session data audit rules
--a always,exit -F arch=b64 -S execve,execveat -k exec
--a always,exit -F arch=b64 -S exit_group
--a always,exit -F arch=b64 -S setsid
-"}}{{escape_multiline_string audit_rules}}"
+audit_rules: "{{escape_multiline_string
+ "# Session data audit rules\n-a always,exit -F arch=b64 -S execve,execveat -k exec\n-a always,exit -F arch=b64 -S exit_group\n-a always,exit -F arch=b64 -S setsid\n"
+}}{{escape_multiline_string audit_rules}}"
 {{else}}
 {{#if audit_rules}}
 audit_rules: {{escape_string audit_rules}}

From 4a09c3b05cdb532f21acc242b11095254e2e80ea Mon Sep 17 00:00:00 2001
From: Tere
Date: Fri, 5 Dec 2025 12:29:36 +0100
Subject: [PATCH 05/10] Revert "Refactor audit_rules formatting in auditd.yml.hbs for hbs compliance"

This reverts commit 3d4c2368a76e170d8a970bc1c20c52c3fa65a741.
---
 .../data_stream/auditd/agent/stream/auditd.yml.hbs | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs b/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
index 993ac47ca4f..62d690ae37e 100644
--- a/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
+++ b/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
@@ -8,9 +8,11 @@ immutable: {{immutable}}
 resolve_ids: {{resolve_ids}}
 failure_mode: {{failure_mode}}
 {{#if session_data}}
-audit_rules: "{{escape_multiline_string
- "# Session data audit rules\n-a always,exit -F arch=b64 -S execve,execveat -k exec\n-a always,exit -F arch=b64 -S exit_group\n-a always,exit -F arch=b64 -S setsid\n"
-}}{{escape_multiline_string audit_rules}}"
+audit_rules: "{{escape_multiline_string "# Session data audit rules
+-a always,exit -F arch=b64 -S execve,execveat -k exec
+-a always,exit -F arch=b64 -S exit_group
+-a always,exit -F arch=b64 -S setsid
+"}}{{escape_multiline_string audit_rules}}"
 {{else}}
 {{#if audit_rules}}
 audit_rules: {{escape_string audit_rules}}

From 3b3faa6b6ff2b501b143fee25ffae3f3124b54b8 Mon Sep 17 00:00:00 2001
From: Tere
Date: Wed, 10 Dec 2025 15:23:01 +0100
Subject: [PATCH 06/10] fix hbs formatting for audit_rules in auditd.yml.hbs

---
 .../data_stream/auditd/agent/stream/auditd.yml.hbs | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs b/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
index 62d690ae37e..723b694c277 100644
--- a/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
+++ b/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
@@ -8,11 +8,12 @@ immutable: {{immutable}}
 resolve_ids: {{resolve_ids}}
 failure_mode: {{failure_mode}}
 {{#if session_data}}
-audit_rules: "{{escape_multiline_string "# Session data audit rules
--a always,exit -F arch=b64 -S execve,execveat -k exec
--a always,exit -F arch=b64 -S exit_group
--a always,exit -F arch=b64 -S setsid
-"}}{{escape_multiline_string audit_rules}}"
+audit_rules: |
+ # Session data audit rules
+ -a always,exit -F arch=b64 -S execve,execveat -k exec
+ -a always,exit -F arch=b64 -S exit_group
+ -a always,exit -F arch=b64 -S setsid
+ {{escape_multiline_string audit_rules}}
 {{else}}
 {{#if audit_rules}}
 audit_rules: {{escape_string audit_rules}}

From a92b6a5fbcc51ceb73e5a998cbfdca2cbf18142a Mon Sep 17 00:00:00 2001
From: Tere
Date: Thu, 11 Dec 2025 09:36:50 +0100
Subject: [PATCH 07/10] update audit_rules formatting in auditd.yml.hbs

---
 .../data_stream/auditd/agent/stream/auditd.yml.hbs | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs b/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
index 723b694c277..22255852845 100644
--- a/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
+++ b/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
@@ -8,12 +8,7 @@ immutable: {{immutable}}
 resolve_ids: {{resolve_ids}}
 failure_mode: {{failure_mode}}
 {{#if session_data}}
-audit_rules: |
- # Session data audit rules
- -a always,exit -F arch=b64 -S execve,execveat -k exec
- -a always,exit -F arch=b64 -S exit_group
- -a always,exit -F arch=b64 -S setsid
- {{escape_multiline_string audit_rules}}
+audit_rules: "# Session data audit rules\n-a always,exit -F arch=b64 -S execve,execveat -k exec\n-a always,exit -F arch=b64 -S exit_group\n-a always,exit -F arch=b64 -S setsid\n{{escape_multiline_string audit_rules}}"
 {{else}}
 {{#if audit_rules}}
 audit_rules: {{escape_string audit_rules}}
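Review bot: The custom `audit_rules` value is appended inside the double-quoted scalar on the new `audit_rules:` line, so the rendered policy is well-formed only if `escape_multiline_string` escapes `"` and `\` as well as newlines, and nothing in this series pins that: no `_dev/test/policy` case is added for auditd_manager, while netskope gets two in patch 10. I would add a case with `session_data: true` and a multi-line `audit_rules` containing a double quote and a backslash, and check that the `.expected` output lists the custom rules after the three fixed ones. Separately, the fixed rules match only `arch=b64`; on hosts that can run 32-bit binaries an `execve` through the b32 syscall table is not captured, so if such hosts are in scope the block needs a matching `-a always,exit -F arch=b32 -S execve,execveat -k exec` line, and the `exit_group` and `setsid` rules would be easier to filter downstream with a `-k` key. The `{{#if session_data}}` block begins inside the hunk but its `{{else}}` branch continues past it.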
From bb93595fcad93c88ef30f79c0b5f07d66efade64 Mon Sep 17 00:00:00 2001
From: Tere
Date: Thu, 11 Dec 2025 10:01:54 +0100
Subject: [PATCH 08/10] Update changelog and manifest for version 3.1.2: fix typo in ingest pipeline and bump version netskope

---
 packages/netskope/changelog.yml | 8 ++++++--
 packages/netskope/manifest.yml | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/packages/netskope/changelog.yml b/packages/netskope/changelog.yml
index 3fedc099c01..f2606dcaa23 100644
--- a/packages/netskope/changelog.yml
+++ b/packages/netskope/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.1.2"
+ changes:
+ - description: Fix typo in the ingest pipeline for alerts_events_v2 data stream.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/16230
 - version: "3.1.1"
 changes:
 - description: Added advanced configuration options for setting and overriding content-type of log files.
@@ -12,8 +17,7 @@
 - version: "3.0.0"
 changes:
 - description: >-
- Add alerts_events_v2 data stream to support fetching alert v2 and event v2 data from a single queue.
- Users using SQS input should consider disabling alerts_v2 and events_v2 to avoid conflicts, and use the combined data stream instead.
+ Add alerts_events_v2 data stream to support fetching alert v2 and event v2 data from a single queue. Users using SQS input should consider disabling alerts_v2 and events_v2 to avoid conflicts, and use the combined data stream instead.
 type: breaking-change
 link: https://github.com/elastic/integrations/pull/15697
 - version: "2.3.0"
diff --git a/packages/netskope/manifest.yml b/packages/netskope/manifest.yml
index 7722aecb64d..27cee5cc6ac 100644
--- a/packages/netskope/manifest.yml
+++ b/packages/netskope/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: netskope
 title: "Netskope"
-version: "3.1.1"
+version: "3.1.2"
 description: Collect logs from Netskope with Elastic Agent.
 type: integration
 categories:
From 6764b128c626589419620c9f956314e9fd8c24fa Mon Sep 17 00:00:00 2001
From: Tere
Date: Thu, 11 Dec 2025 10:04:34 +0100
Subject: [PATCH 09/10] add bugfix at changelog for hbs format in ingest pipeline; bump version to 1.19.1 auditd_manager

---
 packages/auditd_manager/changelog.yml | 5 +++++
 packages/auditd_manager/manifest.yml | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/packages/auditd_manager/changelog.yml b/packages/auditd_manager/changelog.yml
index b12529ecd58..09a882f76b4 100644
--- a/packages/auditd_manager/changelog.yml
+++ b/packages/auditd_manager/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.19.1"
+ changes:
+ - description: Fix hbs format in the ingest pipeline for auditd data stream.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/16230
 - version: "1.19.0"
 changes:
 - description: Update Kibana constraint to 9.0
diff --git a/packages/auditd_manager/manifest.yml b/packages/auditd_manager/manifest.yml
index c576d9812fc..11791525a02 100644
--- a/packages/auditd_manager/manifest.yml
+++ b/packages/auditd_manager/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: auditd_manager
 title: "Auditd Manager"
-version: "1.19.0"
+version: "1.19.1"
 description: "The Auditd Manager Integration receives audit events from the Linux Audit Framework that is a part of the Linux kernel."
 type: integration
 categories:

From b17d38d1b50f57806c462b3a36a4c0dd6a724a04 Mon Sep 17 00:00:00 2001
From: Tere
Date: Thu, 11 Dec 2025 11:34:57 +0100
Subject: [PATCH 10/10] Add GCS test policies and update GCS stream template for Netskope integration

---
 .../test/policy/test-gcs-default.expected | 42 +++++++++++++++++
 .../_dev/test/policy/test-gcs-default.yml | 2 +
 .../test/policy/test-gcs-with-tags.expected | 45 +++++++++++++++++++
 .../_dev/test/policy/test-gcs-with-tags.yml | 9 ++++
 .../alerts_events_v2/agent/stream/gcs.yml.hbs | 2 +-
 5 files changed, 99 insertions(+), 1 deletion(-)
 create mode 100644 packages/netskope/data_stream/alerts_events_v2/_dev/test/policy/test-gcs-default.expected
 create mode 100644 packages/netskope/data_stream/alerts_events_v2/_dev/test/policy/test-gcs-default.yml
 create mode 100644 packages/netskope/data_stream/alerts_events_v2/_dev/test/policy/test-gcs-with-tags.expected
 create mode 100644 packages/netskope/data_stream/alerts_events_v2/_dev/test/policy/test-gcs-with-tags.yml

diff --git a/packages/netskope/data_stream/alerts_events_v2/_dev/test/policy/test-gcs-default.expected b/packages/netskope/data_stream/alerts_events_v2/_dev/test/policy/test-gcs-default.expected
new file mode 100644
index 00000000000..df1920f42d4
--- /dev/null
+++ b/packages/netskope/data_stream/alerts_events_v2/_dev/test/policy/test-gcs-default.expected
@@ -0,0 +1,42 @@
+inputs:
+ - data_stream:
+ namespace: ep
+ meta:
+ package:
+ name: netskope
+ name: test-gcs-default-netskope
+ streams:
+ - bucket_timeout: 120s
+ buckets:
+ - name: siem_gcs_bucket_1
+ - name: siem_gcs_bucket_2
+ data_stream:
+ dataset: netskope.alerts_events_v2
+ decoding.codec.csv:
+ comma: ' '
+ enabled: true
+ max_workers: 3
+ poll: true
+ poll_interval: 15s
+ project_id: my-project-id
+ publisher_pipeline.disable_host: true
+ tags:
+ - forwarded
+ - netskope-alerts
+ type: gcs
+ use_output: default
+output_permissions:
+ default:
+ _elastic_agent_checks:
+ cluster:
+ - monitor
+ _elastic_agent_monitoring:
+ indices: []
+ uuid-for-permissions-on-related-indices:
+ indices:
+ - names:
+ - logs-*-*
+ privileges:
+ - auto_configure
+ - create_doc
+secret_references: []
diff --git a/packages/netskope/data_stream/alerts_events_v2/_dev/test/policy/test-gcs-default.yml b/packages/netskope/data_stream/alerts_events_v2/_dev/test/policy/test-gcs-default.yml
new file mode 100644
index 00000000000..b8cd0b1abb8
--- /dev/null
+++ b/packages/netskope/data_stream/alerts_events_v2/_dev/test/policy/test-gcs-default.yml
@@ -0,0 +1,2 @@
+input: gcs
+vars:
\ No newline at end of file
diff --git a/packages/netskope/data_stream/alerts_events_v2/_dev/test/policy/test-gcs-with-tags.expected b/packages/netskope/data_stream/alerts_events_v2/_dev/test/policy/test-gcs-with-tags.expected
new file mode 100644
index 00000000000..3bc3ccb4f08
--- /dev/null
+++ b/packages/netskope/data_stream/alerts_events_v2/_dev/test/policy/test-gcs-with-tags.expected
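Review bot: `vars:` in the new `test-gcs-default.yml` has no value, so it parses as null rather than an empty mapping, and the file also lacks a trailing newline; the sibling `test-gcs-with-tags.yml` keeps its variables under `data_stream: vars:`, so if the top-level key is meant as a placeholder write `vars: {}`, otherwise drop it. Because this case sets nothing, the paired `.expected` renders the GCS input with no credential fields and `secret_references: []`, so neither new test shows how a configured service-account credential is emitted. If the template only renders credentials when they are set, a case that sets one would confirm whether the value lands in `secret_references` or inline in the policy.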
@@ -0,0 +1,45 @@
+inputs:
+ - data_stream:
+ namespace: ep
+ meta:
+ package:
+ name: netskope
+ name: test-gcs-with-tags-netskope
+ streams:
+ - bucket_timeout: 120s
+ buckets:
+ - name: siem_gcs_bucket_1
+ - name: siem_gcs_bucket_2
+ data_stream:
+ dataset: netskope.alerts_events_v2
+ decoding.codec.csv:
+ comma: ' '
+ enabled: true
+ max_workers: 3
+ poll: true
+ poll_interval: 15s
+ project_id: my-project-id
+ publisher_pipeline.disable_host: true
+ tags:
+ - preserve_original_event
+ - preserve_duplicate_custom_fields
+ - forwarded
+ - custom_tag_1
+ - custom_tag_2
+ type: gcs
+ use_output: default
+output_permissions:
+ default:
+ _elastic_agent_checks:
+ cluster:
+ - monitor
+ _elastic_agent_monitoring:
+ indices: []
+ uuid-for-permissions-on-related-indices:
+ indices:
+ - names:
+ - logs-*-*
+ privileges:
+ - auto_configure
+ - create_doc
+secret_references: []
diff --git a/packages/netskope/data_stream/alerts_events_v2/_dev/test/policy/test-gcs-with-tags.yml b/packages/netskope/data_stream/alerts_events_v2/_dev/test/policy/test-gcs-with-tags.yml
new file mode 100644
index 00000000000..bfaa14321d2
--- /dev/null
+++ b/packages/netskope/data_stream/alerts_events_v2/_dev/test/policy/test-gcs-with-tags.yml
@@ -0,0 +1,9 @@
+input: gcs
+data_stream:
+ vars:
+ preserve_original_event: true
+ preserve_duplicate_custom_fields: true
+ tags:
+ - forwarded
+ - custom_tag_1
+ - custom_tag_2
\ No newline at end of file
diff --git a/packages/netskope/data_stream/alerts_events_v2/agent/stream/gcs.yml.hbs b/packages/netskope/data_stream/alerts_events_v2/agent/stream/gcs.yml.hbs
index 3e7a29d39ed..7b3f0cbf453 100644
--- a/packages/netskope/data_stream/alerts_events_v2/agent/stream/gcs.yml.hbs
+++ b/packages/netskope/data_stream/alerts_events_v2/agent/stream/gcs.yml.hbs
@@ -39,6 +39,7 @@ tags:
 {{#each tags as |tag|}}
 - {{tag}}
 {{/each}}
+{{/if}}
 {{#contains "forwarded" tags}}
 publisher_pipeline.disable_host: true
 {{/contains}}
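Review bot: With `{{/if}}` moved to directly after `{{/each}}`, `{{#contains "forwarded" tags}}` is no longer inside the guarded block, so when no tags are configured the helper now receives an undefined value; whether `contains` tolerates that or the policy fails to render is not visible here, because the opening tag (presumably `{{#if tags}}`) lies before the hunk. Neither new policy test exercises that path: the default case already renders `forwarded` and `netskope-alerts`, and the with-tags case sets tags explicitly. I would add a third case with `tags: []` and record in its `.expected` whether `publisher_pipeline.disable_host` is emitted.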
@@ -46,4 +47,3 @@ publisher_pipeline.disable_host: true
 processors:
 {{processors}}
 {{/if}}
-{{/if}}