Most security alerts ingested through connectors or webhooks do not impact performance.
Alerts up to about 8 MB are ingested without causing performance issues. Alerts larger than this require special
attention.
If the system detects an alert over 8 MB, the platform handles it in
phases. Each phase starts only if the previous phase doesn't
resolve the issue. Trimmed alerts display a system notification.

Phased approach for handling large alerts

Stage One: Detect the longest values in every event field and trim them.
Stage Two: Trim the number of fields in the alert to 100 fields.
Stage Three: Trim the number of events in the alert to 50 events.

Database parameters control these values. For information about
these values, see Service limits.
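
The following connector-side pre-check is an added example, not code from the platform or its documentation. It estimates which stage an alert would reach and what evidence would be lost to trimming. The function names, the JSON size measure, the 1024-character trimmed length, and the choice to keep the first fields per event and the first events are assumptions; only the 8 MB, 100-field, and 50-event thresholds come from this page.

```python
import json

# Thresholds from the page; the platform's real values are database parameters.
MAX_ALERT_BYTES = 8 * 1024 * 1024
MAX_FIELDS = 100
MAX_EVENTS = 50
TRIM_VALUE_CHARS = 1024  # assumption: the page does not state the trimmed length


def alert_size(alert):
    """Bytes of the alert as UTF-8 JSON (assumed to approximate the platform's measure)."""
    return len(json.dumps(alert).encode("utf-8"))


def simulate_trimming(alert):
    """Return (stage_reached, trimmed_copy, losses) for a dict with an 'events' list."""
    losses = []
    if alert_size(alert) <= MAX_ALERT_BYTES:
        return 0, alert, losses
    events = [dict(ev) for ev in alert["events"]]  # copy so the input is untouched
    trimmed = {**alert, "events": events}
    # Stage One: cut the longest values in every event field.
    for i, ev in enumerate(events):
        for key, value in ev.items():
            if isinstance(value, str) and len(value) > TRIM_VALUE_CHARS:
                ev[key] = value[:TRIM_VALUE_CHARS]
                losses.append(f"event {i}: '{key}' cut from {len(value)} chars")
    if alert_size(trimmed) <= MAX_ALERT_BYTES:
        return 1, trimmed, losses
    # Stage Two: keep 100 fields (assumption: per event, first fields win).
    for i, ev in enumerate(events):
        for key in list(ev)[MAX_FIELDS:]:
            del ev[key]
            losses.append(f"event {i}: field '{key}' dropped")
    if alert_size(trimmed) <= MAX_ALERT_BYTES:
        return 2, trimmed, losses
    # Stage Three: keep 50 events (assumption: the first 50 are kept).
    if len(events) > MAX_EVENTS:
        losses.append(f"{len(events) - MAX_EVENTS} events dropped")
        del events[MAX_EVENTS:]
    return 3, trimmed, losses


if __name__ == "__main__":
    # Constructed sample: one event carrying a 9 MB payload field.
    sample = {"name": "demo", "events": [{"payload": "A" * (9 * 1024 * 1024)}]}
    stage, _, lost = simulate_trimming(sample)
    print(stage, lost)
```

Running this in a connector before submission shows which fields or events would be cut, so the full raw alert can be archived elsewhere when any stage above 0 is reported.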

Changes to the database parameters that control these trimming values require contacting Google Support.

Last updated 2025-03-06 UTC.