Handle large alerts

Most security alerts ingested through connectors or webhooks do not impact performance.

Alerts up to about 8 MB are ingested without causing performance issues. Alerts larger than this require special attention.

If the system detects an alert over 8 MB, the platform manages this in a phased approach. Each phase is only initiated if the previous phase doesn't resolve the issue. Trimmed alerts display a system notification.

Phased approach for handling large alerts

Stage One: Detect the longest values in every event field and trim them.

Stage Two: Trim the number of fields in the alert to 100 fields.

Stage Three: Trim the number of events in the alert to 50 events.

Database parameters control these values. For information about these values, see Service limits.

To update parameter values, contact Google Support.
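
Because trimming discards data an analyst may need, a connector author can check an alert against these limits before sending it. The following is an added example, not code from the platform: the alert shape (a dict with an `events` list of field dicts), the `preflight` and `build_sample_alert` names, measuring size as UTF-8 JSON, reading 1 MB as 1024 * 1024 bytes, and counting the 100-field limit per event are all assumptions.

```python
import json

# Limits quoted on this page. The real values are database parameters, so
# treat these as defaults. 1 MB = 1024 * 1024 bytes is an assumption.
SIZE_LIMIT_BYTES = 8 * 1024 * 1024
MAX_FIELDS = 100
MAX_EVENTS = 50


def preflight(alert, top_n=5):
    """Report which trimming stages an alert would be a candidate for.

    `alert` uses a hypothetical shape: {"name": ..., "events": [{field: value}]}.
    Size is measured as UTF-8 JSON, which only approximates the platform's view.
    """
    size = len(json.dumps(alert).encode("utf-8"))
    events = alert.get("events", [])
    # Stage One candidates: the longest field values across all events.
    values = sorted(
        ((len(str(v).encode("utf-8")), i, k)
         for i, ev in enumerate(events) for k, v in ev.items()),
        reverse=True,
    )
    widest = max((len(ev) for ev in events), default=0)
    return {
        "size_bytes": size,
        "over_limit": size > SIZE_LIMIT_BYTES,
        "longest_values": [
            {"event": i, "field": k, "bytes": n} for n, i, k in values[:top_n]
        ],
        # Stage Two: assumed here to apply to the fields of a single event.
        "fields_over_cap": max(0, widest - MAX_FIELDS),
        # Stage Three: events beyond the cap.
        "events_over_cap": max(0, len(events) - MAX_EVENTS),
    }


def build_sample_alert():
    """Constructed sample: 60 small events, one carrying a 9 MB field."""
    events = [{"src_ip": "192.0.2.10", "action": "blocked", "id": i}
              for i in range(60)]
    events[7]["raw_payload"] = "A" * (9 * 1024 * 1024)
    return {"name": "constructed-sample", "events": events}


if __name__ == "__main__":
    print(json.dumps(preflight(build_sample_alert()), indent=2))
```

A report with `over_limit` set points to the fields worth shortening or dropping in the connector, where the choice of what to keep stays with the author.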