Handle large alerts
Most security alerts that are ingested through connectors or webhooks don't cause any performance degradation.
We have determined that any alert up to a maximum size of around 8MB is ingested without causing performance issues. Alerts larger than this require special attention.
If the system detects an alert over 8MB, the platform deals with this in a phased approach. If the first stage solves the size issue, then there is no need to continue to the second stage, and same too from the second stage to the third stage. Alerts that are trimmed will display a system notification.
- Stage One: Detect values which are the longest in every event field and trim them.
- Stage Two: Trim the number of fields in the alert to 100 fields.
- Stage Three: Trim the number of events in the alert to 50 events.
These values are controlled by database parameters. For full information on the values, see Maximum amounts for ingestion (alerts, entities and relations)
If you want to update parameter values, contact Google support.