Most security alerts ingested through connectors or webhooks do not impact performance.
Alerts up to about 28 MB are ingested without impacting performance. Larger alerts may require special attention.
If the system detects an alert over 28 MB, the platform manages this in a
phased approach. Each phase is only initiated if the previous phase doesn't
resolve the issue. Trimmed alerts display a system notification.
Phased approach for handling large alerts
Stage One: Detect the longest values in every
event field and trim them.
Stage Two: Trim the number of fields in the alert to 100 fields.
Stage Three: Trim the number of events in the alert to 50 events.
Database parameters control these values. For information about
these values, see Service limits.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-04 UTC."],[[["Google SecOps SOAR can handle most security alerts without performance issues, especially those under 8 MB in size."],["The system uses a phased approach to manage alerts larger than 8 MB, attempting to resolve size issues in stages."],["The phased approach includes trimming the longest values in event fields, reducing the number of fields to 100, and reducing the number of events to 50."],["Database parameters control the size values for trimming, and changes to these parameters require contacting Google Support."],["Trimmed alerts result in a system notification being displayed."]]],[]]
