Most security alerts ingested through connectors or webhooks do not impact performance.
Alerts up to about 28 MB are ingested without impacting performance. Larger alerts may require special attention.
If the system detects an alert over 28 MB, the platform handles it in
phases. Each phase starts only if the previous phase doesn't
resolve the issue. Trimmed alerts display a system notification.
Phased approach for handling large alerts
Stage One: Detect the longest values in every event field and trim them.
Stage Two: Trim the number of fields in the alert to 100 fields.
Stage Three: Trim the number of events in the alert to 50 events.
Database parameters control these values. For information about
these values, see Service limits.
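The following is an added example, not the platform's own code: a local model of the three stages that a connector author can run to see which stage an alert would reach and what data would be dropped. The alert shape (a dict with an "events" list), the per-value cap, measuring size on the JSON form, applying the field limit per event, and keeping the first fields and events are all assumptions; only the 28 MB, 100-field and 50-event figures come from this page.

```python
import copy
import json

LIMIT_BYTES = 28 * 1024 * 1024  # from the page: about 28 MB
MAX_FIELDS = 100                # from the page: stage two
MAX_EVENTS = 50                 # from the page: stage three
MAX_VALUE_CHARS = 10_000        # ASSUMPTION: the page gives no per-value cap


def alert_size(alert):
    """Size in bytes of the JSON form (ASSUMPTION: how the size is measured)."""
    return len(json.dumps(alert).encode("utf-8"))


def trim_alert(alert, limit=LIMIT_BYTES, max_value=MAX_VALUE_CHARS):
    """Return (trimmed_copy, stages_applied); a stage runs only if still over limit."""
    alert = copy.deepcopy(alert)  # never mutate the caller's alert
    stages = [
        (1, lambda a: _trim_values(a, max_value)),
        (2, _trim_fields),
        (3, _trim_events),
    ]
    applied = []
    for number, stage in stages:
        if alert_size(alert) <= limit:
            break
        stage(alert)
        applied.append(number)
    return alert, applied


def _trim_values(alert, max_value):
    # Stage one: cut every over-long field value (ASSUMPTION: simple truncation).
    for event in alert["events"]:
        for key, value in event.items():
            if len(str(value)) > max_value:
                event[key] = str(value)[:max_value]


def _trim_fields(alert):
    # Stage two: keep the first MAX_FIELDS fields per event (ASSUMPTION: which are kept).
    alert["events"] = [dict(list(e.items())[:MAX_FIELDS]) for e in alert["events"]]


def _trim_events(alert):
    # Stage three: keep the first MAX_EVENTS events (ASSUMPTION: which are kept).
    alert["events"] = alert["events"][:MAX_EVENTS]
```

Comparing the returned copy with the original shows which fields or events a playbook would no longer see after trimming.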
Last updated 2025-08-24 UTC.