Most security alerts ingested through connectors or webhooks do not impact performance.
Alerts up to about 8 MB are ingested without causing performance issues. Alerts larger than this require special
attention.
If the system detects an alert over 8 MB, the platform manages this in a
phased approach. Each phase is only initiated if the previous phase doesn't
resolve the issue. Trimmed alerts display a system notification.
Phased approach for handling large alerts
Stage One: Detect the longest values in every
event field and trim them.
Stage Two: Trim the number of fields in the alert to 100 fields.
Stage Three: Trim the number of events in the alert to 50 events.
Database parameters control these values. For information about
these values, see Service limits.
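The phased trimming described above, modeled as an added example (not the platform's own code) so that you can predict which data an oversized alert would lose before you send it. Assumptions: alerts carry an `events` list, size is measured on the JSON encoding, "about 8 MB" is taken as 8 * 1024 * 1024 bytes, stage one cuts values to a hypothetical `MAX_VALUE_CHARS`, and the field limit is applied per event, keeping the first fields.

```python
import json

SIZE_LIMIT = 8 * 1024 * 1024  # assumption: "about 8 MB" as bytes of JSON
MAX_VALUE_CHARS = 1024        # hypothetical stage-one trim length
MAX_FIELDS = 100              # from the page (stage two)
MAX_EVENTS = 50               # from the page (stage three)


def alert_size(alert):
    """Bytes in the alert's JSON encoding (assumed size measure)."""
    return len(json.dumps(alert).encode("utf-8"))


def trim_values(alert):
    """Stage one: cut over-long string values in every event field."""
    for event in alert["events"]:
        for key, value in event.items():
            if isinstance(value, str) and len(value) > MAX_VALUE_CHARS:
                event[key] = value[:MAX_VALUE_CHARS]


def trim_fields(alert):
    """Stage two: keep the first MAX_FIELDS fields of each event (assumed scope)."""
    alert["events"] = [dict(list(e.items())[:MAX_FIELDS]) for e in alert["events"]]


def trim_events(alert):
    """Stage three: keep the first MAX_EVENTS events."""
    alert["events"] = alert["events"][:MAX_EVENTS]


STAGES = (("values", trim_values), ("fields", trim_fields), ("events", trim_events))


def plan_trimming(alert, limit=SIZE_LIMIT):
    """Return (trimmed copy, stages applied); a stage runs only if still over limit."""
    trimmed = json.loads(json.dumps(alert))  # deep copy, input stays untouched
    applied = []
    for name, stage in STAGES:
        if alert_size(trimmed) <= limit:
            break
        stage(trimmed)
        applied.append(name)
    return trimmed, applied


if __name__ == "__main__":
    # Constructed sample: one event carrying a 9 MB field value.
    sample = {"name": "constructed-alert", "events": [{"raw_log": "x" * 9_000_000}]}
    result, stages = plan_trimming(sample)
    print(stages, alert_size(result))
```
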
Last updated 2025-01-30 UTC.