Handle large alerts

Supported in:

Google secops SOAR

Most security alerts ingested through connectors or webhooks don't impact performance. The system efficiently ingests alerts up to 28 MB. Alerts exceeding this threshold trigger an automatic, phased mitigation process to prevent system overload and ensure processing efficiency.

The platform executes each phase sequentially, only initiating the next if the previous one fails to resolve the size issue. Trimmed alerts display a system notification.

Phased approach for handling large alerts

The following is a breakdown of how to handle large alerts in a phased approach to prevent system overload and ensure efficient processing:

Trim longest values: Detect and shorten the longest string values within every event field.
Trim field count: Reduce the total number of fields in the alert to a maximum of 100 fields.
Trim event count: Reduce the total number of events in the alert to a maximum of 50 events.

Database parameters control these default trim values. For information about these values, see Service limits.

To update parameter values, contact Google Support.

Need more help? Get answers from Community members and Google SecOps professionals.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-10-24 UTC.