Why am I receiving an "alert_context size bigger than maximum" error in Panther?
Issue
When I receive an alert from a webhook, the alert context displays an error:
"_error": "alert_context size is [601786] characters, bigger than maximum of [204800] characters"
Resolution
To resolve this issue:
- Optimize and reduce the amount of information output through the alert_context field.
- Use the Panther API to query the events from the alert instead of outputting all the information through the alert_context field. The entire rule match is written to the data lake, so all the information you need can be extracted with a Panther API data lake query.
Cause
This issue occurs when too much information is being passed through the alert_context field.