When I receive an alert from a webhook, the alert context displays an error:
"_error": "alert_context size is [601786] characters, bigger than maximum of [204800] characters"
This issue occurs when there is too much information being passed through the alert_context field.

To resolve this issue:

1. Optimize and reduce the amount of information to be output through the alert_context field.
2. Utilize the Panther API to query the events from the alert instead of trying to output all the information through the alert_context field. The entire rule match is written in the data lake, so you'd be able to extract all the info needed through a Panther API data lake query.
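As an added example (not from this article or from Panther's own code), the following alert_context function surfaces only a few key fields, truncates long values, and falls back to a minimal pointer when the serialized context would still exceed the 204800-character limit quoted above. It assumes Panther's rule convention that alert_context(event) returns a dict from a dict-like event; the field names and per-field budget are hypothetical.

```python
import json

# Maximum alert_context size taken from the error message above (characters).
MAX_ALERT_CONTEXT_CHARS = 204800
# Hypothetical per-field budget so one large value cannot consume the whole limit.
MAX_FIELD_CHARS = 2000
# Hypothetical set of fields worth surfacing in the alert; everything else stays
# in the data lake, where the full rule match can be queried through the Panther API.
KEEP_FIELDS = ("p_event_time", "p_log_type", "actor", "action", "source_ip")


def _truncate(value, limit):
    """Serialize a value and cut it off, marking the truncation so an analyst knows to query the lake."""
    text = value if isinstance(value, str) else json.dumps(value, default=str)
    if len(text) <= limit:
        return value
    return text[:limit] + f"...[truncated {len(text) - limit} chars]"


def context_size(context):
    """Size of the context as Panther would serialize it (JSON), in characters."""
    return len(json.dumps(context, default=str))


def build_alert_context(event, keep_fields=KEEP_FIELDS, field_limit=MAX_FIELD_CHARS):
    """Return a compact context dict that stays under the alert_context size limit."""
    context = {field: _truncate(event[field], field_limit) for field in keep_fields if field in event}
    # Record which fields were left out so the analyst knows what to pull from the data lake.
    context["omitted_fields"] = sorted(set(event) - set(keep_fields))
    if context_size(context) > MAX_ALERT_CONTEXT_CHARS:
        # Last resort: keep only a pointer to the event so the alert is still delivered.
        context = {
            "p_event_time": event.get("p_event_time"),
            "note": "alert_context too large; query the full match from the data lake",
        }
    return context


def alert_context(event):
    # Called by Panther when the rule matches (assumed Panther rule convention).
    return build_alert_context(event)
```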