Why am I receiving an "alert_context size bigger than maximum" error in Panther?
Last updated: September 3, 2024
Issue
When I receive an alert from a webhook, the alert context displays an error:
"_error": "alert_context size is [601786] characters, bigger than maximum of [204800] characters"
Resolution
To resolve this issue:
1. Optimize and reduce the amount of information output through the alert_context field.
2. Use the Panther API to query the events from the alert instead of trying to output all the information through the alert_context field. The entire rule match is written to the data lake, so you can extract all the information you need with a Panther API data lake query.
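As an added illustration (not code from this article or from Panther's own detection packs), the following Python rule shows the first approach: the alert_context function returns only the triage fields an analyst needs and checks the serialized size against the 204800-character maximum from the error above, so the alert never fails on an oversized payload. The event structure, field names and the rule logic are constructed for this example.

```python
import json

# Maximum serialized alert_context size, taken from the error message in this article.
MAX_ALERT_CONTEXT_CHARS = 204800

# Constructed sample event for demonstration; in Panther the event is supplied to rule()
# and alert_context() by the platform. The "blob" field stands in for an oversized value.
SAMPLE_EVENT = {
    "eventName": "ConsoleLogin",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
    "sourceIPAddress": "198.51.100.10",
    "responseElements": {"ConsoleLogin": "Success"},
    "requestParameters": {"blob": "x" * 300000},
}


def rule(event):
    # Hypothetical detection logic: match every console login event.
    return event.get("eventName") == "ConsoleLogin"


def alert_context(event):
    # Return only the handful of fields needed for triage instead of the whole event.
    # The full rule match is already stored in the data lake and can be retrieved
    # later through the Panther API, so nothing is lost by trimming here.
    ctx = {
        "eventName": event.get("eventName"),
        "actorArn": (event.get("userIdentity") or {}).get("arn"),
        "sourceIPAddress": event.get("sourceIPAddress"),
        "result": (event.get("responseElements") or {}).get("ConsoleLogin"),
    }
    return bounded_context(ctx)


def bounded_context(ctx):
    # Defensive size check: if the serialized context still exceeds the limit,
    # emit a small marker instead of letting the alert fail with the "_error" above.
    size = len(json.dumps(ctx))
    if size > MAX_ALERT_CONTEXT_CHARS:
        return {"_truncated": True, "serialized_size": size,
                "hint": "query the full event from the data lake via the Panther API"}
    return ctx


def serialized_size(obj):
    # Helper used to compare the raw event size with the trimmed context size.
    return len(json.dumps(obj))
```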
Cause
This issue occurs when too much information is passed through the alert_context field: the serialized alert_context exceeds Panther's maximum of 204800 characters.