Overcoming 20 MB Limitation for Data Archiving in Google SecOps SOAR

Hello,

I’m looking to implement an automated process using Google SecOps SOAR to retrieve security event data from external SIEM solutions and archive it to a file share. However, the data I need to archive frequently exceeds the 20 MB limit, which poses significant challenges for using playbooks to automate this process.

Are there any alternative approaches or features within SecOps SOAR that could help handle larger data sizes? Or would it be more practical to consider other tools for this use case?

I appreciate any guidance you can provide.

Solved
1 ACCEPTED SOLUTION

For large file/object handling you might need to use external tools (e.g. cloud functions) where SOAR would receive the trigger, prepare/triage the overall flow, but then call an external script to actually pull/push the large data object.

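The split SoarAndy describes, as an added example that is not from this thread or from Google SecOps: a framework-agnostic Python routine meant to run in an external function (a Cloud Function or similar) that pages through a SIEM export, streams each page straight to the archive destination, and hands the playbook only a small manifest (size, page count, SHA-256), so nothing near the 20 MB ceiling ever passes through SOAR. The page-fetcher contract, the sink, and the fake SIEM used for the demo are assumptions.

```python
import hashlib
import json
from typing import Callable, Optional, Tuple

SOAR_RESULT_LIMIT = 20 * 1024 * 1024  # the 20 MB ceiling discussed in the thread

# Assumed pager contract: given a page token (None for the first page), return
# (ndjson_bytes, next_token); next_token is None once the last page is served.
PageFetcher = Callable[[Optional[str]], Tuple[bytes, Optional[str]]]


def archive_events(fetch_page: PageFetcher, sink, max_pages: int = 10_000) -> dict:
    """Stream every page into `sink` (anything with .write(bytes): a file on the
    share, a blob writer) without buffering the result set; return a manifest."""
    digest = hashlib.sha256()
    total = pages = 0
    token: Optional[str] = None
    while True:
        data, token = fetch_page(token)
        sink.write(data)
        digest.update(data)
        total += len(data)
        pages += 1
        if token is None:
            break
        if pages >= max_pages:  # guard against a broken pager that never ends
            raise RuntimeError("page limit reached before the SIEM reported the last page")
    return {"bytes": total, "pages": pages, "sha256": digest.hexdigest()}


def manifest_fits_soar(manifest: dict) -> bool:
    """Only the manifest goes back to the playbook; confirm it is tiny."""
    return len(json.dumps(manifest).encode()) < SOAR_RESULT_LIMIT


def make_fake_siem(total_bytes: int, page_bytes: int) -> PageFetcher:
    """Constructed stand-in for a paginated SIEM export (demo data, not a real API)."""
    line = b'{"event":"x"}\n'

    def fetch_page(token: Optional[str]) -> Tuple[bytes, Optional[str]]:
        offset = int(token or 0)
        data = (line * (page_bytes // len(line) + 1))[: min(page_bytes, total_bytes - offset)]
        nxt = offset + len(data)
        return data, (str(nxt) if nxt < total_bytes else None)

    return fetch_page


if __name__ == "__main__":
    siem = make_fake_siem(total_bytes=25 * 1024 * 1024, page_bytes=1024 * 1024)
    with open("archive.ndjson", "wb") as share_file:  # stand-in for the file share
        print(archive_events(siem, share_file))       # 25 MB archived, manifest stays small
```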

4 REPLIES

Could you share how you are currently attempting to move the files? Please include the list of integrations being used and a list of each action used. Also, what is the final destination of the files? With this information we might be able to come up with suggestions.


Thank you for the reply @SoarAndy . I have one follow-up question if you don't mind:

Is it possible for the trigger for the SOAR playbook to be an external HTTP request?

Sure, there is an integration called HTTPv2 (our second integration, not the HTTP 2 protocol lol) that is similar to Postman and can do most types of outbound requests you can configure.

For inbound, please see WebHooks or API.
Andy