From d0fa6eaf83f8fe5b0d704d3d851886eeaed879eb Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Wed, 29 Jan 2025 15:48:48 -0700
Subject: [PATCH 1/2] New Limit on Bulk Creating Related Events Used by the UI and API to hint at a user that not every event will be attached to a case. Supports values up to 10,000 (the default limit on the number of documents returned by a single ES search).
---
 salt/soc/defaults.yaml | 1 +
 salt/soc/soc_soc.yaml | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 97a24ead7..b97ba11e6 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2147,6 +2147,7 @@ soc:
 eventFetchLimit: 500
 relativeTimeValue: 24
 relativeTimeUnit: 30
+ maxBulkEscalateEvents: 100
 mostRecentlyUsedLimit: 5
 ackEnabled: true
 escalateEnabled: true
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index a667d1f7a..ea651cb47 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -496,7 +496,11 @@ soc:
 global: True
 advanced: True
 forcedType: "[]{}"
- alerts: *appSettings
+ alerts:
+ <<: *appSettings
+ maxBulkEscalateEvents:
+ description: Maximum number of events to escalate in a single bulk escalation.
+ global: True
 cases: *appSettings
 dashboards: *appSettings
 detections:
From 23ebe966e0f73b9d4a41ba3187ef7f2816a29bfa Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Tue, 4 Feb 2025 10:33:04 -0700
Subject: [PATCH 2/2] Added Large Values Warning maxBulkEscalateEvents now has a warning that large values may run into other limits.
---
 salt/soc/soc_soc.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index ea651cb47..8d6bab06b 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
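Review bot: The new default `maxBulkEscalateEvents: 100` in defaults.yaml gives no indication of its permitted range, although the commit message says the value is only meaningful up to 10,000 (the default document limit of a single ES search) and that the UI and API treat it as a hint. An operator raising this default in a Salt pillar therefore cannot tell from the file whether a value above that bound is clamped by the backend or quietly yields a partial escalation; the consuming code is not part of this patch, so that cannot be confirmed here. A one-line comment above the key would record the constraint where it is read: `# Hint for the UI/API; values above 10000 exceed the default number of documents a single ES search returns`. If the backend does not already clamp the configured value, that is the place the bound should be enforced rather than only documented in this default.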
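Review bot: The new `maxBulkEscalateEvents` entry under `alerts` in soc_soc.yaml declares only `description` and `global` and otherwise inherits whatever `*appSettings` defines through the merge key, so nothing in this hunk constrains the setting to an integer or to the 10,000 upper bound named in the commit message; whether the anchor (defined outside this hunk) supplies a `forcedType` that does so should be checked. The description also leaves the bound unstated, and the follow-up hunk in the second patch of this series only appends `Large values may run into other limits.` without naming the limit. Stating it removes the guesswork for operators: `description: Maximum number of events to escalate in a single bulk escalation. Values above 10000 exceed the default number of documents a single Elasticsearch search returns.` The `<<` merge key is a YAML 1.1 extension; it is presumably accepted by Salt's loader, but it is worth confirming that any other tooling that reads this file expands it, since the sibling entries still use plain aliases.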
@@ -499,7 +499,7 @@ soc:
 alerts:
 <<: *appSettings
 maxBulkEscalateEvents:
- description: Maximum number of events to escalate in a single bulk escalation.
+ description: Maximum number of events to escalate in a single bulk escalation. Large values may run into other limits.
 global: True
 cases: *appSettings
 dashboards: *appSettings