By default, runZero will send up to 25 assets via an email event rule, and up to 10 via a WebHook. Whether the set of assets was cut short is available as query.truncated or report.truncated, depending on whether the event rule was a query rule or a rule reporting results of a task.
Some restriction on the number of assets is required because a single task could result in 100,000 assets being found. If the event rule tried to forward all of those via WebHook or email, it would likely fail.
There’s no standard for how much data a WebHook endpoint must accept, and some common services impose tight limits. For example, Slack requires that WebHook text be no more than 40,000 characters. Since notifications to systems like Slack are a key use of event rules, we limit the number of assets to make it unlikely that you will exceed that limit.
To get around the limits on WebHook data, you can use the runZero API. The task ID can be sent via WebHook, and your WebHook endpoint could then call the runZero API to fetch all of the assets seen by that task, using the last_seen_task search keyword.
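One way a WebHook endpoint could do this, as an added example that is not runZero's own code. It assumes your WebHook body template emits JSON with the hypothetical fields task_id and truncated, that the asset export endpoint is at the URL shown, that the search takes the form last_seen_task:<id>, and that the API accepts a bearer token; check each against the API documentation for your console.

```python
import json
import re
import urllib.parse
import urllib.request

# Assumption: asset export endpoint; confirm the path for your console.
EXPORT_URL = "https://console.runzero.com/api/v1.0/export/org/assets.json"
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Constructed sample of a WebHook body (field names are hypothetical).
SAMPLE_BODY = b'{"task_id": "11111111-2222-3333-4444-555555555555", "truncated": true}'


def parse_notification(body: bytes):
    """Return (task_id, truncated); raise ValueError on malformed input."""
    data = json.loads(body)  # JSONDecodeError is a ValueError
    if not isinstance(data, dict):
        raise ValueError("WebHook body must be a JSON object")
    task_id = str(data.get("task_id", "")).lower()
    # The ID ends up inside a search expression, so accept a UUID only.
    # Anything else could smuggle extra search terms into the query.
    if not UUID_RE.fullmatch(task_id):
        raise ValueError("task_id is not a UUID")
    return task_id, data.get("truncated") is True


def build_export_request(task_id: str, token: str) -> urllib.request.Request:
    """Build the API request for every asset last seen by the given task."""
    query = urllib.parse.urlencode({"search": f"last_seen_task:{task_id}"})
    req = urllib.request.Request(f"{EXPORT_URL}?{query}")
    # Assumption: bearer-token authentication with an API token.
    req.add_header("Authorization", f"Bearer {token}")
    return req


def fetch_assets(task_id: str, token: str, timeout: float = 30.0):
    """Call the API and return the decoded JSON list of assets."""
    req = build_export_request(task_id, token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def handle_notification(body: bytes, token: str):
    """Fetch the full asset list only when the notification was cut short."""
    task_id, truncated = parse_notification(body)
    return fetch_assets(task_id, token) if truncated else None
```

Keep the API token in the endpoint's own secret store rather than in the WebHook template, so it never travels in the notification itself.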