Solved

Any Limitations of Using Global Context Value for IOC Enrichment Caching in SecOps SOAR?

  • March 19, 2026
  • 6 replies
  • 81 views

soaruser

I’m currently using global context to store enriched IOC data so that when a new case arrives, I can reuse previously enriched results instead of calling enrichment integrations again.

This helps reduce API calls and speeds up investigations.

However, I’m concerned about long-term scalability:

  • Will global context size become a limitation?

  • Can this impact performance over time?
     

P.S. I’m aware that Data Tables can be used for persistence, but I’m intentionally trying to avoid using them in this design.


Thank you :)


6 replies

SoarAndy
  • Staff
  • March 23, 2026

You’re right, it’s not a great idea.


Two notes about context: i) the key is cached, so if you start to use the IOC identifier as the key, it will scale badly. ii) the system (AFAIK, unless it changed) isn’t designed for a large volume of data; a verdict should be OK, but e.g. 200KB of HTML structure would be bad.

 

Ideally this would be handled by a TIP, a single data table would also be better as you suggested.

Thanks

Andy


soaruser
  • Author
  • Bronze 1
  • March 23, 2026

Hi @SoarAndy
Thanks for your response.
1. The size of the IOC enrichment info would not be bigger than 5KB (verdict from 2 reputation sites and WHOIS info).
I am relying on this because using a Data Table is not an available option for me.
And I didn’t see any Google documentation showing how we can access Entity Explorer values via API or SOAR Action in upcoming cases. (Otherwise I would have used this feature by storing IOC enrichment info in Entity Explorer and accessing it in upcoming cases.)


SoarAndy
  • Staff
  • March 24, 2026

The majority of entity data is Alert scoped. This is a design approach as many entity attributes fluctuate (risk, reputation, resolution, dns, dhcp, etc), and a TIP should be used for IOC sharing between platforms. So pulling from entities is not ideal.

Have you considered custom lists? They scale to hundreds of thousands and have Actions in the content hub. They are an older version of data tables, but have similar functionality (but a bit smaller on scale).

 


soaruser
  • Author
  • Bronze 1
  • March 24, 2026

You are right, but we don't use an external TIP platform for IOC sharing.

And I checked Custom Lists, but the problem is that it has only 2 fields, Entity Identifier and Category, and doesn't allow me to store a large description.

 


SoarAndy
  • Staff
  • Answer
  • March 24, 2026

You could smuggle some data in. Having the category as the IOC allows you to recall it specifically, and then have the value as a JSON, allowing prescriptive data structure.   


Alternatively, something more scalable (and free) enter this prompt into Gemini to build you a persistent TIP :)

 

nodejs server file, to listen on port 8080 and act as a simple TIP. Allow API calls to store a value against an IOC, and retrieve in a query. Very briefly advise the tech stack, a simple script, and provide a simple tech diagram. IOC storage should be persistent over reboots. Node should listen on any IP, and apply source IP filtering to a CIDR
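
One way the service described in that prompt could look, as an added example that is not part of the original post and not Gemini output. The `/ioc/<indicator>` route, the `TIP_STORE` and `TIP_CIDR` variables, the store file path and the `10.0.0.0/8` range are assumptions.

```javascript
const http = require('http'), fs = require('fs'), net = require('net');
const STORE_PATH = process.env.TIP_STORE || './ioc-store.json'; // assumed file location
const ALLOWED_CIDR = process.env.TIP_CIDR || '10.0.0.0/8';      // assumed SOAR source range
const MAX_BODY = 8 * 1024; // the thread expects under 5KB of enrichment per IOC

// Returns a predicate that is true only for source addresses inside the CIDR.
function makeFilter(cidr) {
  const [prefix, bits] = cidr.split('/');
  const list = new net.BlockList();
  list.addSubnet(prefix, Number(bits), net.isIPv6(prefix) ? 'ipv6' : 'ipv4');
  return (addr) => {
    const ip = String(addr).replace(/^::ffff:/i, ''); // dual-stack sockets map IPv4 this way
    return net.isIP(ip) !== 0 && list.check(ip, net.isIPv6(ip) ? 'ipv6' : 'ipv4');
  };
}

// File-backed store. A Map keeps IOC strings such as "__proto__" away from object prototypes.
function openStore(path) {
  const saved = fs.existsSync(path) ? JSON.parse(fs.readFileSync(path, 'utf8')) : {};
  const data = new Map(Object.entries(saved));
  return {
    get: (ioc) => data.get(ioc) || null,
    put(ioc, value) {
      data.set(ioc, { value, storedAt: new Date().toISOString() });
      fs.writeFileSync(path + '.tmp', JSON.stringify(Object.fromEntries(data)));
      fs.renameSync(path + '.tmp', path); // replace atomically so a crash cannot truncate the store
    },
  };
}

// GET /ioc/<indicator> returns the cached record; PUT /ioc/<indicator> stores a JSON body.
function makeHandler(store, allowed) {
  return (req, res) => {
    const send = (code, obj) => { res.writeHead(code, { 'Content-Type': 'application/json' }); res.end(JSON.stringify(obj)); };
    if (!allowed(req.socket.remoteAddress)) return send(403, { error: 'source address not allowed' });
    let ioc = '';
    try { ioc = decodeURIComponent((req.url.match(/^\/ioc\/([^?]+)/) || [])[1] || ''); } catch { /* malformed escape: no match */ }
    if (!ioc) return send(404, { error: 'use /ioc/<indicator>' });
    if (req.method === 'GET') return send(store.get(ioc) ? 200 : 404, store.get(ioc) || { error: 'not cached' });
    if (req.method !== 'PUT') return send(405, { error: 'GET or PUT only' });
    let body = '';
    req.setEncoding('utf8').on('data', (chunk) => { body += chunk; if (body.length > MAX_BODY) req.destroy(); });
    req.on('end', () => {
      try { store.put(ioc, JSON.parse(body)); send(200, { stored: ioc }); } catch { send(400, { error: 'not stored: body must be valid JSON' }); }
    });
  };
}
// Start only when run as `node tip.js serve`; binds all interfaces, as the prompt asks.
if (process.argv[2] === 'serve')
  http.createServer(makeHandler(openStore(STORE_PATH), makeFilter(ALLOWED_CIDR))).listen(8080, '0.0.0.0');
```

The source filter is the only access control here, so the CIDR should cover just the SOAR egress addresses. Each record carries `storedAt` so a playbook can re-enrich when a cached verdict is too old.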

 


soaruser
  • Author
  • Bronze 1
  • March 24, 2026

Looks great, I can try this with category as IOC and its enrichment data in the Entity identifier.

For TIP setup: I can think of it as a strategic solution.

 

Thank you for your time and support.