Hi Google Team,
We have successfully integrated Microsoft Intune logs into Google SecOps using a third-party Graph API feed. The feed configuration appears to be working — logs are being ingested and the feed shows a healthy status.
However, we've noticed a significant discrepancy in log size:
- **In Google SecOps (via the feed):** Ingested log size is approximately **40 KB**
- **Manual API retrieval (direct Graph API call):** The same file/export is approximately **6 MB**
This is roughly a 150x difference, which strongly suggests that the feed is either truncating or only partially ingesting the log data.
**What we've already ruled out:**
- Feed configuration is confirmed successful with no visible errors
- Authentication against the Microsoft Graph API is working correctly
- We have verified via direct API calls that pagination exists in the returned logs file and the full dataset is returned when querying manually
**Questions:**
1. Is there a known ingestion size cap or event limit per feed cycle for third-party Graph API feeds in Google SecOps?
2. Could the feed be silently truncating payloads beyond a certain size threshold?
3. Are there any feed-level or forwarder-level settings (e.g., max payload size, batch size limits) that could explain why only ~40 KB out of ~6 MB is making it through?
4. Is there a way to enable verbose feed logging to identify exactly where the data loss is occurring?
Any insight from the community or Google SecOps team would be greatly appreciated.
