Skip to main content
Question

What is the maximum number of entries allowed in a Reference List?

  • April 22, 2026
  • 1 reply
  • 26 views
desertfalcon

Hi everyone,

I'm working with Reference Lists in Google SecOps (Chronicle) and planning to use them to store IOCs (Indicators of Compromise) such as IPs, domains, hashes, and URLs for detection rules.

Before I start populating them at scale, I'd like to confirm a few things:

  1. What is the maximum number of entries a single Reference List can hold?
  2. Is there a size limit (in MB/KB) per Reference List, in addition to or instead of an entry count limit?
  3. Are the limits different based on the list type (e.g., String, Regex, CIDR)?
  4. Is there a limit on the total number of Reference Lists per tenant/instance?
  5. If I exceed the limit, what's the recommended approach — splitting IOCs across multiple lists, or another mechanism?

Any pointers to official documentation or real-world experience with large IOC lists would be greatly appreciated.

Thanks in advance!

1 reply

cmorris
Staff
Forum|alt.badge.img+12
  • cmorris
  • Staff
  • April 22, 2026

There are size limits, max number of line limits, and max number of character limits that all vary by the list type - https://docs.cloud.google.com/chronicle/docs/reference/service-limits#reference_list_limits

 

Note that reference lists are being deprecated and replaced with data tables - https://docs.cloud.google.com/chronicle/docs/deprecations#:~:text=the%20forwarder%20component.-,Reference%20lists,-June%202026.

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.