There are two things you could do:
Scheduling is done at the receiver. You can define a daily data pull. So for example, you could schedule the pull between 6:00 PM and 7:00 AM
The advantage of course would be that the pull would be off hours, so employee's work would not be affected.
The disadvantage would be that this would affect aggregation, potentially affect the ESM (pulling events in the past)
Go to device properties
Click on Events, Flows and Logs
See checkbox "Define daily data pull time range"
Throttling is the other option. (Outbound traffic Control)
This would throttle the throughputo on all NIC's on specifed IP ranges or device to a certain bandwidth. This would allow the network to continue to function under low bandwith conditions
The disadvantage is potential dala loss, or loss orf communication to the device if throttle is set too low.
We have to deal with this quite a lot. What we have done so far is (1) increase polling rate so that the amount of information pulled each time is reduced. This evens out the load on the link a bit, more smaller spikes. (2) Use QoS policies to limit the maximum link utilisation. (3) Reduce volume by adjusting the audit settings on the systems in question. Not great and event storms can still make a mess of the link but works most of the time.