The Alerts Overflow mechanism was designed to prevent the system from being flooded when many alerts from the same environment, product and rule occur within a short period of time. The default threshold is more than 50 alerts in 10 minutes.
When this mechanism is configured, an Overflow case is added to the case queue instead of one case per alert. It contains a single alert that indicates the environment, product and rule of the overflowing alerts, and it carries an Overflow tag.
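As an added illustration (not code from the product or its documentation), the following simulation shows the overflow threshold described above: alerts sharing environment, product and rule are counted in a sliding 10-minute window, and once the count exceeds 50 a single Overflow case is opened in place of further per-alert cases. The function and field names, the sample alerts, and the behaviour after the Overflow case opens (it absorbs alerts until the rate drops back under the limit) are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Defaults stated on the page: more than 50 alerts in 10 minutes.
OVERFLOW_LIMIT = 50
OVERFLOW_WINDOW = timedelta(minutes=10)

def route_alerts(alerts, limit=OVERFLOW_LIMIT, window=OVERFLOW_WINDOW):
    """Simulate overflow handling for a time-ordered list of alert dicts
    with 'time', 'environment', 'product' and 'rule' keys.
    Returns (cases, overflow_cases). An Overflow case carries one summary
    alert plus a count of the alerts it absorbed (assumed behaviour)."""
    recent = defaultdict(deque)      # key -> timestamps inside the window
    open_overflow = {}               # key -> currently active Overflow case
    cases, overflow_cases = [], []
    for alert in alerts:
        key = (alert["environment"], alert["product"], alert["rule"])
        window_hits = recent[key]
        window_hits.append(alert["time"])
        # Drop timestamps that have aged out of the sliding window.
        while alert["time"] - window_hits[0] > window:
            window_hits.popleft()
        if len(window_hits) > limit:
            if key not in open_overflow:
                # First alert over the limit opens the one Overflow case,
                # whose single alert names the environment, product and rule.
                summary = {"environment": key[0], "product": key[1], "rule": key[2]}
                case = {"tags": ["Overflow"], "alert": summary, "absorbed": 0}
                open_overflow[key] = case
                overflow_cases.append(case)
            else:
                open_overflow[key]["absorbed"] += 1
            continue
        # Rate back at or under the limit: this key routes normally again.
        open_overflow.pop(key, None)
        cases.append({"tags": [], "alert": alert})
    return cases, overflow_cases

def constructed_burst():
    """Constructed sample: 60 alerts in one minute from one rule, plus
    3 alerts from a second rule in the same environment and product."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    burst = [{"time": t0 + timedelta(seconds=i), "environment": "prod",
              "product": "EDR", "rule": "Suspicious PowerShell"} for i in range(60)]
    quiet = [{"time": t0 + timedelta(seconds=20 * i), "environment": "prod",
              "product": "EDR", "rule": "New Local Admin"} for i in range(3)]
    return sorted(burst + quiet, key=lambda a: a["time"])
```

With the constructed burst, the first 50 alerts of the noisy rule still get their own cases; alert 51 opens the Overflow case and the remaining 9 are absorbed into it, while the quiet rule is unaffected.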
The Alert Grouping mechanism was designed to group alerts into cases intelligently, by mutual entities and time proximity, so that the analyst can perform contextual analysis of multiple alerts in one case.
In practice, a single case may therefore contain multiple alerts, with the mutual entities marked in the entities list and on the Explorer screen.