What is the difference between Alert Grouping and Alert Overflow?
The Alert Overflow mechanism protects the system from being flooded when many alerts from the same environment, product and rule arrive within a short period of time. The default threshold is more than 50 such alerts in 10 minutes.
When overflow is configured and that threshold is crossed, a single Overflow case is added to the case queue in place of the flood of individual alerts. It contains one alert that identifies the environment, product and rule of the overflowing alerts, and it carries an Overflow tag.
The Alert Grouping mechanism intelligently groups alerts into cases by mutual entities and time proximity, so the analyst can perform contextual analysis of several related alerts in one case.
In practice this means you see multiple alerts in one case, with the entities they share marked in the entities list and on the Explorer screen.
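To make the two mechanisms concrete, here is an added illustrative model of both, written for this page; it is not the vendor's code and does not claim to match the platform's internal algorithm. It assumes the page's overflow default (more than 50 alerts per environment/product/rule in 10 minutes), an assumed 30-minute "time proximity" window for grouping (the page states no value), and that alerts sharing at least one entity within that window belong in the same case. The alert data is constructed for the example.

```python
"""Illustrative model of Alert Overflow and Alert Grouping (assumed behaviour, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

OVERFLOW_LIMIT = 50                      # page default: more than 50 alerts ...
OVERFLOW_WINDOW = timedelta(minutes=10)  # ... from one environment/product/rule in 10 minutes
GROUPING_WINDOW = timedelta(minutes=30)  # assumed "time proximity" for grouping (not stated on the page)


class OverflowGuard:
    """Sliding-window counter keyed on (environment, product, rule)."""

    def __init__(self, limit=OVERFLOW_LIMIT, window=OVERFLOW_WINDOW):
        self.limit, self.window = limit, window
        self._times = defaultdict(deque)   # key -> timestamps still inside the window
        self.overflow_cases = {}           # key -> the single representative alert of the Overflow case

    def ingest(self, alert):
        """Return the alert if it may enter the queue, or None if it was folded into an Overflow case."""
        key = (alert["environment"], alert["product"], alert["rule"])
        q = self._times[key]
        q.append(alert["time"])
        while alert["time"] - q[0] > self.window:   # evict timestamps older than the window
            q.popleft()
        if len(q) <= self.limit:
            return alert
        # More than `limit` alerts in the window: open one Overflow case per key (only once)
        # and swallow the rest, so a noisy rule cannot flood the case queue.
        self.overflow_cases.setdefault(key, {
            "environment": alert["environment"], "product": alert["product"],
            "rule": alert["rule"], "tags": ["Overflow"]})
        return None


class AlertGrouper:
    """Union-find over alerts: two alerts join one case when they share an entity within the window."""

    def __init__(self, window=GROUPING_WINDOW):
        self.window = window
        self._last_seen = {}   # entity -> (time, alert id) of the most recent alert naming it
        self._parent = {}      # union-find parent pointers keyed by alert id

    def _find(self, a):
        while self._parent[a] != a:
            self._parent[a] = self._parent[self._parent[a]]   # path halving
            a = self._parent[a]
        return a

    def _union(self, a, b):
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self._parent[rb] = ra

    def add(self, alert):
        aid = alert["id"]
        self._parent.setdefault(aid, aid)
        for ent in alert["entities"]:
            prev = self._last_seen.get(ent)
            if prev and alert["time"] - prev[0] <= self.window:
                self._union(prev[1], aid)        # mutual entity and close in time -> same case
            self._last_seen[ent] = (alert["time"], aid)

    def cases(self):
        out = defaultdict(set)
        for aid in self._parent:
            out[self._find(aid)].add(aid)
        return list(out.values())


def mutual_entities(case_ids, alerts_by_id):
    """Entities named by at least two alerts of the case (what the entities list would highlight)."""
    counts = defaultdict(int)
    for aid in case_ids:
        for ent in set(alerts_by_id[aid]["entities"]):
            counts[ent] += 1
    return {e for e, n in counts.items() if n >= 2}


def triage(alerts):
    """Run alerts through overflow protection first, then group the survivors into cases."""
    guard, grouper = OverflowGuard(), AlertGrouper()
    kept = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        if guard.ingest(alert) is not None:
            kept.append(alert)
            grouper.add(alert)
    return guard.overflow_cases, grouper.cases(), kept


def sample_alerts():
    """Constructed sample: one rule firing 60 times in 10 minutes, plus a 4-alert port-scan chain."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    alerts = [{"id": f"bf-{i}", "environment": "prod", "product": "EDR", "rule": "Brute force",
               "time": t0 + timedelta(seconds=10 * (i - 1)), "entities": ["10.0.0.5"]}
              for i in range(1, 61)]
    chain = [("ps-1", 60, ["10.1.1.1", "srv-db"]), ("ps-2", 65, ["srv-db", "user:alice"]),
             ("ps-3", 70, ["user:alice"]), ("ps-4", 180, ["user:alice"])]   # ps-4 is too far in time
    alerts += [{"id": i, "environment": "prod", "product": "Firewall", "rule": "Port scan",
                "time": t0 + timedelta(minutes=m), "entities": e} for i, m, e in chain]
    return alerts


if __name__ == "__main__":
    overflow, cases, kept = triage(sample_alerts())
    print(f"{len(kept)} alerts entered the queue; Overflow cases opened for: {list(overflow)}")
    by_id = {a["id"]: a for a in kept}
    for case in cases:
        print(sorted(case), "mutual entities:", mutual_entities(case, by_id))
```

Running it shows the two mechanisms acting in sequence: the 51st to 60th brute-force alerts never reach the queue and are represented by one Overflow-tagged case, while the first 50 (and the port-scan alerts that share `srv-db` and `user:alice` within the window) are grouped into cases whose mutual entities are listed; `ps-4` names the same user but arrives too late to join, so it opens a case of its own.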