
1) For how long can grouping be done (duration)?

2) Can it support grouping on a rule-by-rule basis (every rule has its own criteria)?

3) On every frequency, does it create a new case, or will the alerts be throttled for the amount of time specified?

 

Here is the documentation page on alert grouping


https://cloud.google.com/chronicle/docs/soar/investigate/working-with-alerts/alert-grouping-mechanism-admin


Grouping can be set from 30 min out to 24 hours per the docs; you can define the number of alerts that are grouped into a single case, and if you exceed that, overflow cases will be added. The grouping can be on a number of different options; for instance, we have set up grouping on the internal IP or hostname in some cases, or on an internal user, with the assumption that these are the assets and users targeted. I found that this portion of the grouping is the one that takes a bit of testing to ensure you are getting your grouping set how you would want it.


I found this example in the doc; is the number of alerts for the overflow case set to 30?

"For example, 50 phishing alerts are ingested within 8 minutes. The 51st alert is then shunted off into an overflow case.
Over the next three hours another 119 phishing alerts are ingested. This means that four overflow cases are created. Each case containing 30 alerts. Once the three hours are up, we go back to default status."


There are two separate settings: an initial value for alert grouping, which is capped at 30, and then, if it is an overflow case, a separate value, up to 100, defined for these overflow cases. Both can have their own time ranges assigned to them.


I think we may need to review that example a bit and see if we can't be a bit more clear.
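To make the two-tier behaviour discussed above concrete, here is a small simulation of alert grouping with overflow cases. It is an added example written for this thread, not Chronicle SOAR's own code or API: the window, initial cap and overflow cap are modelled as plain parameters (the assumption being a single grouping window per group key and a fresh initial case once that window lapses), and the alert timestamps are constructed sample input. The replay uses the numbers from the doc example quoted above (50 alerts in the initial case, overflow cases of 30, a three-hour window) as configuration values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class Case:
    key: str                  # grouping key, e.g. rule name, hostname or user
    kind: str                 # "initial" or "overflow"
    opened_at: datetime
    alerts: List[dict] = field(default_factory=list)


@dataclass
class GroupingConfig:
    window: timedelta         # docs: configurable from 30 min up to 24 h
    initial_cap: int          # per the thread: capped at 30 in the product
    overflow_cap: int         # per the thread: up to 100 in the product


@dataclass
class _GroupState:
    initial: Case
    overflow: Optional[Case] = None


class AlertGrouper:
    """Simplified model of alert grouping with overflow cases (an assumption
    for illustration, not Chronicle's implementation)."""

    def __init__(self, config: GroupingConfig, key_fn: Callable[[dict], str]):
        self.config = config
        self.key_fn = key_fn          # lets each rule/asset define its own grouping key
        self.cases: List[Case] = []
        self._state: Dict[str, _GroupState] = {}

    def _new_case(self, key: str, kind: str, ts: datetime) -> Case:
        case = Case(key, kind, ts)
        self.cases.append(case)
        return case

    def ingest(self, alert: dict) -> Case:
        key = self.key_fn(alert)
        ts = alert["ts"]
        state = self._state.get(key)
        # No open group, or the window has lapsed: back to default status,
        # so the alert opens a fresh initial case.
        if state is None or ts - state.initial.opened_at >= self.config.window:
            state = _GroupState(initial=self._new_case(key, "initial", ts))
            self._state[key] = state
        target = state.initial
        if len(target.alerts) >= self.config.initial_cap:
            # Initial case is full: route to the current overflow case,
            # opening a new overflow case whenever that one is full too.
            if state.overflow is None or len(state.overflow.alerts) >= self.config.overflow_cap:
                state.overflow = self._new_case(key, "overflow", ts)
            target = state.overflow
        target.alerts.append(alert)
        return target


def make_alerts(n: int, start: datetime, span: timedelta, rule: str = "phishing") -> List[dict]:
    """Constructed sample input: n alerts spread evenly over `span` from `start`."""
    step = span / n
    return [{"ts": start + step * i, "rule": rule, "id": i} for i in range(n)]


def replay_doc_example() -> List[Case]:
    """Replays the doc example: 50 alerts in 8 minutes fill the initial case,
    then the 51st onward (120 alerts within the 3-hour window) land in
    overflow cases of 30, giving four overflow cases."""
    cfg = GroupingConfig(window=timedelta(hours=3), initial_cap=50, overflow_cap=30)
    grouper = AlertGrouper(cfg, key_fn=lambda a: a["rule"])
    t0 = datetime(2024, 1, 1, 9, 0)
    alerts = make_alerts(50, t0, timedelta(minutes=8))
    alerts += make_alerts(120, t0 + timedelta(minutes=8), timedelta(hours=2, minutes=50))
    for a in alerts:
        grouper.ingest(a)
    return grouper.cases


def window_reset_demo() -> List[str]:
    """Groups by hostname with tiny caps to show the window lapsing: the alert
    at minute 31 opens a new initial case instead of joining the old overflow."""
    cfg = GroupingConfig(window=timedelta(minutes=30), initial_cap=2, overflow_cap=2)
    grouper = AlertGrouper(cfg, key_fn=lambda a: a["host"])
    t0 = datetime(2024, 1, 1, 9, 0)
    kinds = []
    for minute in (0, 1, 2, 3, 31):
        case = grouper.ingest({"ts": t0 + timedelta(minutes=minute), "host": "ws-042"})
        kinds.append(case.kind)
    return kinds


if __name__ == "__main__":
    for c in replay_doc_example():
        print(c.kind, c.opened_at.time(), len(c.alerts))
    print(window_reset_demo())
```

Running the replay gives one initial case of 50 and four overflow cases of 30, which is the count the doc example describes; the second demo shows the per-key window reset, which is the part of the behaviour worth testing with your own caps and window before relying on it in production.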




Hi @jstoner

How to set a padding period for the connector?



I tested overflow; I could see that the number of alerts triggered and the number of alerts ingested were not matching.

