Thanks @Idan Patelsky

Just to clarify, so for example, lets say i set the grouping time frame to an hour.
Max alert grouped into a case is 5

Alert 1 time: 7pm
Alert 2 time: 7:30pm
Alert 3 time: 8:30pm

So the first time the connector ran and pulled in these 3 alerts, are they all grouped into same case? Notice that Alert 3 generated time is an hour 30 minutes from the first one. So does Siemplify group only alert 1 and 2 or the 3 are grouped into same case? And also when a new alert is added to a case, does the 1 hour time frame starts counting for each alert individually and in as much the Max alert allowed in a case is not met, the alert gets added to the case?
Just trying to clarify this based on some observations

this is a great question! I’m also curious to know the answer

@Joseph Time proximity is another factor (not the sole one) enabling the system to group related alerts.
In your example, alert 1&2 or alert 2&3 can be grouped together depends on other factors (for example: shared entities), but alerts 1&3 won't be grouped because time proximity criteria wasn't met.

Alright @Idan Patelsky , thanks