
Commit 44f7fbf

Tweak
1 parent e4a9c24 commit 44f7fbf

1 file changed

+5
-1
lines changed

articles/sentinel/detect-threats-custom.md

Lines changed: 5 additions & 1 deletion
@@ -201,7 +201,11 @@ In the **Alert grouping** section, if you want a single incident to be generated
201201
- **Re-open closed matching incidents**: If an incident has been resolved and closed, and later on another alert is generated that should belong to that incident, set this setting to **Enabled** if you want the closed incident re-opened, and leave as **Disabled** if you want the alert to create a new incident.
202202
203203
> [!NOTE]
204-
> **Up to 150 alerts** can be grouped into a single incident. If more than 150 alerts are generated by a rule that groups them into a single incident, a new incident will be generated with the same incident details as the original, and the excess alerts will be grouped into the new incident.
204+
>
205+
> **Up to 150 alerts** can be grouped into a single incident.
206+
> - The incident will only be created after all the alerts have been generated. All of the alerts will be added to the incident immediately upon its creation.
207+
>
208+
> - If more than 150 alerts are generated by a rule that groups them into a single incident, a new incident will be generated with the same incident details as the original, and the excess alerts will be grouped into the new incident.
205209
206210
## Set automated responses and create the rule
207211
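
Review bot: The bullet added at new line 206 does not say which alerts "all the alerts" refers to, so a reader cannot tell when the incident will actually appear or how long any response keyed to incident creation will wait. State the scope explicitly, for example the alerts produced by a single run of the rule, if that is what is meant. The bullet at line 208 then needs the same treatment: when a rule produces more than 150 alerts, say whether the overflow incident is also created only once its alerts exist. On formatting, there is an empty `>` between the two bullets (207) but none between the sentence at 205 and the first bullet at 206; add one there so the list spacing is consistent inside the note.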
