So it sounds like your flow is creating a new alert. If you don't think that should be happening you might start checking a few areas. Check your alert score aggregation policy to make sure it represents what you are trying to enable.
- When the "Do not compute a score from the provided activity" or "Compute the score from the activity in the current alerting event" score aggregation policy is selected, the scorecard displays only the scenario-fired events in the current alerting event.
- When the "Compute the score from the unique alerting activity in all the alerting events" score aggregation policy is selected, the scorecard displays all the scenario-fired events in the current alerting event as well as all the unique scenario-fired events in prior alerting events for this alert version.
- When the "Compute the score from all the activity in all the alerting events" score aggregation policy is selected, the scorecard displays all the scenario-fired events in the current alerting event as well as all the events in prior alerting events for this alert version.
From what you said it sounds like the system is finding "new" activity and alerting on it. Example: An alert comes up for Joe Smith and a user dispositions it. That disposition creates a case and closes the alert. That alert only stays closed until new activity that meets the alerting threshold criteria comes into the system. If that isn't what you are wanting in terms of behavior you could look at the alert disposition option to keep the alert suppressed until the score increases by % or X amount.
Reactivate after a Score Increase
Suppresses the alert and keeps it suppressed unless its score changes. You can specify whether the score must increase by a percentage or by an exact amount. You can indicate that the alert should be reactivated if the score goes above a specified value.