MicrosoftDocs
diff --git a/‎articles/sentinel/TOC.yml
Lines changed: 2 additions & 0 deletions b/‎articles/sentinel/TOC.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/sentinel/investigate-cases.md
Lines changed: 7 additions & 1 deletion b/‎articles/sentinel/investigate-cases.md
Lines changed: 7 additions & 1 deletion
diff --git a/‎articles/sentinel/media/investigate-cases/alert-joined-to-incident.png
-153 KB b/‎articles/sentinel/media/investigate-cases/alert-joined-to-incident.png
-153 KB
diff --git a/‎articles/sentinel/media/investigate-cases/keep-or-close-other-incident.png
-89.9 KB b/‎articles/sentinel/media/investigate-cases/keep-or-close-other-incident.png
-89.9 KB
diff --git a/‎articles/sentinel/media/investigate-cases/map-entities-old.png
-195 KB b/‎articles/sentinel/media/investigate-cases/map-entities-old.png
-195 KB
diff --git a/‎articles/sentinel/media/investigate-cases/map-entities.png
75.1 KB b/‎articles/sentinel/media/investigate-cases/map-entities.png
75.1 KB
diff --git a/‎articles/sentinel/media/investigate-cases/two-alerts.png
-30.9 KB b/‎articles/sentinel/media/investigate-cases/two-alerts.png
-30.9 KB
diff --git a/‎articles/sentinel/media/relate-alerts-to-incidents/add-alert-to-incident.png
49.1 KB b/‎articles/sentinel/media/relate-alerts-to-incidents/add-alert-to-incident.png
49.1 KB
diff --git a/‎articles/sentinel/media/relate-alerts-to-incidents/add-alert-using-playbook.png
44.5 KB b/‎articles/sentinel/media/relate-alerts-to-incidents/add-alert-using-playbook.png
44.5 KB
diff --git a/‎articles/sentinel/media/relate-alerts-to-incidents/alert-joined-to-incident.png
116 KB b/‎articles/sentinel/media/relate-alerts-to-incidents/alert-joined-to-incident.png
116 KB
@@ -302,6 +302,8 @@
     items:
     - name: Investigate incidents
       href: investigate-cases.md
+    - name: Relate alerts to incidents
+      href: relate-alerts-to-incidents.md
     - name: Search large datasets
       href: search-jobs.md
     - name: Restore historical data
 
@@ -102,10 +102,12 @@ To use the investigation graph:
 
     ![Explore more details](media/investigate-cases/exploration-cases.png)
 
-   For example, on a computer you can request related alerts. If you select an exploration query, the resulting entitles are added back to the graph. In this example, selecting **Related alerts** returned the following alerts into the graph:
+    For example, you can request related alerts. If you select an exploration query, the resulting entitles are added back to the graph. In this example, selecting **Related alerts** returned the following alerts into the graph:
 
     :::image type="content" source="media/investigate-cases/related-alerts.png" alt-text="Screenshot: view related alerts" lightbox="media/investigate-cases/related-alerts.png":::
 
+    See that the related alerts appear connected to the entity by dotted lines.
+
 1. For each exploration query, you can select the option to open the raw event results and the query used in Log Analytics, by selecting **Events\>**.
 
 1. In order to understand the incident, the graph gives you a parallel timeline.
@@ -116,6 +118,10 @@ To use the investigation graph:
 
     :::image type="content" source="media/investigate-cases/use-timeline.png" alt-text="Screenshot: use timeline in map to investigate alerts.'" lightbox="media/investigate-cases/use-timeline.png":::
 
+## Focus your investigation
+
+Learn how you can broaden or narrow the scope of your investigation by either [adding alerts to your incidents or removing alerts from incidents](relate-alerts-to-incidents.md).
+
 ## Similar incidents (preview)
 
 As a security operations analyst, when investigating an incident you'll want to pay attention to its larger context. For example, you'll want to see if other incidents like this have happened before or are happening now.