Commit d392446

fixing links
1 parent 0b15a0a commit d392446

File tree

4 files changed

+19
-19
lines changed

articles/sentinel/incident-investigation.md

Lines changed: 11 additions & 11 deletions
@@ -41,7 +41,7 @@ Microsoft Sentinel incidents give you tools to help your Security Operations (Se
4141

4242
1. Use incident details to audit your incident management. The incident **activity log** tracks actions taken on an incident, whether initiated by humans or automated processes, and displays them along with all the comments on the incident.
4343

44-
You can add your own comments here as well. For more information, see [Investigate your incident in depth](investigate-incidents.md#investigate-your-incident-in-depth).
44+
You can add your own comments here as well. For more information, see [Investigate Microsoft Sentinel incidents in depth in the Azure portal](investigate-incidents.md).
4545

4646
## Investigate effectively and efficiently
4747

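Review bot: the replacement link on line 44 drops the section anchor and lands the reader at the top of investigate-incidents.md, while the same activity-log paragraph in investigate-incidents.md (line 42 of that file, changed in this same commit) is pointed at `incident-navigate-triage.md#audit-and-comment-on-incidents`. Since this paragraph is about the activity log and comments, point it at that anchor here as well, for example `For more information, see [Audit and comment on incidents](incident-navigate-triage.md#audit-and-comment-on-incidents).`, or at least keep a section anchor rather than a bare article link, so the two articles stay consistent about where the activity-log documentation lives.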
@@ -62,7 +62,7 @@ Use Microsoft Sentinel incidents to investigate security incidents effectively a
6262
- The **alert provider**, in the second part of the subtitle. For bookmarks, the **creator** of the bookmark.
6363
- The MITRE ATT&CK **tactics** associated with the alert, indicated by icons and ToolTips, in the third part of the subtitle.
6464

65-
For more information, see [Incident timeline](investigate-incidents.md#incident-timeline).
65+
For more information, see [Reconstruct the timeline of attacker activity](investigate-incidents.md#reconstruct-the-timeline-of-attacker-activity).
6666

6767
1. **Learn from similar incidents**. If anything you’ve seen so far in your incident looks familiar, there may be good reason. Microsoft Sentinel stays one step ahead of you by showing you the incidents most similar to the open one.
6868

@@ -96,7 +96,7 @@ Use Microsoft Sentinel incidents to investigate security incidents effectively a
9696

9797
Incident similarity is recalculated every time you enter the incident details page, so the results might vary between sessions if new incidents were created or updated.
9898

99-
For more information, see [Similar incidents](investigate-incidents.md#similar-incidents).
99+
For more information, see [Check for similar incidents in your environment](investigate-incidents.md#check-for-similar-incidents-in-your-environment).
100100

101101
1. **Examine top insights**. Next, having the broad outlines of what happened (or is still happening), and having a better understanding of the context, you’ll be curious about what interesting information Microsoft Sentinel has already found out for you.
102102

@@ -132,7 +132,7 @@ Use Microsoft Sentinel incidents to investigate security incidents effectively a
132132

133133
- **Classify the entity as an [indicator of compromise (IOC)](add-entity-to-threat-intelligence.md)** and add it to your Threat intelligence list.
134134

135-
Each of these actions is currently supported for certain entity types and not for others. The following table shows which actions are supported for each entity type:
135+
<a name=supported-actions></a>Each of these actions is currently supported for certain entity types and not for others. The following table shows which actions are supported for each entity type:
136136

137137
| Available actions &#9654;<br>Entity types &#9660; | View full details<br>(in entity page) | Add to TI * | Run playbook *<br>(Preview) |
138138
| ----- | :----: | :----: | :----: |
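Review bot: the attribute value in the new `<a name=supported-actions></a>` on line 135 is unquoted; write it as `<a name="supported-actions"></a>` (the `:::image type="content" ...:::` directive on line 157 of investigate-incidents.md quotes its values, and quoted values are what markdownlint and the HTML converter expect). The two `#supported-actions` links added in investigate-incidents.md (lines 159 and 161) resolve only through this element, so it is worth checking that the docs build preserves raw `<a name>` anchors; `id` is the current HTML attribute for this purpose if the build rewrites or drops `name`.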
@@ -177,7 +177,7 @@ The activity log is constantly auto-refreshing, even while open, so you can see
177177

178178
In that case, filter the incident list by **Owner** to limit the list to the incidents assigned to you or to your team. This filtered set represents your personal workload.
179179

180-
Otherwise, you can perform basic triage yourself. Start by filtering the list of incidents by available filtering criteria, whether status, severity, or product name. For more information, see [Search for incidents](#search-for-incidents).
180+
Otherwise, you can perform basic triage yourself. Start by filtering the list of incidents by available filtering criteria, whether status, severity, or product name. For more information, see [Search for incidents](incident-navigate-triage.md#search-for-incidents).
181181

182182
1. Triage a specific incident and take some actions on it immediately, right from the details pane on the **Incidents** page, without having to enter the incident’s full details page.
183183

@@ -191,7 +191,7 @@ The activity log is constantly auto-refreshing, even while open, so you can see
191191

192192
Recently selected users and groups appear at the top of the pictured drop-down list.
193193

194-
- **Update the incident’s status** (for example, from **New** to **Active** or **Closed**) by selecting from the **Status** drop-down list. When closing an incident, you're required to specify a reason. For more information, see [Closing an incident](#closing-an-incident).
194+
- **Update the incident’s status** (for example, from **New** to **Active** or **Closed**) by selecting from the **Status** drop-down list. When closing an incident, you're required to specify a reason. For more information, see [Close an incident](incident-navigate-triage.md#close-an-incident).
195195

196196
- **Change the incident’s severity** by selecting from the **Severity** drop-down list.
197197

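Review bot: lines 191 to 197 here are identical to lines 54 to 60 of incident-navigate-triage.md (the second file in this diff receives the same `Close an incident` fix), so the triage walkthrough is maintained in two places and every link rename has to be applied twice. Now that this article's copy already links out to incident-navigate-triage.md for search and close, consider replacing the duplicated block in incident-investigation.md with a short pointer to that article (or a shared include), so the next heading rename cannot leave one copy broken.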
@@ -201,7 +201,7 @@ The activity log is constantly auto-refreshing, even while open, so you can see
201201

202202
1. If the information in the details pane is sufficient to prompt further remediation or mitigation actions, select the **Actions** button at the bottom to do one of the following:
203203

204-
- **Investigate:** use the [graphical investigation tool](#investigate-incidents-visually-using-the-investigation-graph) to discover relationships between alerts, entities, and activities, both within this incident and across other incidents.
204+
- **Investigate:** use the [graphical investigation tool](investigate-incidents.md#investigate-incidents-visually-using-the-investigation-graph) to discover relationships between alerts, entities, and activities, both within this incident and across other incidents.
205205

206206
- **Run playbook:** run a [playbook](automate-responses-with-playbooks.md#run-a-playbook-manually) on this incident to take particular [enrichment, collaboration, or response actions](automate-responses-with-playbooks.md#use-cases-for-playbooks) such as your SOC engineers might have made available.
207207

@@ -213,10 +213,6 @@ The activity log is constantly auto-refreshing, even while open, so you can see
213213

214214
1. If more information about the incident is needed, select **View full details** in the details pane to open and see the incident's details in their entirety, including the alerts and entities in the incident, a list of similar incidents, and selected top insights.
215215

216-
## Next step
217-
218-
[Navigate, triage, and manage Microsoft Sentinel incidents in the Azure portal](incident-navigate-triage.md)
219-
220216
## Related content
221217

222218
In this document, you learned how the Microsoft Sentinel incident investigation experience in the Azure portal helps you [carry out an investigation in a single context](investigate-incidents.md). For more information about managing and investigating incidents, see the following articles:
@@ -226,3 +222,7 @@ In this document, you learned how the Microsoft Sentinel incident investigation
226222
- [Automate incident handling in Microsoft Sentinel with automation rules](automate-incident-handling-with-automation-rules.md).
227223
- [Identify advanced threats with User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](identify-threats-with-entity-behavior-analytics.md)
228224
- [Hunt for security threats](./hunting.md).
225+
226+
## Next step
227+
228+
[Navigate, triage, and manage Microsoft Sentinel incidents in the Azure portal](incident-navigate-triage.md)
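Review bot: the hunk header `@@ -226,3 +222,7` shows the relocated `## Next step` section now ends the file, and a rendered diff cannot show whether the final link line carries a trailing newline; confirm the file still ends with one, since the removed block (old lines 216 to 219) included a trailing blank line and the added block does not. The move itself is fine: same heading, same target `incident-navigate-triage.md`, now placed after the `## Related content` list.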

articles/sentinel/incident-navigate-triage.md

Lines changed: 2 additions & 2 deletions
@@ -54,7 +54,7 @@ This article describes how to navigate and run basic triage on your incidents in
5454

5555
Recently selected users and groups appear at the top of the pictured drop-down list.
5656

57-
- **Update the incident’s status** (for example, from **New** to **Active** or **Closed**) by selecting from the **Status** drop-down list. When closing an incident, you're required to specify a reason. For more information, see [Closing an incident](#closing-an-incident).
57+
- **Update the incident’s status** (for example, from **New** to **Active** or **Closed**) by selecting from the **Status** drop-down list. When closing an incident, you're required to specify a reason. For more information, see [Close an incident](#close-an-incident).
5858

5959
- **Change the incident’s severity** by selecting from the **Severity** drop-down list.
6060

@@ -64,7 +64,7 @@ This article describes how to navigate and run basic triage on your incidents in
6464

6565
1. If the information in the details pane is sufficient to prompt further remediation or mitigation actions, select the **Actions** button at the bottom to do one of the following:
6666

67-
- **Investigate:** use the [graphical investigation tool](#investigate-incidents-visually-using-the-investigation-graph) to discover relationships between alerts, entities, and activities, both within this incident and across other incidents.
67+
- **Investigate:** use the [graphical investigation tool](investigate-incidents.md#investigate-incidents-visually-using-the-investigation-graph) to discover relationships between alerts, entities, and activities, both within this incident and across other incidents.
6868

6969
- **Run playbook:** run a [playbook](automate-responses-with-playbooks.md#run-a-playbook-manually) on this incident to take particular [enrichment, collaboration, or response actions](automate-responses-with-playbooks.md#use-cases-for-playbooks) such as your SOC engineers might have made available.
7070

articles/sentinel/investigate-incidents.md

Lines changed: 5 additions & 5 deletions
@@ -39,7 +39,7 @@ As you're setting up to investigate an incident, assemble the things you need to
3939

4040
1. Select **Tasks** to [see the tasks assigned for this incident](work-with-tasks.md#view-and-follow-incident-tasks), or to [add your own tasks](work-with-tasks.md#manually-add-an-ad-hoc-task-to-an-incident). Tasks can improve process standardization in your SOC. For more information, see [Use tasks to manage incidents in Microsoft Sentinel](incident-tasks.md).
4141

42-
1. Select **Activity log** to see if any actions have already been taken on this incident&mdash;by automation rules, for example&mdash;and any comments that have been made. You can add your own comments here as well. For more information, see [Audit and comment on incidents](#audit-and-comment-on-incidents).
42+
1. Select **Activity log** to see if any actions have already been taken on this incident&mdash;by automation rules, for example&mdash;and any comments that have been made. You can add your own comments here as well. For more information, see [Audit and comment on incidents](incident-navigate-triage.md#audit-and-comment-on-incidents).
4343

4444
1. Select **Logs** at any time to open a full, blank Log analytics query window *inside* the incident page. Compose and run a query, related or not, without leaving the incident. So, whenever you're struck with sudden inspiration to go chasing a thought, don't worry about interrupting your flow--the logs are there for you. For more information, see [Dive deeper into your data in Logs](#dive-deeper-into-your-data-in-logs).
4545

@@ -75,9 +75,9 @@ The rest of the incident details page is divided into two tabs, **Overview** and
7575

7676
The **Overview** tab contains the following widgets, each of which represents an essential objective of your investigation.
7777

78-
- The **Incident timeline** widget shows you the timeline of alerts and [bookmarks](bookmarks.md) in the incident, which can help you reconstruct the timeline of attacker activity. Select an individual item to see all of its details, enabling you to drill down further. For more information, see [Incident timeline](#incident-timeline).
78+
- The **Incident timeline** widget shows you the timeline of alerts and [bookmarks](bookmarks.md) in the incident, which can help you reconstruct the timeline of attacker activity. Select an individual item to see all of its details, enabling you to drill down further. For more information, see [Reconstruct the timeline of attacker activity](#reconstruct-the-timeline-of-attacker-activity).
7979

80-
- In the **Similar incidents** widget, you see a collection of up to 20 other incidents that most closely resemble the current incident. This allows you to view the incident in a larger context and helps direct your investigation. For more information, see [Similar incidents](#similar-incidents).
80+
- In the **Similar incidents** widget, you see a collection of up to 20 other incidents that most closely resemble the current incident. This allows you to view the incident in a larger context and helps direct your investigation. For more information, see [Check for similar incidents in your environment](#check-for-similar-incidents-in-your-environment).
8181

8282
- The **Entities** widget shows you all the [entities](entities.md) that have been identified in the alerts. These are the objects that played a role in the incident, whether they be users, devices, addresses, files, or [any other types](./entities-reference.md). Select an entity to see its full details, which are displayed in the **Entities tab**. For more information, see [Explore the incident's entities](#explore-the-incidents-entities).
8383

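Review bot: lines 78 and 80 point at `#reconstruct-the-timeline-of-attacker-activity` and `#check-for-similar-incidents-in-your-environment`, but the headings that must produce those slugs are not part of this diff (only link references change in all four files). Confirm that `## Reconstruct the timeline of attacker activity` and `## Check for similar incidents in your environment` exist verbatim in this file; the same two slugs are used cross-file from incident-investigation.md (lines 65 and 99 there), so a heading that differs by one word breaks four links at once. The same check applies to `#close-an-incident` in incident-navigate-triage.md, which this diff references but never defines.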
@@ -156,9 +156,9 @@ You can search the list of entities in the entities widget, or filter the list b
156156

157157
:::image type="content" source="media/investigate-incidents/entity-actions-from-overview.png" alt-text="Screenshot of the actions you can take on an entity from the overview tab.":::
158158

159-
If you already know that a particular entity is a known indicator of compromise, select the three dots on the entity's row and choose **Add to TI** to [add the entity to your threat intelligence](add-entity-to-threat-intelligence.md). (This option is available for [supported entity types](incident-investigation.md#view-entities).)
159+
If you already know that a particular entity is a known indicator of compromise, select the three dots on the entity's row and choose **Add to TI** to [add the entity to your threat intelligence](add-entity-to-threat-intelligence.md). (This option is available for [supported entity types](incident-investigation.md#supported-actions).)
160160

161-
If you want to [trigger an automatic response sequence for a particular entity](respond-threats-during-investigation.md), select the three dots and choose **Run playbook (Preview)**. (This option is available for [supported entity types](incident-investigation.md#view-entities).)
161+
If you want to [trigger an automatic response sequence for a particular entity](respond-threats-during-investigation.md), select the three dots and choose **Run playbook (Preview)**. (This option is available for [supported entity types](incident-investigation.md#supported-actions).)
162162

163163
Select an entity to see its full details. When you select an entity, you move from the **Overview tab** to the **Entities tab**, another part of the incident details page.
164164

articles/sentinel/scheduled-rules-overview.md

Lines changed: 1 addition & 1 deletion
@@ -257,7 +257,7 @@ To learn all about the different kinds of responses that can be crafted and auto
257257

258258
Under the **Automation rules** heading, the wizard displays a list of the automation rules already defined on the whole workspace, whose conditions apply to this analytics rule. You can edit any of these existing rules, or you can [create a new automation rule](create-manage-use-automation-rules.md) that applies only to this analytics rule.
259259

260-
Use automation rules to perform [basic triage](investigate-incidents.md#navigate-and-triage-incidents), assignment, [workflow](incident-tasks.md), and closing of incidents.
260+
Use automation rules to perform [basic triage](incident-navigate-triage.md#navigate-and-triage-incidents), assignment, [workflow](incident-tasks.md), and closing of incidents.
261261

262262
Automate more complex tasks and invoke responses from remote systems to remediate threats by calling playbooks from these automation rules. You can invoke playbooks for incidents as well as for individual alerts.
263263

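Review bot: line 260 still leaves `closing of incidents` as plain text while this commit introduces `incident-navigate-triage.md#close-an-incident` elsewhere; linking it (`[closing](incident-navigate-triage.md#close-an-incident)`) would make the sentence consistent with the other two links in it. Also confirm that `#navigate-and-triage-incidents` is an H2 slug in incident-navigate-triage.md: the article title visible in this diff's link text is `Navigate, triage, and manage Microsoft Sentinel incidents in the Azure portal`, which does not produce that slug, so the anchor depends on a section heading that this diff does not show.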