Updated investigate-incidents-windows-defender-advanced-threat-protection.md

windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md

@@ -33,14 +33,12 @@ You can investigate the alerts and see how they were linked together in the inci
 ![Image of alerts tab in incident page showing the Linked by tool tip](images/atp-incidents-alerts-linkedbytooltip.png)
 ![Image of alerts tab with incident details page showing the reasons the alerts were linked together in that incident](images/atp-incidents-alerts-incidentlinkedbyreason.png)
 
-Alerts are grouped into incidents for the following reasons:
+Alerts are grouped into incidents based on the following reasons:
-Automated investigation - 
+- Automated investigation - The automated investigation trigerred the linked alert while investigating the original alert 
-File characteristics - 
+- File characteristics - The files associated with the alert have similar characteristics
-Manual association - 
+- Manual association - A user manually linked the alerts
-Proximate time - 
+- Proximate time - The alerts were triggered on the same machine within a certain timeframe
-Same file - 
+- Same file - The files associated with the alert are exactly the same
-
-
 
 You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md).