From 5f84ef4a5a9fa33fad7c72ef36ad87c178e0ac5f Mon Sep 17 00:00:00 2001 From: Dolcita Montemayor Date: Wed, 19 Sep 2018 10:49:41 +0000 Subject: [PATCH] Updated investigate-incidents-windows-defender-advanced-threat-protection.md --- ...idents-windows-defender-advanced-threat-protection.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md index fc807d86e6..cae85dfb3d 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md @@ -33,6 +33,15 @@ You can investigate the alerts and see how they were linked together in the inci ![Image of alerts tab in incident page showing the Linked by tool tip](images/atp-incidents-alerts-linkedbytooltip.png) ![Image of alerts tab with incident details page showing the reasons the alerts were linked together in that incident](images/atp-incidents-alerts-incidentlinkedbyreason.png) +Alerts are grouped into incidents for the following reasons: +Automated investigation - +File characteristics - +Manual association - +Proximate time - +Same file - + + + You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md). ### Machines
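Review bot: the five added reason lines ("Automated investigation -" through "Same file -") each end in a dangling hyphen with no description after it, and none has a Markdown list marker or a blank line separating it from the "Alerts are grouped into incidents for the following reasons:" sentence, so they will render as a single run-on paragraph. Suggest making each one a bullet (for example `- Automated investigation - ` followed by its explanation) and either supplying the descriptions in this change or dropping the trailing hyphens until they are written. The three blank `+` lines before "You can also manage an alert" can be reduced to one.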