diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index 68c1f4ea58..12748d73fe 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -27,10 +27,12 @@
 #### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md)
 #### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
 #### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md)
-##### [Search for specific alerts](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts)
-##### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
-##### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
-##### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
+##### [Alerts related to this machine](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
+##### [Machine timeline](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
+###### [Search for specific events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
+###### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
+###### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
+###### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
 ##### [Manage machine group and tags](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
 #### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md)
 #### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
index e45b827728..ca5647a630 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -52,12 +52,14 @@ You'll also see details such as logon types for each user account, the user grou
 
  For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md).
 
+## Alerts related to this machine
 The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. You can also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click to select multiple alerts).
 
 This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. You'll also see a list of displayed alerts and you'll be able to quickly know the total number of alerts on the machine.
 
 You can also choose to highlight an alert from the **Alerts related to this machine** or from the  **Machine timeline** section to see the correlation between the alert and its related events on the machine by right-clicking on the alert and selecting **Select and mark events**. This highlights the alert and its related events and helps distinguish them from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels whether you choose to view the timeline by **Detections**, **Behaviors**, or **Verbose**.
 
+## Machine timeline
 The **Machine timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine.
 
 This feature also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a selected time period.