Relate alerts to incidents documentation

Author: yelevin

articles/sentinel/investigate-cases.md

@@ -102,10 +102,12 @@ To use the investigation graph:
 
     ![Explore more details](media/investigate-cases/exploration-cases.png)
 
-   For example, on a computer you can request related alerts. If you select an exploration query, the resulting entitles are added back to the graph. In this example, selecting **Related alerts** returned the following alerts into the graph:
+    For example, you can request related alerts. If you select an exploration query, the resulting entitles are added back to the graph. In this example, selecting **Related alerts** returned the following alerts into the graph:
 
     :::image type="content" source="media/investigate-cases/related-alerts.png" alt-text="Screenshot: view related alerts" lightbox="media/investigate-cases/related-alerts.png":::
 
+    See that the related alerts appear connected to the entity by dotted lines.
+
 1. For each exploration query, you can select the option to open the raw event results and the query used in Log Analytics, by selecting **Events\>**.
 
 1. In order to understand the incident, the graph gives you a parallel timeline.
@@ -116,6 +118,10 @@ To use the investigation graph:
 
     :::image type="content" source="media/investigate-cases/use-timeline.png" alt-text="Screenshot: use timeline in map to investigate alerts.'" lightbox="media/investigate-cases/use-timeline.png":::
 
+## Expand incidents
+
+[Learn how you can add alerts to your incidents or remove alerts from incidents](expand-incidents.md).
+
 ## Similar incidents (preview)
 
 As a security operations analyst, when investigating an incident you'll want to pay attention to its larger context. For example, you'll want to see if other incidents like this have happened before or are happening now.