Fix bulleted lists
manukumar6 authored Oct 10, 2024
1 parent 2ee4c89 commit 7a57f02
Showing 1 changed file with 8 additions and 0 deletions.
Expand Up @@ -14,7 +14,9 @@ This document summarizes all the runtime audits (detections) that are available
|Indicates when a process that is not part of the runtime model was spawned.

* Avoid audits for specific known and allowed processes, by adding the process name to the runtime rules processes *Allowed* list.
* In order to add the processes to the model, navigate to the relevant model under *Monitor > Runtime > Container* models, then click on *...* and select *Extend learning*
|
* <process> launched but is not found in the runtime model
* <process> launched from <parent process> but is not found in the runtime model
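Review bot: the blank line inserted between the description paragraph and the first `*` bullet is what makes the bullets render as a list instead of literal text, but that only holds if the cell is an AsciiDoc-formatted cell (`a|`); the cell opener is outside this hunk, so please confirm it. Two style points in the same cell: the bullet `* In order to add the processes to the model ... select *Extend learning*` is the only one in the file without a terminal period, and this cell says "Avoid audits for specific known and allowed processes" while every other cell in the diff says "Avoid audits on specific ..."; suggest adding the period and aligning the preposition with the rest of the file.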
Expand Down Expand Up @@ -42,6 +44,7 @@ App-embedded
|Indicates a modified process was spawned. A modified process is a process whose binary was created or modified after the container was started.

* Enable and disable this detection via the *Processes started from modified binaries* toggle, under the Runtime rule Processes tab
* Avoid audits on specific known and allowed processes, by adding process names to the runtime rules processes *Allowed* list.
|A modified executable <process> was launched
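Review bot: the bullet `* Enable and disable this detection via the *Processes started from modified binaries* toggle, under the Runtime rule Processes tab` lacks the trailing period that the `Avoid audits ...` bullet directly below it carries; since this patch is titled "Fix bulleted lists", it is a cheap moment to make the two bullets in this cell consistent.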
Expand All @@ -54,6 +57,7 @@ App-embedded
|Indicates that a package binary file was replaced during image build. This detection will generate an audit when a process is started from an altered binary.

* Enable and disable this detection via the *Processes started from modified binaries* toggle, under the Runtime rule Processes tab
* Avoid audits on specific known and allowed processes, by adding process names to the runtime rules processes *Allowed* list.
|<process path> launched and is detected as an altered or corrupted package binary. The file metadata doesn't match what’s reported by the package manager.
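Review bot: the audit message `|<process path> launched and is detected as an altered or corrupted package binary. The file metadata doesn't match what’s reported by the package manager.` mixes a straight apostrophe in `doesn't` with a typographic one in `what’s`; normalize to one form (the rest of the file uses straight quotes). The `* Enable and disable this detection ...` bullet in this cell also ends without a period while the bullet below it has one.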
Expand All @@ -66,6 +70,7 @@ App-embedded
|Indicates a process that is identified as a crypto miner was spawned.

* Enable and disable this detection via the *Crypto miners* toggle, under the Runtime rule Processes / Anti-malware tab.
* Avoid audits on specific known and allowed processes, by adding process names to the runtime rules processes *Allowed* list.
|<process> launched and is identified as a crypto miner. Full command: <path>
Expand All @@ -80,6 +85,7 @@ App-embedded
|Indicates a process that is used for lateral movement was spawned.

* Enable and disable this detection via the *Processes used for lateral movement* toggle, under the Runtime rule Processes tab.
* Avoid audits on specific known and allowed processes, by adding process names to the runtime rules processes *Allowed* list.
|<process> launched and is identified as a process used for lateral movement. Full command: <path>
Expand All @@ -91,6 +97,7 @@ Containers
|Indicates that a process is running from a temporary file system.

* Enable and disable this detection via the *Processes running from temporary storage* toggle, under the Runtime rule Anti-malware tab.
* Avoid audits on specific known and allowed processes, by adding process names to the runtime rules processes *Allowed* list.
|<process> launched from a temporary file storage, which usually indicates malicious activity.
Expand All @@ -109,6 +116,7 @@ Hosts
|Indicates that a process was identified as running a reverse shell

* Enable and disable this detection via the *Reverse shell attacks* toggle, under the Runtime rule Processes / Anti-malware tab.
* Avoid audits on specific known and allowed processes, by adding process names to the runtime rules processes *Allowed* list.
|<processes> is a reverse shell. Full command: <path>
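Review bot: the audit message `|<processes> is a reverse shell. Full command: <path>` uses the plural placeholder `<processes>` while every other row in this diff uses `<process>`; it should read `<process> is a reverse shell` so the placeholder names are uniform. The description `Indicates that a process was identified as running a reverse shell` is also missing the closing period that the other descriptions have.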

0 comments on commit 7a57f02