diff --git a/user-stories/README.md b/user-stories/README.md
index 17dad86..f41eb28 100644
--- a/user-stories/README.md
+++ b/user-stories/README.md
@@ -4,7 +4,7 @@
 |-|-|
 | As a lead threat intelligence analyst, I want to lead a team focused on hunting down threats so that I can prevent attacks against ICT infrastructures and organizations | <ul> <li>Monitor what teams are up to in real-time using the Live Dashboard </li></ul>|
 | As a threat analyst, I want to research, analyze and reverse engineer malware so that I can know how to counter it | <ul> <li> Attach and download files and malware samples from events</li> <li>Search for hashes/IPs/domains/URLs from malware events, or add malware samples hashes to an event</li> <li>Analyse observables and malware collected during an incident (e.g. domain name, IP addresses etc.) by checking whether observables are IoCs or false positives using ‘correlation graph’ and ‘expansion modules’.</li> <li> Enrich malware events by querying data sources external to MISP using modules</li>  <li>Perform dynamic malware analysis correlations</li> <li> Submit events with malware samples to analysis tools (e.g VirusTotal, VMRay) for further analysis, and then extend MISP with malware analysis results</li> </ul> |
-| As a lead threat intelligence analyst, I want to convert threat data into actionable threat intelligence so that I can improve security posture. | <ul> <li>Import data from external sources</li> <li>Add feeds</li> <li>Contextualise events and attributes using tags, taxonomies and galaxies</li></li> |
+| As a lead threat intelligence analyst, I want to convert threat data into actionable threat intelligence so that I can improve security posture. | <ul> <li>Import data from external sources</li> <li>Add feeds</li> <li>Contextualise events and attributes using tags, taxonomies and galaxies</li></ul> |
 | As a threat analyst, I want to exchange threat information with third parties so that we can gain shared situational awareness | <ul> <li>Setup different models of distribution on MISP instance</li> <li>Sync events and attributes between instances</li> <li>Use filtering functionalities to meet an organisation's sharing policy</li> <li>Share information, pentest information, malware samples, vulnerabilities internally and externally</li> <li>Use feature/achievements widget adding gamification to the information sharing</li> </ul> |
 | As a threat analyst, I want to monitor threats and access live data so that I can manage threats before they cause major damage | <ul>  <li>Import lists of indicators and check if the IOCs are present in feeds.</li> <li>Monitor statistics and sightings using widgets</li> <li>Show live data and stats from one or more MISP instances via the Dashboard</li> <li>Process information in real-time when it's updated, created, or published by instances by integrating with ZMQ</li> <li>Use sightings to notify an instance about activities related to an indicator</li> </ul> |
 | As a threat analyst, I want to aggregate and compare indicators from various sources so that I can connect the dots between various threats | <ul><li>Join communities and subscribe to the feeds</li> <li>Add events and assign events to specific feeds</li> <li>Correlate indicators using MISP's automated correlation engine</li> <li> Use the overlap feed analysis available in MISP</li> <li>Link events and attributes using the correlation graph</li> <li>Analyse and gain more information on attributes using modules</li> <li>Link events with malware, threat actors etc using galaxies (e.g ATT&CK)</li></ul> |