Update api-incident.md

Author: American-Dipper

defender-xdr/api-incident.md

@@ -73,7 +73,7 @@ Refer to the respective method articles for more details on how to construct a r
 | status | Enum | Specifies the current status of the incident. Possible values are: `Active`, `InProgress`, `Resolved`, and `Redirected`. |
 | classification | Enum | Specification of the incident. Possible values are: `TruePositive`, `Informational, expected activity`, and `FalsePositive`. |
 | determination | Enum | Specifies the determination of the incident. <p>Possible determination values for each classification are: <br><li> <b>True positive</b>: `Multistage attack` (MultiStagedAttack), `Malicious user activity` (MaliciousUserActivity), `Compromised account` (CompromisedUser) – consider changing the enum name in public api accordingly, `Malware` (Malware), `Phishing` (Phishing), `Unwanted software` (UnwantedSoftware), and `Other` (Other). <li> <b>Informational, expected activity:</b> `Security test` (SecurityTesting), `Line-of-business application` (LineOfBusinessApplication), `Confirmed activity` (ConfirmedUserActivity) - consider changing the enum name in public api accordingly, and `Other` (Other). <li>  <b>False positive:</b> `Not malicious` (Clean) - consider changing the enum name in public api accordingly, `Not enough data to validate` (InsufficientData), and `Other` (Other). |
-| tags | string list | List of Incident tags. (customTags only) |
+| tags | string list | List of Incident tags (customTags only). |
 | comments | List of incident comments | Incident Comment object contains: comment string, createdBy string, and createTime date time. |
 | alerts | alert list | List of related alerts. See examples at [List incidents](api-list-incidents.md) API documentation. |