diff --git a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml
index 32227e46b..06ece7f95 100644
--- a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml
@@ -24,6 +24,9 @@ detection:
 level: medium
 tags:
     - attack.impact
+    - attack.credential_access
+    - attack.t1552
+    - attack.t1552.001
 falsepositives:
  - Key being modified or deleted may be performed by a system administrator. 
  - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.