From 309e71491b4e0bd84586e00a384432fc5aac4cd6 Mon Sep 17 00:00:00 2001
From: Austin Songer <austin@songer.pro>
Date: Tue, 17 Aug 2021 08:44:39 -0500
Subject: [PATCH] Update azure_keyvault_key_modified_or_deleted.yml

---
 rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml
index 32227e46b..06ece7f95 100644
--- a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml
@@ -24,6 +24,9 @@ detection:
 level: medium
 tags:
     - attack.impact
+    - attack.credential_access
+    - attack.t1552
+    - attack.t1552.001
 falsepositives:
  - Key being modified or deleted may be performed by a system administrator. 
  - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.