diff --git a/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
index 65c7974a3..ef44ce775 100644
--- a/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
@@ -4,11 +4,15 @@ status: test
 description: Identifies when a device or device configuration in azure is modified or deleted.
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
+ - https://attack.mitre.org/techniques/T1485
+ - https://attack.mitre.org/techniques/T1565/001
 author: Austin Songer @austinsonger
 date: 2021/09/03
 modified: 2022/10/09
 tags:
 - attack.impact
+ - attack.1485
+ - attack.t1565.001
 logsource:
 product: azure
 service: activitylogs
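Review bot: The first added tag, `- attack.1485`, is missing the `t` that marks a technique ID, so it does not match the reference `https://attack.mitre.org/techniques/T1485` added above it or the form of its sibling `attack.t1565.001`; it should read `- attack.t1485`. As written, anything that maps rule tags to ATT&CK techniques (coverage reports, tag validation in the rule test suite) will probably either reject the rule or silently drop the T1485 mapping. The `modified: 2022/10/09` line is untouched context here; if that date predates this change, it should be bumped in the same commit so consumers can tell the rule's metadata changed.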