diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
index 38ef18992..45a66834f 100644
--- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
+++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/07/20"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://theevilbit.github.io/posts/cve_2020_9771/"]
 risk_score = 73
 rule_id = "b00bcd89-000c-4425-b94c-716ef67762f6"
 severity = "high"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion", "CVE_2020_9771"]
 timestamp_override = "event.ingested"
 type = "query"
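Review bot: The new tag in the second hunk is spelled `CVE_2020_9771`, with underscores, while the canonical identifier is `CVE-2020-9771`. An analyst who filters alerts or rules by the ID as it appears in advisories will not match this tag. If the underscore form is not an established convention for tags in this repository (not visible from this diff), the hyphenated form `"CVE-2020-9771"` would be the more searchable choice. Whichever spelling is kept should be used for every CVE tag in the rule set so that tag-based triage stays consistent.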