diff --git a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
index 97f9cad83..f734d500b 100644
--- a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
+++ b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/07/27"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = [
 risk_score = 73
 rule_id = "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7"
 severity = "high"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation"]
+tags = ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation", "CVE-2020-9615", "CVE-2020-9614", "CVE-2020-9613"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -37,7 +37,8 @@ event.category:process and event.type:(start or process_started) and
  /usr/bin/shasum or
  /usr/bin/perl* or
  /usr/sbin/spctl or
- /usr/sbin/installer)
+ /usr/sbin/installer or
+ /usr/bin/csrutil)
 '''
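Review bot: The new `/usr/bin/csrutil` entry changes which updater-spawned processes the rule treats as expected, but neither this hunk nor the rule's `description` (outside it) records why, so an analyst who sees or stops seeing a csrutil alert cannot tell a routine `csrutil status` check from an unexpected invocation; a sentence in the description naming the observed benign use would fix that. The enclosing query clause starts before the hunk, so I cannot confirm from here whether this executable list is matched or negated; if it is an exclusion list, the bare path suppresses every csrutil invocation by the privileged parent regardless of arguments, and a narrower `(process.executable:/usr/bin/csrutil and process.args:status)` clause would keep coverage of anything other than the status check. The hunk's declared line counts also suggest it continues past the visible text. The three CVE identifiers added to `tags` in the second hunk would be easier to act on if their advisories were also listed under the `references = [` array shown in that hunk's header, if they are not there already.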