diff --git a/rules/linux/macos_gui_input_capture.yml b/rules/linux/macos_gui_input_capture.yml
index 3a90066a..87d10a81 100644
--- a/rules/linux/macos_gui_input_capture.yml
+++ b/rules/linux/macos_gui_input_capture.yml
@@ -35,5 +35,5 @@ falsepositives:
     - Legitimate administration tools and activities
 level: low
 tags:
-    - attack.discovery
+    - attack.credential_access
     - attack.t1056.002
\ No newline at end of file