diff --git a/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml b/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml
index af2fe4da7..a9d573542 100644
--- a/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml
+++ b/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/08"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ writing plist files to LaunchAgent or LaunchDaemon directories. Legitimate Pytho
 persistence mechanisms, so a first occurrence is a strong indicator of compromise.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.persistence-*"]
+index = ["logs-endpoint.events.file-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "First Time Python Created a LaunchAgent or LaunchDaemon"
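Review bot: The `index` switch from the persistence data stream to `logs-endpoint.events.file-*` changes which event shape the rule's query runs against, but the query itself is outside this hunk and the commit does not show it being adjusted. Any `event.action` or `event.category` constraint written for the persistence stream would presumably no longer match file events, so the query should be confirmed to pin `event.category : "file"` and a file-stream action value, otherwise the rule may silently stop firing despite the `updated_date` bump. Because the rule is a first-occurrence detection, changing the source stream may also reset or skew its history baseline, which is worth noting for anyone tuning it. A one-line comment above the key would help the next maintainer, e.g. `# Plist writes are surfaced in the file data stream, not the persistence stream.`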