From b5e5822c1fff27e33bce16d915d44a3f6977a860 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 8 Apr 2026 22:11:43 +0100
Subject: [PATCH] Update persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml (#5937)

---
 ...thon_launch_agent_or_daemon_creation_first_occurrence.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml b/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml
index af2fe4da7..a9d573542 100644
--- a/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml
+++ b/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/08"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ writing plist files to LaunchAgent or LaunchDaemon directories. Legitimate Pytho
 persistence mechanisms, so a first occurrence is a strong indicator of compromise.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.persistence-*"]
+index = ["logs-endpoint.events.file-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "First Time Python Created a LaunchAgent or LaunchDaemon"
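Review bot: The new `index = ["logs-endpoint.events.file-*"]` changes which data stream the rule reads, but the `query` that has to match those documents lies outside this hunk and is not touched by the commit; the file and persistence streams carry different `event.category` / `event.action` values, so the KQL should be checked to still select plist creations (presumably `event.category : "file"` with a creation action) or the rule will evaluate cleanly while matching nothing. If this is a new-terms style rule, as the "first occurrence" wording in the description suggests, the fields it tracks also need to exist on file events. The rule's `[rule]` table continues past the end of the hunk, so the query and any `new_terms` settings could not be reviewed here; a short line comment above `index`, e.g. `# file stream: plist writes are file-creation events, not persistence-stream events`, would record why the source was switched and make the coupling with the query visible to the next editor.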