
First Time Python Created a LaunchAgent or LaunchDaemon

Elastic Detection Rules

Summary
Detects the first time a Python process on a given macOS host creates or modifies a LaunchAgent or LaunchDaemon property list (plist). Writing a plist into a LaunchAgents or LaunchDaemons directory is a common persistence step, because launchd will start the referenced program at login or boot; this rule catches that step when the writer is Python code.

Detection logic: the rule consumes Elastic Defend persistence events (event.action: launch_daemon) and filters on host.os.type: macos and process.name: python*. It is a first-occurrence rule, alerting only on the first matching event per host within a 7-day window, so a host on which Python has routinely written plists in the last seven days will not generate a new alert. It maps to MITRE ATT&CK T1543.001 (Launch Agent/Launch Daemon) under T1543 (Create or Modify System Process).

The activity it surfaces includes persistence installed by Python scripts, by compromised Python dependencies, and by malicious model deserialization (for example a pickle payload whose __reduce__ method runs code when a trojaned PyTorch checkpoint is loaded).

Triage: review the plist fields captured with the event (runatload, keepalive, args, path), inspect the Python process and the script or binary the plist references, verify that the referenced binary is trusted, and scan the host for related artifacts.

Remediation: unload the launch item with launchctl, remove the plist and the program it points to, terminate any process it already launched, quarantine the originating script or package, and check other hosts for the same plist or package in case it was distributed widely.

The rule raises a moderate-severity alert to prompt investigation of possible macOS persistence installed through Python.
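The following is an added example, not Elastic's rule code or any code from the detection-rules project: it re-implements the summary's filter (macOS host, launch_daemon persistence action, process name starting with python) and the first-occurrence-per-host, 7-day-window logic over a handful of constructed ECS-style events, then pulls the triage fields out of a constructed LaunchAgent plist with plistlib. The events, the plist contents, and the host identifiers are all constructed for the example; the first-seen logic is a simplification of Elastic's new-terms rule type (alert when the host has no matching event in the previous seven days).

```python
"""Added example: rule-style filtering, first-seen-per-host suppression,
and plist triage for the macOS Python LaunchAgent/LaunchDaemon case.
All events and the plist below are constructed sample data, not real telemetry."""
import plistlib
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=7)  # summary: first occurrence per host within 7 days


def matches_rule(event: dict) -> bool:
    """Per-event filter using the field names the rule summary lists."""
    return (
        event.get("host.os.type") == "macos"
        and event.get("event.action") == "launch_daemon"
        and str(event.get("process.name", "")).lower().startswith("python")
    )


def first_seen_alerts(events: list) -> list:
    """Return only the events that should alert: the first matching event per
    host.id, and again only if the host had no matching event in the prior
    WINDOW (a simplified new-terms history window)."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_rule(ev):
            continue
        host, ts = ev["host.id"], ev["@timestamp"]
        prev = last_seen.get(host)
        if prev is None or ts - prev > WINDOW:
            alerts.append(ev)
        last_seen[host] = ts  # every match extends the host's history, alert or not
    return alerts


def triage_plist(plist_bytes: bytes) -> dict:
    """Extract the fields the triage steps call for: run-at-load, keep-alive,
    the program path, its arguments, and (when Python is the program) the script."""
    data = plistlib.loads(plist_bytes)
    args = list(data.get("ProgramArguments") or [])
    path = data.get("Program") or (args[0] if args else None)
    interpreter = path.rsplit("/", 1)[-1].lower() if path else ""
    return {
        "label": data.get("Label"),
        "path": path,
        "args": args,
        "script": args[1] if interpreter.startswith("python") and len(args) > 1 else None,
        "runatload": bool(data.get("RunAtLoad", False)),
        "keepalive": bool(data.get("KeepAlive", False)),
    }


def _ev(host, day, name, os_type="macos"):
    # Constructed ECS-style event; timestamps are March 2026, UTC.
    return {
        "@timestamp": datetime(2026, 3, day, 12, 0, tzinfo=timezone.utc),
        "host.id": host,
        "host.os.type": os_type,
        "event.action": "launch_daemon",
        "process.name": name,
        "file.path": f"/Users/alice/Library/LaunchAgents/com.example.{host}.plist",
    }


SAMPLE_EVENTS = [  # constructed
    _ev("host-a", 1, "python3"),            # first on host-a: alert
    _ev("host-b", 2, "bash"),               # not Python: filtered out
    _ev("host-a", 3, "python3"),            # host-a seen 2 days ago: suppressed
    _ev("host-b", 4, "python3.12"),         # first Python on host-b: alert
    _ev("host-c", 5, "python3", "linux"),   # not macOS: filtered out
    _ev("host-a", 12, "python"),            # 9 days since last match: alert again
]

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array>
  <string>/usr/bin/python3</string><string>/Users/alice/.cache/update.py</string>
</array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""  # constructed LaunchAgent plist for the triage step

if __name__ == "__main__":
    for ev in first_seen_alerts(SAMPLE_EVENTS):
        print("ALERT", ev["@timestamp"].date(), ev["host.id"], ev["process.name"], ev["file.path"])
    print(triage_plist(SAMPLE_PLIST))
```

The triage output is what an analyst should look at first: RunAtLoad and KeepAlive both true means launchd starts the script at login and restarts it if it exits, and a Python interpreter in ProgramArguments means the real payload is the script path in the second argument, not the trusted /usr/bin/python3 binary.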
Categories
  • macOS
  • Endpoint
Data Sources
  • Process
  • File
  • Application Log
ATT&CK Techniques
  • T1543
  • T1543.001
Created: 2026-02-23