diff --git a/rules/linux/defense_evasion_authorized_keys_file_deletion.toml b/rules/linux/defense_evasion_authorized_keys_file_deletion.toml
index 0d34bf82dcd..b75176fef92 100644
--- a/rules/linux/defense_evasion_authorized_keys_file_deletion.toml
+++ b/rules/linux/defense_evasion_authorized_keys_file_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/05/15"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ are used to store public keys for SSH authentication. Unauthorized deletion of t
 of an attacker removing access to the system, and may be a precursor to further malicious activity.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*"]
+index = ["logs-endpoint.events.file*"]
 language = "eql"
 license = "Elastic License v2"
 name = "SSH Authorized Keys File Deletion"
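Review bot: The `query` that must agree with the new `index` value is outside this hunk, so it cannot be confirmed here that the EQL is a `file where ...` query keyed on a deletion event (`event.type == "deletion"` or the equivalent `event.action`) rather than anything that only exists on process events; that is the check to make before merging, since the index pattern alone does not make the rule fire. If the old pattern `logs-endpoint.events.process*` never carried the deletion events this rule is after, the rule has presumably been silent since creation, which is worth stating in the commit message so anyone tuning against historical alerts knows why there are none. A one-line comment above the field would also stop the next editor from reverting it, e.g. `# file deletion events live in the file data stream, not process`.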