diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
index b358698cf..7ec822922 100644
--- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
+++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/05/23"
 maturity = "production"
-updated_date = "2022/05/23"
+updated_date = "2022/07/18"
 
 [rule]
 author = ["Elastic"]
@@ -37,9 +37,10 @@ process where
 or
 /* service or systemctl used to stop Elastic Agent on Linux */
 (event.type == "end" and
- (process.name : ("systemctl","service") and
- process.args : ("elastic-agent", "stop"))
- or
+ (process.name : ("systemctl", "service") and
+ process.args : "elastic-agent" and
+ process.args : "stop")
+ or
 /* Unload Elastic Agent extension on MacOS */
 (process.name : "kextunload" and
 process.args : "com.apple.iokit.EndpointSecurity" and
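Review bot: The new `process.args : "elastic-agent"` term carries no wildcard, so if EQL `:` is an exact (case-insensitive) match here, a stop issued with the systemd unit suffix, `systemctl stop elastic-agent.service`, does not satisfy the Linux branch even though it ends the same service; consider `process.args : ("elastic-agent", "elastic-agent.service")` on that line. Splitting the old single list `("elastic-agent", "stop")` into two terms is the right fix, since one list matched either value and the branch fired on any `systemctl stop`. The comment above the branch could record the intent so the next edit does not collapse it again: `/* service or systemctl used to stop Elastic Agent on Linux: both the unit name and the stop verb must appear in args */`. The `(event.type == "end" and` group opened in this hunk is not closed inside it, so the `kextunload` branch below appears to sit under the same `event.type == "end"` condition — worth confirming that is intended, as the enclosing query continues outside the hunk.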