From 183b337a01a2e3d6b5a2915887630ffb1df8d822 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 17 Feb 2026 22:30:34 +0000
Subject: [PATCH] [Tuning] Elastic Agent Service Terminated (#5730)

* Update defense_evasion_elastic_agent_service_terminated.toml
* Update defense_evasion_elastic_agent_service_terminated.toml
---
 ...evasion_elastic_agent_service_terminated.toml | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
index c8ea20b27..3e4f6418a 100644
--- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
+++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/11/04"
+updated_date = "2026/02/12"
 
 [rule]
 author = ["Elastic"]
@@ -49,18 +49,16 @@ process where process.args : ("elasticendpoint", "Elastic Agent","elastic-agent","elastic-endpoint")) or /* service or systemctl used to stop Elastic Agent on Linux */ -(event.type == "end" and +(event.type == "start" and (process.name in ("systemctl", "service", "chkconfig", "update-rc.d") and - process.args : ("elastic-agent", "elastic-agent.service") and + process.args : ("elastic-agent", "elastic-agent.service", "ElasticEndpoint") and process.args : ("stop", "disable", "remove", "off", "kill", "mask")) or - /* pkill , killall used to stop Elastic Agent on Linux */ - ( event.type == "end" and process.name in ("pkill", "killall", "kill") and process.args: "elastic-agent") + /* pkill , killall used to stop Elastic Agent or Endpoint on Linux */ +(event.type == "start" and process.name in ("pkill", "killall", "kill") and process.args : ("elastic-agent", "elastic-endpoint")) or - /* Unload Elastic Agent extension on MacOS */ - (process.name : "kextunload" and - process.args : "com.apple.iokit.EndpointSecurity" and - event.action : "end")) + /* Unload Elastic Defend extension on MacOS */ +(event.type == "start" and process.name : "kextunload" and process.args : "com.apple.iokit.EndpointSecurity")) ''' note = """## Triage and analysis