Attempt to Unload Elastic Endpoint Security Kernel Extension

Elastic Detection Rules

Summary
This detection rule identifies attempts to unload the Elastic Endpoint Security kernel extension with the `kextunload` command on macOS. It relies on process events collected by Elastic Endpoint Security and fires when `kextunload` is executed against the `EndpointSecurity.kext` extension. Unloading this kernel extension is high-risk because it lets an adversary impair the host's detection capabilities, so such attempts should be identified promptly. The rule documents setup through Elastic Defend, the prerequisites for the Elastic Agent configuration, and the process-event monitoring needed to trace the activity. Suggested investigation steps include reviewing the process lineage and behavior, the user account involved, corroborating logs, and the context in which the command was run. Possible false positives, such as legitimate administrative tasks or software updates, are also addressed, with guidance to evaluate context and to consider exceptions during maintenance or testing windows. The rule is mapped to MITRE ATT&CK tactics and techniques to support threat detection and incident response planning.
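An added example, not the rule's own query or any code from Elastic: a small Python detector that applies the logic the summary describes to constructed ECS-style process events. The event shape, the `event.type` values and the sample install path are assumptions; the real rule is expressed as a query inside Elastic rather than as code.

```python
from pathlib import PurePosixPath

TARGET_KEXT = "EndpointSecurity.kext"  # extension name given on the page
START_TYPES = {"start", "process_started"}  # assumed ECS event.type values for a launch


def unloads_endpoint_kext(event: dict) -> bool:
    """True for a macOS process start of kextunload whose args name the Elastic kext."""
    ev, proc = event.get("event", {}), event.get("process", {})
    if ev.get("category") != "process":
        return False
    if event.get("host", {}).get("os", {}).get("type") != "macos":
        return False
    # ECS event.type may be a string or a list; accept either form.
    types = ev.get("type", [])
    types = {types} if isinstance(types, str) else set(types)
    if not types & START_TYPES:
        return False
    if proc.get("name") != "kextunload":
        return False
    # Match whether the kext is passed as a bare bundle name or as a full path.
    return any(PurePosixPath(a).name == TARGET_KEXT for a in proc.get("args", []))


def detect(events):
    """Return the events that match, in arrival order, for triage."""
    return [e for e in events if unloads_endpoint_kext(e)]


# Constructed sample events (the install path is illustrative): one true positive,
# a kextunload of an unrelated kext, a kextload (not an unload), and a Linux host.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-05T10:00:00Z", "event": {"category": "process", "type": ["start"]},
     "host": {"os": {"type": "macos"}}, "user": {"name": "admin"},
     "process": {"name": "kextunload",
                 "args": ["kextunload", "/Library/Extensions/EndpointSecurity.kext"]}},
    {"@timestamp": "2024-01-05T10:01:00Z", "event": {"category": "process", "type": ["start"]},
     "host": {"os": {"type": "macos"}}, "user": {"name": "admin"},
     "process": {"name": "kextunload", "args": ["kextunload", "/Library/Extensions/Other.kext"]}},
    {"@timestamp": "2024-01-05T10:02:00Z", "event": {"category": "process", "type": ["start"]},
     "host": {"os": {"type": "macos"}}, "user": {"name": "root"},
     "process": {"name": "kextload", "args": ["kextload", "EndpointSecurity.kext"]}},
    {"@timestamp": "2024-01-05T10:03:00Z", "event": {"category": "process", "type": "start"},
     "host": {"os": {"type": "linux"}}, "user": {"name": "root"},
     "process": {"name": "kextunload", "args": ["kextunload", "EndpointSecurity.kext"]}},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["@timestamp"], hit["user"]["name"], " ".join(hit["process"]["args"]))
```

The matched event carries the user and full argument list, which are the first things the summary's investigation steps ask an analyst to review.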
Categories
  • Endpoint
  • macOS
Data Sources
  • Process
  • Application Log
  • Container
ATT&CK Techniques
  • T1562
  • T1562.001
  • T1547
  • T1547.006
Created: 2020-01-05