
Summary
This rule detects when the Elastic Agent, a key endpoint monitoring component, stops functioning on a host. Such an event can indicate an attack in progress, since adversaries often disable security tooling to evade detection. The rule identifies suspicious process terminations and the arguments used to perform them across Windows, Linux, and macOS. Effective use of this rule requires proper setup and allowance for legitimate maintenance activity, so that false positives are limited without weakening detection.
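As an added illustration (not the rule's actual query or Elastic's code), the following Python sketch applies the same idea to constructed process events: flag a known termination tool whose arguments name the agent, and suppress a documented maintenance account to limit false positives. The tool and subcommand lists, the allowlist and the sample events are assumptions, not taken from the page.

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass
class ProcessEvent:
    os: str          # "windows", "linux" or "macos"
    process_name: str
    args: List[str]
    user: str

# Any argument naming the agent binary, Windows service or launchd label.
AGENT_NAME = re.compile(r"elastic[-_ ]?agent", re.IGNORECASE)
# Assumed lists (not from the page): tools that terminate directly, and
# service managers that only count when paired with a stopping subcommand.
KILL_TOOLS = {"windows": {"taskkill.exe"},
              "linux": {"kill", "pkill", "killall"},
              "macos": {"kill", "pkill", "killall"}}
SERVICE_TOOLS = {"windows": {"sc.exe": {"stop", "delete"}, "net.exe": {"stop"}},
                 "linux": {"systemctl": {"stop", "disable", "kill"}, "service": {"stop"}},
                 "macos": {"launchctl": {"unload", "stop", "bootout", "remove"}}}
# Constructed allowlist standing in for a documented maintenance account.
MAINTENANCE_USERS = {"svc-patching"}

def is_agent_termination(ev: ProcessEvent) -> bool:
    name = ev.process_name.lower()
    if not AGENT_NAME.search(" ".join(ev.args)):
        return False  # a kill by PID alone names no agent: a known blind spot
    if name in KILL_TOOLS.get(ev.os, set()):
        return True
    verbs = SERVICE_TOOLS.get(ev.os, {}).get(name, set())
    return any(a.lower() in verbs for a in ev.args)

def triage(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Keep terminations not attributable to the maintenance allowlist."""
    return [ev for ev in events
            if is_agent_termination(ev) and ev.user not in MAINTENANCE_USERS]

# Constructed sample telemetry: three alerts, one maintenance stop that is
# suppressed, one benign status check and one PID-only kill the check cannot see.
SAMPLE_EVENTS = [
    ProcessEvent("windows", "taskkill.exe", ["/F", "/IM", "elastic-agent.exe"], "jdoe"),
    ProcessEvent("linux", "systemctl", ["stop", "elastic-agent"], "svc-patching"),
    ProcessEvent("macos", "launchctl",
                 ["unload", "/Library/LaunchDaemons/co.elastic.elastic-agent.plist"], "root"),
    ProcessEvent("linux", "systemctl", ["status", "elastic-agent"], "ops"),
    ProcessEvent("linux", "kill", ["-9", "4242"], "root"),
    ProcessEvent("windows", "sc.exe", ["stop", "Elastic Agent"], "jdoe"),
]
```

The PID-only kill in the sample shows why the argument check alone is not sufficient and why the rule also relies on the Application Log data source.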
Categories
- Endpoint
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1562
- T1562.001
Created: 2022-05-23