diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
new file mode 100644
index 00000000000..d368bfb44f0
--- /dev/null
+++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2022/05/23"
+maturity = "production"
+updated_date = "2022/05/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to
+disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This
+may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a
+stable state.
+"""
+from = "now-9m"
+index = ["logs-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Elastic Agent Service Terminated"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
+risk_score = 47
+rule_id = "b627cd12-dac4-11ec-9582-f661ea17fbcd"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where
+/* net, sc or wmic stopping or deleting Elastic Agent on Windows */
+(event.type == "start" and
+  process.name : ("net.exe", "sc.exe", "wmic.exe","powershell.exe","taskkill.exe","PsKill.exe","ProcessHacker.exe") and 
+  process.args : ("stopservice","uninstall", "stop", "disabled","Stop-Process","terminate","suspend") and
+  process.args : ("elasticendpoint", "Elastic Agent","elastic-agent","elastic-endpoint")) 
+or
+/* service or systemctl used to stop Elastic Agent on Linux */
+(event.type == "end" and
+  (process.name : ("systemctl","service") and 
+    process.args : ("elastic-agent", "stop")) 
+  or 
+  /* Unload Elastic Agent extension on MacOS */
+  (process.name : "kextunload" and
+    process.args : "com.apple.iokit.EndpointSecurity" and 
+    event.action : "end"))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+