diff --git a/aucoalesce/normalizations.yaml b/aucoalesce/normalizations.yaml
index 663ef14..0bee5d5 100644
--- a/aucoalesce/normalizations.yaml
+++ b/aucoalesce/normalizations.yaml
@@ -1251,7 +1251,7 @@ normalizations:
       what: service
     ecs:
       <<: *ecs-process
-      type: stop
+      type: end
   # AUDIT_DAEMON_ACCEPT - Auditd accepted remote connection
   - record_types: DAEMON_ACCEPT
     action: remote-audit-connected