diff --git a/aucoalesce/normalizations.yaml b/aucoalesce/normalizations.yaml
index 563e343..db3b273 100644
--- a/aucoalesce/normalizations.yaml
+++ b/aucoalesce/normalizations.yaml
@@ -548,6 +548,15 @@ normalizations:
 ecs:
 <<: *ecs-process
 type: change
+ - action: end
+ object:
+ what: process
+ how: syscall
+ syscalls:
+ # exit_group - exit all threads in a process
+ - exit_group
+ ecs: *ecs-process
+ type: end
 # Currently unhandled
 # this list comes from parsing linux man pages at https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git
@@ -673,7 +682,6 @@ normalizations:
 # acct - switch process accounting on or off
 # sigsuspend - wait for a signal
 # rt_sigsuspend - wait for a signal
- # exit_group - exit all threads in a process
 # socket - create an endpoint for communication
 # ioctl_userfaultfd - create a file descriptor for handling page faults in user space
 # sched_get_priority_max - get static priority range
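Review bot: In the first hunk, the new `exit_group` entry writes `ecs: *ecs-process` followed by `type: end`, whereas the entry just above it uses the merge form `ecs:` / `<<: *ecs-process` / `type: change`. With a plain alias the `ecs` value is the anchor's mapping unchanged, so `type: end` cannot override anything inside it: depending on the indentation (lost on this page) it is either a sibling key of `ecs` that the loader may ignore, or a parse error. If the intent is to tag process exits with ECS type `end`, write it as `ecs:` / `<<: *ecs-process` / `type: end`, and add a test event for `exit_group` that pins the resulting event type, since detections keyed on process-end events depend on that field. The `normalizations:` list and the `&ecs-process` anchor are defined outside the hunk, so the anchor's own `type` value cannot be checked from here.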