```esql
FROM metrics-*
// more than 90% CPU use
| WHERE system.process.cpu.total.norm.pct >= 0.9 AND process.name IS NOT NULL
| STATS Esql.total_count = COUNT(*),
        Esql.first_time_seen = MIN(@timestamp),
        Esql.agent_id_values = COUNT_DISTINCT(agent.id),
        Esql.system_process_cpu_total_norm_pct_values = MAX(system.process.cpu.total.norm.pct),
        Esql.process_command_line_values = VALUES(process.command_line),
        Esql.host_id_values = VALUES(host.id),
        Esql.user_name_values = VALUES(user.name)
  BY process.name
| EVAL Esql.recent = DATE_DIFF("minute", Esql.first_time_seen, NOW())
// first time seen is within 6 minutes of the rule execution time and first seen in the last 5 days
// as per the rule's schedule, and limited to 1 unique host
| WHERE Esql.recent <= 6 AND Esql.agent_id_values == 1
// populate fields for rule exception
| EVAL host.id = MV_FIRST(Esql.host_id_values),
       process.command_line = MV_FIRST(Esql.process_command_line_values)
| KEEP host.id, process.name, process.command_line, Esql.*
```
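The following is an added example, not part of the rule or of Elastic's code: it re-implements the query's pipeline (threshold filter, `STATS ... BY process.name`, the `DATE_DIFF` recency check and the single-agent condition) in plain Python over a handful of constructed metric documents, so the two "newly observed" conditions can be traced offline before the rule is tuned. Field names mirror the query; the sample documents, the fixed execution time `NOW`, and the process names in them are constructed, and the in-memory list stands in for the rule's lookback window.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "rule execution time" so the walk-through is deterministic (constructed).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def _doc(minutes_ago, agent, host, name, cmdline, user, cpu):
    """Build one constructed metrics-* document with the fields the rule reads."""
    return {
        "@timestamp": NOW - timedelta(minutes=minutes_ago),
        "agent.id": agent,
        "host.id": host,
        "process.name": name,
        "process.command_line": cmdline,
        "user.name": user,
        "system.process.cpu.total.norm.pct": cpu,
    }


# Constructed sample data covering each branch of the query.
SAMPLE_DOCS = [
    # Busy process first seen 3 minutes ago on exactly one host: expected to alert.
    _doc(3, "agent-a", "host-a", "cpu-hog", "/tmp/cpu-hog --loop", "www-data", 0.97),
    _doc(1, "agent-a", "host-a", "cpu-hog", "/tmp/cpu-hog --loop", "www-data", 0.99),
    # Long-running compiler, first seen two hours ago: fails the 6-minute recency check.
    _doc(120, "agent-a", "host-a", "cc1", "cc1 -O2 main.c", "build", 0.95),
    _doc(2, "agent-a", "host-a", "cc1", "cc1 -O2 main.c", "build", 0.93),
    # New but seen on two agents in the window: fails the single-agent condition.
    _doc(4, "agent-b", "host-b", "java", "java -jar app.jar", "svc", 0.92),
    _doc(2, "agent-c", "host-c", "java", "java -jar app.jar", "svc", 0.94),
    # Below the CPU threshold: dropped by the first WHERE.
    _doc(2, "agent-a", "host-a", "sshd", "/usr/sbin/sshd -D", "root", 0.10),
    # Missing process.name: dropped by IS NOT NULL.
    _doc(1, "agent-a", "host-a", None, None, "root", 0.95),
]


def evaluate_rule(docs, now=NOW, cpu_threshold=0.9, recent_minutes=6):
    """Apply the rule's ES|QL pipeline to in-memory documents and return the rows
    that would become alerts, with the same Esql.* fields the query emits."""
    # | WHERE cpu >= 0.9 AND process.name IS NOT NULL
    hits = [
        d for d in docs
        if d["system.process.cpu.total.norm.pct"] >= cpu_threshold
        and d["process.name"] is not None
    ]

    # | STATS ... BY process.name
    groups = defaultdict(list)
    for d in hits:
        groups[d["process.name"]].append(d)

    alerts = []
    for name, rows in groups.items():
        first_seen = min(r["@timestamp"] for r in rows)          # MIN(@timestamp)
        agent_ids = {r["agent.id"] for r in rows}                 # COUNT_DISTINCT(agent.id)
        # | EVAL Esql.recent = DATE_DIFF("minute", first_seen, NOW()) (whole minutes)
        recent = int((now - first_seen).total_seconds() // 60)

        # | WHERE Esql.recent <= 6 AND Esql.agent_id_values == 1
        if recent > recent_minutes or len(agent_ids) != 1:
            continue

        # | EVAL host.id = MV_FIRST(...), process.command_line = MV_FIRST(...)
        # VALUES() does not guarantee order in ES|QL; the first row approximates MV_FIRST here.
        alerts.append({
            "host.id": rows[0]["host.id"],
            "process.name": name,
            "process.command_line": rows[0]["process.command_line"],
            "Esql.total_count": len(rows),
            "Esql.first_time_seen": first_seen,
            "Esql.agent_id_values": len(agent_ids),
            "Esql.system_process_cpu_total_norm_pct_values": max(
                r["system.process.cpu.total.norm.pct"] for r in rows
            ),
            "Esql.user_name_values": sorted({r["user.name"] for r in rows}),
            "Esql.recent": recent,
        })
    return alerts


if __name__ == "__main__":
    for row in evaluate_rule(SAMPLE_DOCS):
        print(row["process.name"], row["host.id"], "recent(min)=", row["Esql.recent"])
```

Only `cpu-hog` survives: `cc1` is too old and `java` is spread across two agents. Note that "first seen" is computed over whatever the rule's lookback window holds (5 days per the query's comment), so a process absent for longer than that counts as new again when it returns; widening `recent_minutes` in the simulation shows how quickly the long-running `cc1` group would start alerting.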
Install detection rules in Elastic Security
Detect Newly Observed Process Exhibiting High CPU Usage in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.