Multiple Alerts on a Host Exhibiting CPU Spike

This rule correlates multiple security alerts from a host exhibiting unusually high CPU utilization within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2026/01/26"
maturity = "production"
updated_date = "2026/02/26"

[rule]
author = ["Elastic"]
description = """
This rule correlates multiple security alerts from a host exhibiting unusually high CPU utilization within a short time window.
This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution,
or abuse of system resources following initial compromise.
"""
from = "now-9m"
interval = "5m"
language = "esql"
license = "Elastic License v2"
name = "Multiple Alerts on a Host Exhibiting CPU Spike"
setup = """## Setup

This rule requires host CPU metrics collected via the Elastic Agent **System** integration.

### System Metrics Integration Setup
The System integration collects host-level metrics such as CPU usage, load, memory, and process statistics and sends them to Elasticsearch using Elastic Agent.

#### Prerequisite Requirements:
- Elastic Agent managed by Fleet
- A Fleet Server configured and reachable
  Refer to the Fleet Server setup guide:
  https://www.elastic.co/guide/en/fleet/current/fleet-server.html

#### The following steps should be executed in order to enable CPU metrics collection:
- Go to the Kibana home page and click **Add integrations**.
- In the search bar, enter **System** and select the **System** integration.
- Click **Add System**.
- Configure an integration name and optionally add a description.
- Under **Metrics**, ensure the following datasets are enabled:
  - `system.cpu`
  - `system.load` (optional but recommended)
  - `system.process` (optional, if process-level CPU is required)
- Review optional and advanced settings as needed.
- Add the integration to an existing agent policy or create a new agent policy.
- Deploy the Elastic Agent to the hosts from which CPU metrics should be collected.
- Click **Save and Continue** to finalize the setup.

#### Validation
After deployment, verify CPU metrics ingestion by confirming the presence of documents in:
- `metrics-system.cpu-*`
- `metrics-system.load-*` (if enabled)

For more details on the System integration and available metrics, refer to the documentation:
https://docs.elastic.co/integrations/system
"""
risk_score = 99
rule_id = "b7f77c3c-1bcb-4afc-9ace-49357007947b"
severity = "critical"
tags = [
    "Use Case: Threat Detection",
    "Rule Type: Higher-Order Rule",
    "Resources: Investigation Guide",
    "Domain: Endpoint",
    "Tactic: Impact"
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
FROM metrics-*, .alerts-security.*  METADATA _index
| where not KQL("""kibana.alert.rule.tags : "Rule Type: Higher-Order Rule" """)
| eval
       // hosts with more than 90% total CPU use
       cpu_metrics_host_ids = CASE(_index like ".ds-metrics-system.cpu-*" and system.cpu.total.norm.pct >= 0.9, host.id, null),
       // hosts with high severity security alerts
       alerts_host_ids = CASE(_index like ".internal.alerts-security.*" and kibana.alert.rule.name is not null and host.id is not null and kibana.alert.risk_score >= 73, host.id, null)
| stats host_with_cpu_spike = COUNT_DISTINCT(cpu_metrics_host_ids),
        host_with_alerts = COUNT_DISTINCT(alerts_host_ids),
        Esql.max_cpu_pct = MAX(system.cpu.total.norm.pct),
        Esql.unique_alerts_count = COUNT_DISTINCT(kibana.alert.rule.name),
        Esql.unique_process_count = COUNT_DISTINCT(process.entity_id),
        Esql.alerts = VALUES(kibana.alert.rule.name),
        Esql.process_hash_sha256 = VALUES(process.hash.sha256),
        process_path = VALUES(process.executable),
        parent_process_path = VALUES(process.parent.executable),
        user_name = VALUES(user.name),
        host_name = VALUES(host.name),
        cmdline = VALUES(process.command_line) by host.id
// at least 3 unique high severity alerts and from a host with 90% CPU use
| where host_with_cpu_spike > 0 and host_with_alerts > 0 and Esql.unique_alerts_count >= 3
| eval process.hash.sha256 = MV_FIRST(Esql.process_hash_sha256),
       process.executable = MV_FIRST(process_path),
       process.parent.executable = MV_FIRST(parent_process_path),
       process.command_line = MV_FIRST(cmdline),
       host.name = MV_FIRST(host_name),
       user.name = MV_FIRST(user_name)
| KEEP user.name, host.name, host.id, process.*, Esql.*
'''
note = """## Triage and analysis

### Investigating Multiple Alerts on a Host Exhibiting CPU Spike

This rule identifies hosts that both triggered multiple security alerts and exhibited unusually high CPU utilization
within a short time window. This combination may indicate malicious execution, resource abuse, or post-compromise activity.

### Possible investigation steps
- Review the correlated alert(s) to understand why the host was flagged by the detection alerts.
- Examine the involved process name, command line, and SHA-256 hash to determine whether those processes are expected or known to be malicious.
- Validate the observed CPU usage and duration to determine whether the spike is abnormal for this process and host.
- Check for related process activity such as parent/child processes, suspicious process spawning, or privilege escalation attempts.
- Review additional host telemetry including:
  - Network connections initiated by the process
  - File creation or modification events
  - Persistence mechanisms (services, scheduled tasks, registry keys)
- Determine whether similar activity is observed on other hosts, which may indicate a broader compromise.

### False positive analysis
- Legitimate high-CPU processes such as software updates, backup agents, security scans, or system maintenance tasks.
- Resource-intensive but benign applications (e.g., compilers, video encoding, data processing jobs).
- Security tools or monitoring agents temporarily consuming high CPU.

### Response and remediation
- If malicious activity is confirmed, isolate the affected host to prevent further impact.
- Terminate the offending process if safe to do so.
- Remove any identified malicious binaries or artifacts and eliminate persistence mechanisms.
- Apply relevant patches or configuration changes to remediate the root cause.
- Monitor the environment for recurrence of similar high-CPU processes combined with security alerts.
- Escalate the incident if multiple hosts or indicators suggest coordinated or widespread activity."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
```
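To see how the ES|QL query's eval, stats and where stages combine, here is the same correlation re-expressed in Python over constructed sample documents (an added example, not code from the Elastic rule or its repository; the index names, document shapes and threshold constants are simplified assumptions taken from the query above). It makes one behaviour of the query visible that is easy to miss: the distinct alert-name count is not restricted to high-risk alerts.

```python
from collections import defaultdict

CPU_THRESHOLD = 0.9       # system.cpu.total.norm.pct >= 0.9
RISK_THRESHOLD = 73       # kibana.alert.risk_score >= 73
MIN_UNIQUE_ALERTS = 3     # Esql.unique_alerts_count >= 3
HIGHER_ORDER_TAG = "Rule Type: Higher-Order Rule"

def cpu_doc(host, pct):   # constructed metrics-system.cpu document
    return {"_index": ".ds-metrics-system.cpu-default-000001", "host.id": host,
            "system.cpu.total.norm.pct": pct}

def alert_doc(host, name, risk, exe, tags=()):   # constructed security alert document
    return {"_index": ".internal.alerts-security.alerts-default-000001", "host.id": host,
            "kibana.alert.rule.name": name, "kibana.alert.risk_score": risk,
            "process.executable": exe, "kibana.alert.rule.tags": list(tags)}

# Constructed sample data (not real telemetry): only h1 satisfies every condition.
SAMPLE_DOCS = [
    cpu_doc("h1", 0.97), cpu_doc("h2", 0.35), cpu_doc("h3", 0.95),
    alert_doc("h1", "Rule A", 73, "/tmp/a"), alert_doc("h1", "Rule B", 21, "/tmp/b"),
    alert_doc("h1", "Rule C", 99, "/tmp/c"),       # 3 distinct names, one of them >= 73
    alert_doc("h2", "Rule A", 99, "/tmp/a"), alert_doc("h2", "Rule B", 99, "/tmp/b"),
    alert_doc("h2", "Rule C", 99, "/tmp/c"),       # plenty of alerts, but no CPU spike
    alert_doc("h3", "Rule A", 99, "/tmp/a"), alert_doc("h3", "Rule A", 99, "/tmp/a"),
    alert_doc("h3", "Rule X", 99, "/tmp/x", tags=[HIGHER_ORDER_TAG]),  # dropped by KQL filter
]

def correlate(docs):
    """Mirror the query's eval -> stats -> where stages; return {host.id: summary} for hits."""
    agg = defaultdict(lambda: {"cpu_spike": False, "high_alert": False,
                               "alerts": set(), "max_cpu": None, "execs": set()})
    for d in docs:
        host = d.get("host.id")   # a null host.id can never satisfy either CASE()
        if host is None or HIGHER_ORDER_TAG in d.get("kibana.alert.rule.tags", []):
            continue              # second test is the `where not KQL(...)` clause
        a = agg[host]
        if d["_index"].startswith(".ds-metrics-system.cpu-"):
            pct = d["system.cpu.total.norm.pct"]
            a["max_cpu"] = pct if a["max_cpu"] is None else max(a["max_cpu"], pct)
            a["cpu_spike"] |= pct >= CPU_THRESHOLD               # cpu_metrics_host_ids
        elif d["_index"].startswith(".internal.alerts-security."):
            a["alerts"].add(d["kibana.alert.rule.name"])         # COUNT_DISTINCT(rule.name)
            a["execs"].add(d["process.executable"])
            a["high_alert"] |= d["kibana.alert.risk_score"] >= RISK_THRESHOLD  # alerts_host_ids
    # The distinct-name count is not conditioned on risk score, so low-risk alert names
    # also count toward the >= 3 threshold; only one alert per host must be >= 73.
    return {h: {"max_cpu": a["max_cpu"], "unique_alerts": len(a["alerts"]),
                "process.executable": sorted(a["execs"])[0]}    # deterministic MV_FIRST stand-in
            for h, a in agg.items()
            if a["cpu_spike"] and a["high_alert"] and len(a["alerts"]) >= MIN_UNIQUE_ALERTS}
```

When tuning the rule, use this kind of offline replay to check that a proposed change (for example, requiring all three alert names to be high-risk) still fires on the hosts you expect before editing the production query.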
