Newly Observed Process Exhibiting High CPU Usage

This rule alerts on processes that exhibit high CPU usage and are observed for the first time within the previous 5 days. A previously unseen process consuming sustained CPU resources may indicate suspicious activity such as cryptomining, exploit payload execution, or other forms of resource abuse following host compromise. In some cases, this may also surface legitimate but unexpected software causing performance degradation.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/01/27"
maturity = "production"
updated_date = "2026/01/27"

[rule]
author = ["Elastic"]
description = """
This rule alerts on processes exhibiting high CPU usage and that are observed for the first time in the previous 5 days.
A previously unseen process consuming sustained CPU resources may indicate suspicious activity such as cryptomining,
exploit payload execution, or other forms of resource abuse following host compromise. In some cases, this may also
surface legitimate but unexpected software causing performance degradation.
"""
from = "now-7205m"
interval = "5m"
language = "esql"
license = "Elastic License v2"
name = "Newly Observed Process Exhibiting High CPU Usage"
setup = """## Setup

This rule requires host CPU metrics collected via the Elastic Agent **System** integration.

### System Metrics Integration Setup
The System integration collects host-level metrics such as CPU usage, load, memory, and process statistics and sends them to Elasticsearch using Elastic Agent.

#### Prerequisite Requirements:
- Elastic Agent managed by Fleet
- A Fleet Server configured and reachable
  Refer to the Fleet Server setup guide:
  https://www.elastic.co/guide/en/fleet/current/fleet-server.html

#### The following steps should be executed in order to enable CPU metrics collection:
- Go to the Kibana home page and click **Add integrations**.
- In the search bar, enter **System** and select the **System** integration.
- Click **Add System**.
- Configure an integration name and optionally add a description.
- Under **Metrics**, ensure the following datasets are enabled:
  - `system.cpu`
  - `system.load` (optional but recommended)
  - `system.process` (optional, if process-level CPU is required)
- Review optional and advanced settings as needed.
- Add the integration to an existing agent policy or create a new agent policy.
- Deploy the Elastic Agent to the hosts from which CPU metrics should be collected.
- Click **Save and Continue** to finalize the setup.

#### Validation
After deployment, verify CPU metrics ingestion by confirming the presence of documents in:
- `metrics-system.cpu-*`
- `metrics-system.load-*` (if enabled)

For more details on the System integration and available metrics, refer to the documentation:
https://docs.elastic.co/integrations/system
"""
risk_score = 73
rule_id = "f9de0949-94d8-441d-ae9a-8eb1e040acf2"
severity = "high"
tags = [
    "Use Case: Threat Detection",
    "Use Case: Observability",
    "Resources: Investigation Guide",
    "Domain: Endpoint",
    "Tactic: Impact"
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
FROM metrics-*
// more than 90% CPU use
| WHERE system.process.cpu.total.norm.pct >= 0.9 and process.name is not null
| STATS Esql.total_count = count(*),
        Esql.first_time_seen = MIN(@timestamp),
        Esql.agent_id_values = COUNT_DISTINCT(agent.id),
        Esql.system_process_cpu_total_norm_pct_values = MAX(system.process.cpu.total.norm.pct),
        Esql.process_command_line_values = VALUES(process.command_line),
        Esql.host_id_values = values(host.id),
        Esql.user_name_values = VALUES(user.name) by process.name
| eval Esql.recent = DATE_DIFF("minute", Esql.first_time_seen, now())
// first time seen is within 6m of the rule execution time and first seen in the last 5 days as per the rule's from/schedule, and limited to 1 unique host
| where Esql.recent <= 6 and Esql.agent_id_values == 1
// populate fields for rule exception
| eval host.id = MV_FIRST(Esql.host_id_values),
       process.command_line = MV_FIRST(Esql.process_command_line_values)
| keep host.id, process.name, process.command_line, Esql.*
'''
note = """## Triage and analysis

### Investigating Newly Observed Process Exhibiting High CPU Usage

This rule alerts on processes exhibiting high CPU usage and that are observed for the first time in the previous 5 days.

### Possible investigation steps
- Examine the process name, command line, and SHA-256 hash to determine whether the process is expected or known to be malicious.
- Validate the observed CPU usage and duration to determine whether the spike is abnormal for this process and host.
- Check for related process activity such as parent/child processes, suspicious process spawning, or privilege escalation attempts.
- Review additional host telemetry including:
  - Network connections initiated by the process
  - File creation or modification events
  - Persistence mechanisms (services, scheduled tasks, registry keys)
- Determine whether similar activity is observed on other hosts, which may indicate a broader compromise.

### False positive analysis
- Legitimate high-CPU processes such as software updates, backup agents, security scans, or system maintenance tasks.
- Resource-intensive but benign applications (e.g., compilers, video encoding, data processing jobs).
- Security tools or monitoring agents temporarily consuming high CPU.

### Related Rules

- Detection Alert on a Process Exhibiting CPU Spike - df9c0e92-5dee-4f1d-a760-3a5c039e4382
- Multiple Alerts on a Host Exhibiting CPU Spike - b7f77c3c-1bcb-4afc-9ace-49357007947b

### Response and remediation
- If malicious activity is confirmed, isolate the affected host to prevent further impact.
- Terminate the offending process if safe to do so.
- Remove any identified malicious binaries or artifacts and eliminate persistence mechanisms.
- Apply relevant patches or configuration changes to remediate the root cause.
- Monitor the environment for recurrence of similar high-CPU processes combined with security alerts.
- Escalate the incident if multiple hosts or indicators suggest coordinated or widespread activity."""

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1496"
name = "Resource Hijacking"
reference = "https://attack.mitre.org/techniques/T1496/"
[[rule.threat.technique.subtechnique]]
id = "T1496.001"
name = "Compute Hijacking"
reference = "https://attack.mitre.org/techniques/T1496/001/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
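To make the query's aggregation logic concrete, the following is an added Python re-implementation of the ES|QL pipeline above (WHERE, STATS ... BY process.name, the EVAL/WHERE on first-seen age and distinct agent count, and the final KEEP). It is example code written for this page, not part of the Elastic rule or repository. The documents, host and agent identifiers, process names, timestamps and the fixed execution time NOW are all constructed sample data; field names mirror the rule's.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds taken from the rule above.
CPU_THRESHOLD = 0.9                 # system.process.cpu.total.norm.pct >= 0.9
RECENT_MINUTES = 6                  # Esql.recent <= 6
LOOKBACK = timedelta(minutes=7205)  # from = "now-7205m" (5 days + 5 minutes)

# Fixed "rule execution time" so the example is deterministic (constructed).
NOW = datetime(2026, 1, 27, 12, 0, tzinfo=timezone.utc)


def _doc(minutes_ago, name, cmd, agent, host, user, pct):
    """Build one constructed metrics-* document with the fields the rule reads."""
    return {
        "@timestamp": NOW - timedelta(minutes=minutes_ago),
        "process.name": name,
        "process.command_line": cmd,
        "agent.id": agent,
        "host.id": host,
        "user.name": user,
        "system.process.cpu.total.norm.pct": pct,
    }


# Constructed sample data: one host (agent-A) runs a never-before-seen binary
# hot for the last few minutes; the remaining rows are the usual non-alerting cases.
SAMPLE_DOCS = [
    _doc(3, "newproc", "/tmp/newproc --threads 8", "agent-A", "host-A", "www", 0.95),
    _doc(1, "newproc", "/tmp/newproc --threads 8", "agent-A", "host-A", "www", 0.97),
    # already hot two days ago: first_time_seen is old, so not "newly observed"
    _doc(2880, "backup_agent", "/opt/backup/agent", "agent-A", "host-A", "root", 0.93),
    _doc(2, "backup_agent", "/opt/backup/agent", "agent-A", "host-A", "root", 0.95),
    # hot on two agents at once: agent_id_values == 2, suppressed by the rule
    _doc(2, "build_worker", "/usr/bin/build_worker", "agent-A", "host-A", "ci", 0.92),
    _doc(1, "build_worker", "/usr/bin/build_worker", "agent-B", "host-B", "ci", 0.92),
    # below the CPU threshold: dropped by the WHERE clause
    _doc(1, "idle_helper", "/usr/bin/idle_helper", "agent-B", "host-B", "ci", 0.30),
    # missing process.name: dropped by the WHERE clause
    _doc(1, None, None, "agent-B", "host-B", "ci", 0.99),
]


def evaluate(docs, now=NOW):
    """Mirror the rule: WHERE -> STATS ... BY process.name -> EVAL/WHERE -> KEEP."""
    window_start = now - LOOKBACK
    groups = defaultdict(list)
    for d in docs:
        # FROM metrics-* restricted to the rule's lookback window
        if not (window_start <= d["@timestamp"] <= now):
            continue
        # WHERE system.process.cpu.total.norm.pct >= 0.9 AND process.name IS NOT NULL
        if d["process.name"] is None or d["system.process.cpu.total.norm.pct"] < CPU_THRESHOLD:
            continue
        groups[d["process.name"]].append(d)

    alerts = []
    for name, rows in groups.items():
        first_seen = min(r["@timestamp"] for r in rows)            # MIN(@timestamp)
        agent_ids = {r["agent.id"] for r in rows}                  # COUNT_DISTINCT(agent.id)
        recent = int((now - first_seen).total_seconds() // 60)     # DATE_DIFF("minute", ...)
        # WHERE Esql.recent <= 6 AND Esql.agent_id_values == 1
        if recent > RECENT_MINUTES or len(agent_ids) != 1:
            continue
        alerts.append({
            "host.id": rows[0]["host.id"],                          # MV_FIRST(host.id values)
            "process.name": name,
            "process.command_line": rows[0]["process.command_line"],
            "Esql.total_count": len(rows),
            "Esql.first_time_seen": first_seen,
            "Esql.agent_id_values": len(agent_ids),
            "Esql.system_process_cpu_total_norm_pct_values": max(
                r["system.process.cpu.total.norm.pct"] for r in rows),
            "Esql.user_name_values": sorted({r["user.name"] for r in rows}),
        })
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_DOCS):
        print(a["process.name"], a["host.id"], a["Esql.system_process_cpu_total_norm_pct_values"])
```

Running it yields a single alert row for `newproc` on host-A. Two properties of the query are worth keeping in mind when tuning: the CPU filter runs before the aggregation, so "first time seen" means first time seen at or above 90% CPU within the 5-day window, and a long-running process that only now starts spiking will alert just like a brand-new binary; and the `agent_id_values == 1` condition deliberately suppresses a process that goes hot on several hosts in the same window, so a fleet-wide rollout is not reported by this rule.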
