
Newly Observed Process Exhibiting High CPU Usage

Elastic Detection Rules

Summary
This rule alerts on processes that exhibit unusually high CPU usage and have been observed for the first time within the last five days. Such processes may indicate suspicious activity such as cryptomining, execution of malicious payloads, or other resource exploitation following a potential compromise of the host. Note that the rule may also surface legitimate processes that unexpectedly degrade performance.

The alert is based on system metrics collected by the Elastic Agent, specifically process samples showing over 90% CPU. The ES|QL query evaluates CPU usage over time and identifies newly observed processes that meet this threshold, keyed on unique hosts to reduce noise.

The rule also provides a setup and validation guide covering Elastic Agent prerequisites and the required configuration, along with investigation tips (examine the process name, command line, and associated parent process) and known false positives such as benign high-CPU processes.
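The logic described above, as an added example that is not the rule's own ES|QL query: it indexes the first time each (host, process) pair appears in the collected metrics, then emits one alert per pair that is newly observed within five days and has at least one sample above 90% CPU. The sample events, hosts, process names and the evaluation time are constructed for illustration.

```python
from datetime import datetime, timedelta

CPU_THRESHOLD = 0.90            # rule threshold: process using over 90% CPU
NEW_WINDOW = timedelta(days=5)  # "newly observed" = first seen within the last 5 days
NOW = datetime(2026, 1, 27, 10, 0)  # constructed evaluation time for the demo

# Constructed sample events (hypothetical, not the rule's data). cpu_pct is a fraction
# of one core, as the Elastic Agent's system.process.cpu.total.pct field reports it.
SAMPLES = [
    {"@timestamp": "2025-11-01T08:00:00", "host": "web-01", "process": "nginx", "cmd": "nginx -g daemon off;", "cpu_pct": 0.12},
    {"@timestamp": "2026-01-27T09:00:00", "host": "web-01", "process": "nginx", "cmd": "nginx -g daemon off;", "cpu_pct": 0.95},
    {"@timestamp": "2026-01-26T22:10:00", "host": "web-01", "process": "batch-worker", "cmd": "/tmp/.cache/batch-worker", "cpu_pct": 0.98},
    {"@timestamp": "2026-01-27T09:05:00", "host": "web-01", "process": "batch-worker", "cmd": "/tmp/.cache/batch-worker", "cpu_pct": 0.99},
    {"@timestamp": "2026-01-25T14:00:00", "host": "build-02", "process": "cc1", "cmd": "cc1 -O2 main.c", "cpu_pct": 0.97},
    {"@timestamp": "2026-01-27T09:10:00", "host": "build-02", "process": "sshd", "cmd": "sshd: user", "cpu_pct": 0.02},
]

def first_seen_index(samples):
    """Earliest timestamp at which each (host, process) pair appears in the metrics."""
    first = {}
    for s in samples:
        key = (s["host"], s["process"])
        ts = datetime.fromisoformat(s["@timestamp"])
        if key not in first or ts < first[key]:
            first[key] = ts
    return first

def new_high_cpu_processes(samples, now):
    """One alert per (host, process) first seen within NEW_WINDOW that has at least one
    sample above CPU_THRESHOLD. An established process that spikes (nginx here) is
    ignored; a brand-new compiler run (cc1) is flagged and is a likely false positive."""
    first = first_seen_index(samples)
    cutoff = now - NEW_WINDOW
    alerts = {}
    for s in samples:
        key = (s["host"], s["process"])
        if s["cpu_pct"] <= CPU_THRESHOLD or first[key] < cutoff:
            continue
        a = alerts.setdefault(key, {"host": s["host"], "process": s["process"], "cmd": s["cmd"],
                                    "first_seen": first[key].isoformat(), "max_cpu_pct": 0.0})
        a["max_cpu_pct"] = max(a["max_cpu_pct"], s["cpu_pct"])
    return sorted(alerts.values(), key=lambda a: (a["host"], a["process"]))

if __name__ == "__main__":
    for alert in new_high_cpu_processes(SAMPLES, NOW):
        print(alert)
```

Triage each alert by checking the command line and parent process; the compiler run on build-02 is the kind of benign high-CPU process the rule's false-positive notes describe.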
Categories
  • Endpoint
  • Cloud
  • Infrastructure
Data Sources
  • Process
  • Container
  • Sensor Health
ATT&CK Techniques
  • T1496
  • T1496.001
Created: 2026-01-27