
Summary
This detection rule identifies hosts that experience an unusual CPU spike while also generating multiple high-severity security alerts. Such behavior may indicate malicious activity, including malware execution, cryptomining, execution of exploit payloads, or the abuse of system resources following an initial compromise. The rule uses an ESQL query that correlates security alert data with CPU usage metrics to find hosts that have both shown high CPU utilization (over 90% in this case) and triggered three or more unique high-severity alerts. The rule requires host CPU metrics to be collected via the Elastic Agent's System integration, which provides the data the query depends on. Validation steps confirm that CPU metrics are being ingested as expected, and a thorough investigation process is laid out for security analysts to follow when an alert fires. Overall, this rule is crucial for flagging potential threats that could lead to significant impacts on the organization's systems.
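The rule's two conditions, re-implemented in Python over constructed sample documents as an added example (this is not the rule's own ESQL). The field names follow ECS and the Elastic Agent System integration (`host.name`, `system.cpu.total.norm.pct`, `kibana.alert.severity`, `kibana.alert.rule.name`) and are an assumption about what the query reads; the thresholds are the ones stated above.

```python
"""Host CPU spike + multiple unique high-severity alerts (constructed sample data)."""
from collections import defaultdict

CPU_THRESHOLD = 0.90          # normalized total CPU, i.e. over 90%
MIN_UNIQUE_HIGH_ALERTS = 3    # three or more distinct high-severity rules

# Constructed sample CPU metric documents (System integration, normalized 0..1).
CPU_METRICS = [
    {"host.name": "web-01", "system.cpu.total.norm.pct": 0.97},
    {"host.name": "web-01", "system.cpu.total.norm.pct": 0.42},
    {"host.name": "db-01", "system.cpu.total.norm.pct": 0.95},
    {"host.name": "app-02", "system.cpu.total.norm.pct": 0.35},
    {"host.name": "batch-03", "system.cpu.total.norm.pct": 0.99},
]

# Constructed sample security alert documents. Rule names are placeholders.
ALERTS = [
    {"host.name": "web-01", "kibana.alert.severity": "high", "kibana.alert.rule.name": "Rule A"},
    {"host.name": "web-01", "kibana.alert.severity": "high", "kibana.alert.rule.name": "Rule B"},
    {"host.name": "web-01", "kibana.alert.severity": "high", "kibana.alert.rule.name": "Rule B"},  # duplicate
    {"host.name": "web-01", "kibana.alert.severity": "high", "kibana.alert.rule.name": "Rule C"},
    {"host.name": "web-01", "kibana.alert.severity": "medium", "kibana.alert.rule.name": "Rule D"},
    {"host.name": "db-01", "kibana.alert.severity": "high", "kibana.alert.rule.name": "Rule A"},
    {"host.name": "db-01", "kibana.alert.severity": "high", "kibana.alert.rule.name": "Rule C"},
    {"host.name": "app-02", "kibana.alert.severity": "high", "kibana.alert.rule.name": "Rule A"},
    {"host.name": "app-02", "kibana.alert.severity": "high", "kibana.alert.rule.name": "Rule B"},
    {"host.name": "app-02", "kibana.alert.severity": "high", "kibana.alert.rule.name": "Rule C"},
]

def cpu_spiking_hosts(metrics, threshold=CPU_THRESHOLD):
    """Return {host: peak normalized CPU} for hosts with any sample above threshold."""
    peaks = {}
    for doc in metrics:
        host = doc["host.name"]
        peaks[host] = max(peaks.get(host, 0.0), doc["system.cpu.total.norm.pct"])
    return {h: v for h, v in peaks.items() if v > threshold}

def unique_high_alerts(alerts):
    """Return {host: set of distinct high-severity rule names}; duplicates count once."""
    rules = defaultdict(set)
    for doc in alerts:
        if doc.get("kibana.alert.severity") == "high":
            rules[doc["host.name"]].add(doc["kibana.alert.rule.name"])
    return rules

def detect(metrics, alerts, threshold=CPU_THRESHOLD, min_alerts=MIN_UNIQUE_HIGH_ALERTS):
    """Hosts meeting BOTH conditions, with the evidence an analyst would want to see."""
    spikes, high = cpu_spiking_hosts(metrics, threshold), unique_high_alerts(alerts)
    return {
        host: {"max_cpu_pct": round(peak * 100, 1), "unique_high_alerts": sorted(high.get(host, ()))}
        for host, peak in spikes.items()
        if len(high.get(host, ())) >= min_alerts
    }

if __name__ == "__main__":
    for host, evidence in detect(CPU_METRICS, ALERTS).items():
        print(host, evidence)
```

Only web-01 is flagged: db-01 spikes but has just two distinct high-severity rules, app-02 has three but no CPU spike, and batch-03 spikes with no alerts at all.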
Categories
- Endpoint
Data Sources
- Pod
- Container
- User Account
- Process
Created: 2026-01-26