
Summary
This detection rule identifies suspicious activity by correlating security alerts with processes that show unusually high CPU utilization on the same host and with the same process ID within a short timeframe. Such a combination may indicate malicious activity following an initial compromise, such as malware execution, an exploit payload running, cryptomining, or other abuse of system resources. The rule looks for processes whose CPU usage exceeds a predefined threshold (70%) and joins that observation across two data sources: system metrics and security alerts. When a process meets both criteria, the rule raises an alert that warrants further investigation into potentially malicious behavior. The setup requires the Elastic Agent to collect CPU metrics through the System integration, so that host resources are actually monitored. The rule supports incident response by surfacing abnormal CPU usage tied to security alerts, improving proactive detection of potential threats.
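To make the correlation logic concrete, the following is an added illustration in Python (not the rule's own query and not Elastic code): it joins constructed alert and metric events on host and process ID, keeps only metric samples above the 70% threshold, and requires the two to fall within a correlation window. The 5-minute window and the ECS-style field names are assumptions, since the page only says "a short timeframe".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

CPU_THRESHOLD = 0.70            # 70% of total CPU, as the rule summary states
WINDOW = timedelta(minutes=5)   # assumed correlation window; the page only says "short"

@dataclass(frozen=True)
class Event:
    timestamp: datetime
    host: str               # host.name
    pid: int                # process.pid
    kind: str               # "alert" (security alert) or "metric" (System integration sample)
    cpu_pct: float = 0.0    # process CPU share, 0.0-1.0; only meaningful for metrics
    name: str = ""          # alert rule name, for readability only

def correlate(events, threshold=CPU_THRESHOLD, window=WINDOW):
    """Return the set of (host, pid) pairs that have both a security alert and a
    CPU sample above `threshold`, with the two observations within `window`."""
    alerts = [e for e in events if e.kind == "alert"]
    hot = [e for e in events if e.kind == "metric" and e.cpu_pct > threshold]
    hits = set()
    for a in alerts:
        for m in hot:
            same_process = a.host == m.host and a.pid == m.pid
            if same_process and abs(a.timestamp - m.timestamp) <= window:
                hits.add((a.host, a.pid))
    return hits

def sample_events():
    """Constructed sample telemetry covering the match and the three non-matches."""
    t0 = datetime(2026, 1, 26, 10, 0, 0)
    return [
        Event(t0, "web-01", 4242, "alert", name="Suspicious PowerShell"),
        Event(t0 + timedelta(minutes=2), "web-01", 4242, "metric", cpu_pct=0.93),   # match
        Event(t0, "db-01", 1001, "alert", name="Credential Access Attempt"),
        Event(t0 + timedelta(minutes=1), "db-01", 1001, "metric", cpu_pct=0.20),    # below threshold
        Event(t0 + timedelta(minutes=1), "build-02", 777, "metric", cpu_pct=0.99),  # hot, but no alert
        Event(t0, "web-01", 5555, "alert", name="Web Shell Activity"),
        Event(t0 + timedelta(hours=2), "web-01", 5555, "metric", cpu_pct=0.95),     # outside window
    ]

if __name__ == "__main__":
    for host, pid in sorted(correlate(sample_events())):
        print(f"host={host} pid={pid}: security alert correlated with CPU > 70%")
```

Because operating systems reuse process IDs, a production version of this join should also match on a process start time or a unique process entity identifier rather than on the PID alone.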
Categories
- Endpoint
Data Sources
- Process
- Cloud Service
Created: 2026-01-26