
Summary
This detection rule analyzes CPU utilization by shell processes running on Kubernetes worker nodes to identify potential security threats. Using data from the OpenTelemetry Collector, it assesses two key indicators: process.cpu.utilization and process.memory.utilization. By filtering for known shell executables (e.g., sh, bash), the rule is designed to spot unauthorized shell activity that may indicate a compromise. High CPU usage by these processes can suggest malicious behavior consistent with attacks aiming for resource control, data exfiltration, or lateral movement within the cluster. Implementing this detection requires collecting the necessary metrics and ensuring the Splunk environment is properly integrated with the Kubernetes resources being monitored.
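The following is an added illustration of the detection logic described above; it is not the rule's own Splunk search, and the OpenTelemetry metric records, the shell executable list beyond sh and bash, and the 80% CPU and 50% memory thresholds are assumptions chosen for the example. It evaluates constructed process metrics from two worker nodes, keeps only records whose executable is a shell, and reports which utilization indicator tripped.

```python
"""Added example: flag high-utilization shell processes on Kubernetes worker nodes.

Input records mirror the OpenTelemetry process metrics named on the page
(process.cpu.utilization, process.memory.utilization) plus the node and
executable attributes needed to filter and attribute a finding.
"""
from dataclasses import dataclass

# Assumption: the page names sh and bash; the other entries are common shells
# added here so the example generalizes to other node images.
SHELL_EXECUTABLES = {"sh", "bash", "dash", "ash", "zsh"}

# Assumption: thresholds are expressed as fractions (OpenTelemetry reports
# process.cpu.utilization in the range 0.0 to 1.0) and should be tuned per cluster.
CPU_THRESHOLD = 0.80
MEMORY_THRESHOLD = 0.50


@dataclass(frozen=True)
class ProcessMetric:
    node: str                 # k8s.node.name
    pid: int                  # process.pid
    executable: str           # process.executable.path or process.executable.name
    cpu_utilization: float    # process.cpu.utilization (fraction of available CPU)
    memory_utilization: float # process.memory.utilization (fraction of available memory)


def is_shell(executable: str) -> bool:
    """Match on the basename so '/bin/bash' and 'bash' are treated alike."""
    return executable.rsplit("/", 1)[-1] in SHELL_EXECUTABLES


def evaluate(metrics, cpu_threshold=CPU_THRESHOLD, memory_threshold=MEMORY_THRESHOLD):
    """Return one finding per shell process that exceeds either threshold.

    Each finding records the node, pid, executable, the observed values and the
    list of indicators that fired, so an analyst can see why it was raised.
    """
    findings = []
    for m in metrics:
        if not is_shell(m.executable):
            continue  # non-shell processes are out of scope for this rule
        reasons = []
        if m.cpu_utilization >= cpu_threshold:
            reasons.append("cpu")
        if m.memory_utilization >= memory_threshold:
            reasons.append("memory")
        if reasons:
            findings.append({
                "node": m.node,
                "pid": m.pid,
                "executable": m.executable,
                "cpu_utilization": m.cpu_utilization,
                "memory_utilization": m.memory_utilization,
                "reasons": reasons,
            })
    return findings


# Constructed sample: four processes across two worker nodes. Only the two shell
# processes above threshold (pid 101 on cpu, pid 404 on cpu and memory) should fire.
SAMPLE_METRICS = [
    ProcessMetric("worker-1", 101, "/bin/bash", 0.92, 0.05),
    ProcessMetric("worker-1", 202, "/usr/bin/python3", 0.95, 0.30),  # busy, but not a shell
    ProcessMetric("worker-2", 303, "sh", 0.10, 0.02),                 # shell, idle
    ProcessMetric("worker-2", 404, "/bin/sh", 0.85, 0.61),
]


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_METRICS):
        print(f"{finding['node']} pid={finding['pid']} {finding['executable']} "
              f"cpu={finding['cpu_utilization']:.2f} mem={finding['memory_utilization']:.2f} "
              f"reasons={','.join(finding['reasons'])}")
```

Running the script prints the two findings, one per flagged shell process. In a real deployment the same filter-then-threshold logic would run against the metrics the OpenTelemetry Collector ships to Splunk, with the thresholds baselined against normal shell activity on the nodes rather than fixed in code.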
Categories
- Kubernetes
- Cloud
- Infrastructure
Data Sources
- Process
- Container
ATT&CK Techniques
- T1204
Created: 2024-11-14