From 52adb7187f6dc7d09ee1ed30f274dbf7a3343572 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 27 Feb 2026 08:56:27 +0000
Subject: [PATCH] Update impact_alerts_on_host_with_cpu_spike.toml (#5789)

---
 .../impact_alerts_on_host_with_cpu_spike.toml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/cross-platform/impact_alerts_on_host_with_cpu_spike.toml b/rules/cross-platform/impact_alerts_on_host_with_cpu_spike.toml
index 7c983d6b8..a62746b85 100644
--- a/rules/cross-platform/impact_alerts_on_host_with_cpu_spike.toml
+++ b/rules/cross-platform/impact_alerts_on_host_with_cpu_spike.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2026/01/26"
 maturity = "production"
-updated_date = "2026/02/16"
+updated_date = "2026/02/26"
 
 [rule]
 author = ["Elastic"]
@@ -81,6 +81,7 @@ FROM metrics-*, .alerts-security.* METADATA _index
 process_path = VALUES(process.executable),
 parent_process_path = VALUES(process.parent.executable),
 user_name = VALUES(user.name),
+ host_name = VALUES(host.name),
 cmdline = VALUES(process.command_line) by host.id
 // at least 3 unique high severity alerts and from a host with 90% CPU use
 | where host_with_cpu_spike > 0 and host_with_alerts > 0 and Esql.unique_alerts_count >= 3
@@ -88,8 +89,9 @@ FROM metrics-*, .alerts-security.* METADATA _index
 process.executable = MV_FIRST(process_path),
 process.parent.executable = MV_FIRST(parent_process_path),
 process.command_line = MV_FIRST(cmdline),
+ host.name = MV_FIRST(host_name),
 user.name = MV_FIRST(user_name)
-| KEEP user.name, host.id, process.*, Esql.*
+| KEEP user.name, host.name, host.id, process.*, Esql.*
 '''
 note = """## Triage and analysis
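Review bot: The new `host.name = MV_FIRST(host_name)` line in the third hunk yields an arbitrary name whenever a single `host.id` has reported more than one `host.name` within the query window, because `VALUES()` returns the set in no defined order and `MV_FIRST` takes whichever comes first; the resulting alert field is then not guaranteed to match the host that produced the `process.*` values picked the same way on the neighbouring lines. This is consistent with how the existing fields are handled, so the risk is mainly that an analyst treats the single `host.name` as authoritative during triage. A short ES|QL comment above the new EVAL line would make that explicit, e.g. `// host.name is an arbitrary pick when one host.id reports several names; key on host.id when pivoting`. The enclosing `query` string starts before the second hunk and the `note` string continues past the end of the third.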