Ok, did some tests:
Started with add java.exe as a trusted application around 18:30.
I was surprised I could only see hash and path as option to filter on? So this would mean all java.exe's on all endpoints are currently assumed trusted?
Checked the grap and it did not seem to have any effect. Is there anything else I need to do to push this to the Elastic Agent?
Only recently started playing with Lens. When I do sth similar with TSVB (Max Normalized CPU Usage By Process Name)
It shows the CPU only doing relatively short spikes.
So then I edited the endpoint-01 policy and unchecked File
In the endpoint details, I see:

This was done around 18:48
No change in CPU usage afterwards. But considering I might have misread the Lens graph, maybe this relatively shorter CPU spikes to 24 % are expected after all?
The weird thing is that when I am not using a filter on the endpoint process, the graph does dispaly the drops:
On the same dashboard, after setting a filter:

Grtz
Willem