Userworlds like the NSX Distributed IDS/IPS do not reserve CPU resources except for a tiny percentage of a single core. The multi-threaded Distributed IDS/IPS engine spins up 5 worker threads. If sufficient CPU resources are available, these threads are spread across distinct cores. As a result, IDS/IPS can use the resources of at most 5 cores.
The thresholds for IDS/IPS CPU utilization used by the Alarm Framework are set to 75%, 85% and 95%, and they reflect the usage percentage of only a single CPU. Depending on the number of cores used by the Distributed IDS/IPS engine, the actual CPU usage can go up to 500% (5 cores x 100% utilization) and so exceed the thresholds set by the Alarm Framework. In most cases, this is not a reason for concern.