
Summary
This rule detects suspicious activity in AWS S3 buckets: the upload of files that resemble ransomware notes. Attackers typically use distinctive filenames such as HOW_TO_DECRYPT_FILES.txt or RANSOM_NOTE.txt to deliver ransom demands to victims after a ransomware attack. The rule monitors AWS CloudTrail logs for S3 PutObject events whose object keys match common ransomware note patterns. Upon detection, the rule triggers a query of CloudTrail logs for related activity, supporting a deeper investigation into potential unauthorized access or malicious uploads. This includes examining the same principal's previous S3 API calls and checking user behavior to identify anomalies or coordinated attack patterns.
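The following is an added illustration of the detection logic described above, written for this page rather than taken from the rule itself: it filters constructed CloudTrail-style records for S3 PutObject events with note-like keys and then pivots the hits by IAM principal for the follow-up query. The pattern list, record contents and principal ARN are assumptions; only HOW_TO_DECRYPT_FILES.txt and RANSOM_NOTE.txt come from the page.

```python
import re
from collections import defaultdict

# Assumed pattern set: the page names HOW_TO_DECRYPT_FILES.txt and RANSOM_NOTE.txt; the other
# shapes are added here for illustration and are not the rule's published list.
RANSOM_NOTE_PATTERNS = [
    re.compile(r"(?i)(^|/)HOW_TO_DECRYPT[_A-Z]*\.(txt|html?)$"),
    re.compile(r"(?i)(^|/)RANSOM_NOTE\.(txt|html?)$"),
    re.compile(r"(?i)(^|/)(README|RECOVER|RESTORE)[_-]?(YOUR[_-]?)?FILES\.(txt|html?)$"),
]

def is_ransom_note_key(key):
    """True if an S3 object key (with or without a prefix) looks like a ransomware note."""
    return any(p.search(key) for p in RANSOM_NOTE_PATTERNS)

def detect_ransom_note_uploads(records):
    """Yield one alert per S3 PutObject whose key matches. PutObject is only recorded when the
    trail has S3 data (object-level) events enabled; a management-only trail never fires this."""
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") != "PutObject":
            continue
        params = rec.get("requestParameters") or {}
        key = params.get("key", "")
        if is_ransom_note_key(key):
            yield {"time": rec.get("eventTime"), "principal": rec.get("userIdentity", {}).get("arn"),
                   "source_ip": rec.get("sourceIPAddress"), "bucket": params.get("bucketName"), "key": key}

def summarize_by_principal(alerts):
    """Pivot hits by IAM principal: one identity dropping notes into several buckets is the lead
    to chase through the rest of that principal's CloudTrail activity."""
    hits = defaultdict(set)
    for a in alerts:
        hits[a["principal"]].add(a["bucket"])
    return {p: sorted(b) for p, b in hits.items()}

# Constructed CloudTrail-style records for demonstration (not real telemetry).
_ID = {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}
SAMPLE_RECORDS = [
    {"eventTime": "2025-12-10T03:14:07Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": _ID, "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"bucketName": "finance-reports", "key": "2025/HOW_TO_DECRYPT_FILES.txt"}},
    {"eventTime": "2025-12-10T03:14:09Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": _ID, "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"bucketName": "finance-reports", "key": "2025/q4/report.csv"}},
    {"eventTime": "2025-12-10T03:15:31Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": _ID, "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"bucketName": "hr-archive", "key": "RANSOM_NOTE.txt"}},
]
```

Running `summarize_by_principal(list(detect_ransom_note_uploads(SAMPLE_RECORDS)))` maps the single principal to both affected buckets, which is the starting point for reviewing that identity's other CloudTrail events.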
Categories
- Cloud
- AWS
- Infrastructure
Data Sources
- Cloud Storage
- Logon Session
Created: 2025-12-10