Windows High File Deletion Frequency

Splunk Security Content

Summary
This detection rule identifies a high frequency of file deletions in a Windows environment by monitoring Sysmon Event Codes 23 (Delete File) and 26 (FileCreateStreamHash). Specifically, it targets files with extensions often associated with sensitive data or documents. The detection uses Sysmon logs to extract the deleted filenames alongside the corresponding process names and process IDs. Such file deletion patterns may indicate ransomware activity, where malicious actors encrypt files and then delete the originals to hinder recovery. If confirmed malicious, this behavior could result in critical data loss and significant disruption of operations. The rule uses a threshold of 100 deletions to trigger an alert, which minimizes false positives from legitimate user activity such as mass deletions of pictures or temporary files.
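The detection logic described above, as an added worked example in Python rather than the rule's own SPL (this is not the Splunk Security Content rule and does not reproduce its search). It filters Sysmon-style records by Event Code 23 or 26, keeps only deletions of watched extensions, groups them by host, process image and process ID, and alerts at the page's threshold of 100. The field names (`EventCode`, `Computer`, `Image`, `ProcessId`, `TargetFilename`), the extension list and the sample events are all assumptions constructed for the example.

```python
"""Threshold-based detection of high-frequency file deletion, modelled on the
rule summary: Sysmon EventCode 23 or 26, document-like extensions, grouped by
process, alert at >= 100 deletions.

Added example. The field names, extension list and sample events below are
assumed/constructed and are not taken from the Splunk Security Content rule."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

DELETE_EVENT_CODES = {23, 26}   # Sysmon event codes named in the rule summary
DELETION_THRESHOLD = 100        # alert threshold stated in the rule summary

# Assumed set of extensions "often associated with sensitive data or documents".
SENSITIVE_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
    ".jpg", ".jpeg", ".png", ".zip", ".rar", ".7z", ".bak", ".db",
}


def has_sensitive_extension(target_filename: str) -> bool:
    """True if the deleted file's extension is watched (case-insensitive, any path style)."""
    name = target_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return False
    return "." + name.rsplit(".", 1)[-1].lower() in SENSITIVE_EXTENSIONS


Key = Tuple[str, str, int]  # (host, process image, process id)


def count_deletions(events: Iterable[Dict]) -> Dict[Key, List[str]]:
    """Group qualifying delete events by host/process, keeping the deleted filenames."""
    deleted: Dict[Key, List[str]] = defaultdict(list)
    for ev in events:
        try:
            code = int(ev.get("EventCode", -1))
        except (TypeError, ValueError):
            continue  # malformed record: skip rather than crash the detection
        if code not in DELETE_EVENT_CODES:
            continue
        target = ev.get("TargetFilename", "")
        if not has_sensitive_extension(target):
            continue
        key = (ev.get("Computer", "?"), ev.get("Image", "?"), int(ev.get("ProcessId", 0)))
        deleted[key].append(target)
    return deleted


def find_high_frequency_deleters(events: Iterable[Dict], threshold: int = DELETION_THRESHOLD) -> List[Dict]:
    """Return one alert per host/process whose watched-file deletions reach the threshold."""
    alerts = []
    for (host, image, pid), names in count_deletions(events).items():
        if len(names) >= threshold:
            alerts.append({"host": host, "process": image, "pid": pid,
                           "count": len(names), "sample": names[:5]})
    return alerts


def build_sample_events() -> List[Dict]:
    """Constructed Sysmon-like records: one bulk document deletion, one benign photo cleanup, noise."""
    events = []
    # Suspicious: a single unknown process deletes 120 office documents (Event Code 23).
    for i in range(120):
        events.append({"EventCode": "23", "Computer": "ws01",
                       "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
                       "ProcessId": "4120",
                       "TargetFilename": rf"C:\Users\alice\Documents\report_{i}.docx"})
    # Benign: Explorer deletes 40 photos, under the threshold (Event Code 26).
    for i in range(40):
        events.append({"EventCode": "26", "Computer": "ws01",
                       "Image": r"C:\Windows\explorer.exe", "ProcessId": "2200",
                       "TargetFilename": rf"C:\Users\alice\Pictures\IMG_{i}.JPG"})
    # Noise: many temp-file deletions with an unwatched extension, plus a non-delete event.
    for i in range(300):
        events.append({"EventCode": "23", "Computer": "ws01",
                       "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": "900",
                       "TargetFilename": rf"C:\Windows\Temp\cache_{i}.tmp"})
    events.append({"EventCode": "11", "Computer": "ws01",
                   "Image": r"C:\Windows\explorer.exe", "ProcessId": "2200",
                   "TargetFilename": r"C:\Users\alice\Documents\new.docx"})
    return events


if __name__ == "__main__":
    for a in find_high_frequency_deleters(build_sample_events()):
        print(f"{a['host']} {a['process']} pid={a['pid']} deleted {a['count']} watched files")
```

Only the process that removed 120 documents fires; the 300 `.tmp` deletions are excluded by the extension filter and the 40-photo cleanup stays under the threshold, which is the false-positive trade-off the summary describes. Lowering `threshold` to 40 makes the photo cleanup fire too, a quick way to see how sensitive the count cutoff is on your own data.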
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1485
Created: 2024-11-13