Ransomware Notes bulk creation

Splunk Security Content

Summary
This detection rule targets the bulk creation of ransomware notes: files with extensions such as .txt, .html, or .hta that ransomware commonly drops to tell victims their files have been encrypted. It uses Sysmon EventCode 11 (FileCreate) to track the creation of these file types within a tight time window (10 seconds) and fires when at least 15 such files are created, a pattern that points to an active ransomware infection. A burst of this frequency and concentration suggests the system is under attack and that data availability and operational continuity are at serious risk. The rule helps organizations detect ransomware activity early and trigger an investigation to limit the damage.
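The detection logic described above, as an added example that is not part of the Splunk Security Content rule: a Python sliding-window count over constructed Sysmon-style EventCode 11 lines, alerting when 15 or more note-like files are created on one host within 10 seconds. The simplified log format, host names and file paths are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Extensions the rule treats as candidate ransom-note files.
NOTE_EXTENSIONS = (".txt", ".html", ".hta")
WINDOW_SECONDS = 10   # span the rule looks across
THRESHOLD = 15        # minimum FileCreate events inside the window to alert

def parse_event(line):
    """Parse one constructed Sysmon-style line: '<date> <time> host=<name> EventCode=<n> TargetFilename=<path>'."""
    m = re.match(r"(\S+ \S+) host=(\S+) EventCode=(\d+) TargetFilename=(.+)$", line)
    if not m:
        return None
    ts, host, code, target = m.groups()
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host, "code": int(code), "target": target}

def is_note_candidate(target):
    """True if the created file carries one of the watched extensions."""
    return target.lower().endswith(NOTE_EXTENSIONS)

def detect_bulk_notes(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Sliding-window count of EventCode 11 note-like file creations per host.
    Returns {host: peak_count} for hosts that reached the threshold; events must be time-ordered."""
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["code"] != 11 or not is_note_candidate(ev["target"]):
            continue
        q = recent[ev["host"]]
        q.append(ev["time"])
        while (ev["time"] - q[0]).total_seconds() > window:   # expire events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["host"]] = max(alerts.get(ev["host"], 0), len(q))
    return alerts

# Constructed sample: WS01 drops 16 notes in four seconds (alert); WS02 creates a few ordinary files (no alert).
SAMPLE_LOG = [
    f"2024-11-13 09:00:0{i // 4} host=WS01 EventCode=11 "
    f"TargetFilename=C:\\Users\\alice\\Documents\\dir{i}\\README_TO_RESTORE.txt"
    for i in range(16)
] + [
    "2024-11-13 09:00:10 host=WS02 EventCode=11 TargetFilename=C:\\Users\\bob\\notes.txt",
    "2024-11-13 09:00:40 host=WS02 EventCode=11 TargetFilename=C:\\Users\\bob\\report.docx",
    "2024-11-13 09:01:05 host=WS02 EventCode=23 TargetFilename=C:\\Users\\bob\\old.txt",
]
```

Running `detect_bulk_notes(SAMPLE_LOG)` returns `{'WS01': 16}`; tuning `window` and `threshold` shows how the rule's two parameters trade sensitivity against false positives from legitimate bulk file operations.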
Categories
  • Endpoint
  • Infrastructure
Data Sources
  • Pod
  • File
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1486
Created: 2024-11-13