
Windows .Key File Creation in Root Directory

Splunk Security Content

Summary
This anomaly-detection rule identifies the creation of a .key file in the root directory of a system drive, a pattern commonly observed in ransomware operations before file encryption begins. It leverages Sysmon EventID 11 (File Create) data ingested through EDR telemetry and mapped to the Endpoint data model (Filesystem node) to detect files matching the wildcard *.key created directly in a root path (e.g., C:\, D:\). The query returns contextual metadata including destination, file path, process path, process GUID, process ID, file name, user, and vendor product, and restricts results to root-directory paths with the regex ^[A-Za-z]:\\[^\\]+\.key$. It computes firstTime/lastTime timestamps for each match and formats them for display.

An RBA alert is raised with a message documenting the key file's path and the destination host, enabling rapid investigation and containment. The rule includes drilldown queries for per-user and per-destination views and a risk-assessment view over the last 7 days, aiding correlation with other risk events. It is tagged for ransomware (MITRE ATT&CK T1486) and assigns a risk score of 20 to the destination (system) as the risk object, with the file_path as the threat object. References include guidance from CISA (AA22-321a).

Known false positives may occur when legitimate system-administration tools create .key files in the root directory; filter against a list of approved applications. Implementation notes emphasize ingesting comprehensive process context (GUID, name, parent) and full command lines from EDR telemetry, mapping to the Endpoint Processes node, and using the Splunk CIM for field normalization so the detection behaves consistently across environments.
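The detection logic described above, written as a stand-alone Python example rather than the rule's own SPL (this code is added here and is not part of the Splunk Security Content project). It applies the page's root-directory regex to constructed, hypothetical Sysmon EventID 11 records whose field names mirror the Endpoint.Filesystem fields listed in the summary, groups matches per destination and file path to derive firstTime/lastTime, applies an approved-application allowlist to suppress the known false-positive case, and emits an alert record carrying the risk score and technique the rule assigns. The event contents, host names and process paths are all made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Regex from the rule summary: drive letter, colon, backslash, then a file
# name with no further path separators, ending in ".key". It is deliberately
# case-sensitive on the extension, as written on the page.
ROOT_KEY_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.key$")

RISK_SCORE = 20          # risk score assigned to the destination (from the rule)
MITRE_TECHNIQUE = "T1486"  # Data Encrypted for Impact

# Constructed sample events (hypothetical; not real telemetry). Field names
# follow the Endpoint.Filesystem mapping named in the summary.
SAMPLE_EVENTS = [
    {"_time": 1712995200, "EventCode": 11, "file_path": r"C:\README.key",
     "process_path": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "process_guid": "{GUID-A}", "process_id": 4120, "user": "alice",
     "dest": "WS01", "vendor_product": "Microsoft Sysmon"},
    # same file written again on the same host: should fold into one alert
    {"_time": 1712995260, "EventCode": 11, "file_path": r"C:\README.key",
     "process_path": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "process_guid": "{GUID-A}", "process_id": 4120, "user": "alice",
     "dest": "WS01", "vendor_product": "Microsoft Sysmon"},
    # .key file under a user profile, not in the drive root: no match
    {"_time": 1712995300, "EventCode": 11,
     "file_path": r"C:\Users\bob\Documents\notes.key",
     "process_path": r"C:\Windows\explorer.exe", "process_guid": "{GUID-B}",
     "process_id": 2210, "user": "bob", "dest": "WS01",
     "vendor_product": "Microsoft Sysmon"},
    # root .key file from an approved backup tool: matches the regex, but is
    # suppressed when the allowlist is supplied (the known false positive)
    {"_time": 1712995320, "EventCode": 11, "file_path": r"D:\backup.key",
     "process_path": r"C:\Program Files\ApprovedBackup\backup.exe",
     "process_guid": "{GUID-C}", "process_id": 880, "user": "SYSTEM",
     "dest": "WS02", "vendor_product": "Microsoft Sysmon"},
    # not a file-create event (EventID 1): ignored regardless of path
    {"_time": 1712995340, "EventCode": 1, "file_path": r"C:\other.key",
     "process_path": r"C:\Windows\System32\cmd.exe", "process_guid": "{GUID-D}",
     "process_id": 3001, "user": "alice", "dest": "WS01",
     "vendor_product": "Microsoft Sysmon"},
]

# Constructed allowlist of process paths permitted to write .key files at root.
APPROVED_PROCESSES = frozenset({r"c:\program files\approvedbackup\backup.exe"})


def _fmt(epoch: int) -> str:
    """Render an epoch timestamp the way the rule formats firstTime/lastTime."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def detect_root_key_files(events, approved_processes=frozenset()):
    """Return one alert dict per (dest, file_path) for root-directory .key creations."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 11:              # Sysmon File Create only
            continue
        path = ev.get("file_path", "")
        if not ROOT_KEY_RE.match(path):             # must sit directly in a drive root
            continue
        if ev.get("process_path", "").lower() in approved_processes:
            continue                                # approved admin/backup tooling
        groups[(ev["dest"], path)].append(ev)

    alerts = []
    for (dest, path), evs in sorted(groups.items()):
        times = [e["_time"] for e in evs]
        alerts.append({
            "dest": dest,
            "file_path": path,
            "users": sorted({e["user"] for e in evs}),
            "process_guids": sorted({e["process_guid"] for e in evs}),
            "count": len(evs),
            "firstTime": _fmt(min(times)),
            "lastTime": _fmt(max(times)),
            "risk_object": dest,
            "risk_score": RISK_SCORE,
            "threat_object": path,
            "mitre_technique": MITRE_TECHNIQUE,
            "message": f"A .key file {path} was created in the root directory of {dest}",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_root_key_files(SAMPLE_EVENTS, APPROVED_PROCESSES):
        print(alert["message"], alert["firstTime"], alert["lastTime"], alert["count"])
```

Run with the allowlist and only the WS01 event pair survives, folded into a single alert with firstTime/lastTime spanning the two writes; run without it and D:\backup.key from the backup tool also alerts, which is exactly the false-positive case the rule's guidance says to filter. Note that the regex is case-sensitive on the extension, so a file named README.KEY would not be caught by this check as written; if your telemetry normalizes paths inconsistently, lower-case file_path before matching.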
Categories
  • Endpoint
  • Windows
Data Sources
  • File
  • Process
ATT&CK Techniques
  • T1486
  • T1022
Created: 2026-04-13