
Summary
This rule detects potential ransomware activity by identifying suspicious file rename operations that follow an incoming SMB connection. The rule scopes all incoming SMB network events targeting Windows operating systems. It uses EQL (Event Query Language) to specify a sequence of two events: 1) an accepted network connection on port 445 from a non-local source to a Windows host, followed by 2) a file rename action performed by a process, where the renamed files exhibit high entropy (indicating possible obfuscation) and do not belong to common file types (images, documents, etc.), which potentially indicates malicious intent. The risk score is set at 73, categorizing it as high severity. Investigation should include examining the source IP, the user account involved, and recent activity linked to the user or host.
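The two-step sequence described above, re-implemented here as an added, stand-alone Python example that is not the rule's own EQL query. The event field names, the entropy threshold (6.0 bits per byte), the one-minute sequence window, and the list of "common" extensions are all assumptions chosen for illustration; the sample events at the bottom are constructed.

```python
"""Toy re-implementation of the detection logic described in the summary:
(1) an accepted inbound SMB connection (port 445) from a non-local source
    to a Windows host, followed within a time window by
(2) a file rename on the same host whose new file is high-entropy and is
    not a common image/document type.
Event shapes, thresholds and the window are assumptions, not the real rule.
"""
import ipaddress
import math
import os
from collections import Counter
from datetime import datetime, timedelta

SMB_PORT = 445
ENTROPY_THRESHOLD = 6.0            # assumed; the page only says "high entropy"
MAXSPAN = timedelta(minutes=1)     # assumed sequence window (EQL maxspan)
COMMON_EXTENSIONS = {               # assumed "common file types" list
    ".jpg", ".jpeg", ".png", ".gif", ".bmp",
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum (uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_local_source(ip: str) -> bool:
    """A 'local' source here means loopback or unspecified (assumption)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def is_accepted_inbound_smb(ev: dict) -> bool:
    return (ev["kind"] == "network"
            and ev["os"] == "windows"
            and ev["direction"] == "incoming"
            and ev["dst_port"] == SMB_PORT
            and ev["outcome"] == "accepted"
            and not is_local_source(ev["src_ip"]))


def is_suspicious_rename(ev: dict) -> bool:
    """High-entropy content whose new name is not a common document/image type."""
    ext = os.path.splitext(ev["new_path"])[1].lower()
    return (ext not in COMMON_EXTENSIONS
            and shannon_entropy(ev["content"]) >= ENTROPY_THRESHOLD)


def detect(events: list) -> list:
    """Emit one alert per rename that follows an accepted SMB connection on the
    same host within MAXSPAN (a 'sequence by host' in EQL terms)."""
    alerts = []
    last_smb = {}                  # host -> most recent qualifying SMB event
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "network" and is_accepted_inbound_smb(ev):
            last_smb[ev["host"]] = ev
        elif ev["kind"] == "file_rename":
            smb = last_smb.get(ev["host"])
            if (smb is not None
                    and smb["ts"] <= ev["ts"] <= smb["ts"] + MAXSPAN
                    and is_suspicious_rename(ev)):
                alerts.append({
                    "host": ev["host"],
                    "source_ip": smb["src_ip"],
                    "process": ev["process"],
                    "new_path": ev["new_path"],
                    "entropy": round(shannon_entropy(ev["content"]), 2),
                })
    return alerts


T0 = datetime(2024, 5, 2, 10, 0, 0)
HIGH = bytes(range(256)) * 16     # constructed: every byte value equally often -> 8.0 bits
LOW = b"A" * 4096                 # constructed: a single repeated byte -> 0.0 bits

# Constructed sample events covering the hit and several non-matching cases.
SAMPLE_EVENTS = [
    {"kind": "network", "ts": T0, "host": "WS01", "os": "windows", "direction": "incoming",
     "dst_port": 445, "outcome": "accepted", "src_ip": "10.0.0.5"},
    # hit: high entropy, uncommon extension, 20 s after the SMB connection
    {"kind": "file_rename", "ts": T0 + timedelta(seconds=20), "host": "WS01",
     "process": "svchost.exe", "new_path": r"C:\share\report.docx.locked", "content": HIGH},
    # miss: common image extension
    {"kind": "file_rename", "ts": T0 + timedelta(seconds=25), "host": "WS01",
     "process": "explorer.exe", "new_path": r"C:\share\photo.jpg", "content": HIGH},
    # miss: low entropy content
    {"kind": "file_rename", "ts": T0 + timedelta(seconds=30), "host": "WS01",
     "process": "backup.exe", "new_path": r"C:\share\notes.bak", "content": LOW},
    # miss: no preceding SMB connection on this host
    {"kind": "file_rename", "ts": T0 + timedelta(seconds=40), "host": "WS02",
     "process": "svchost.exe", "new_path": r"C:\share\data.enc", "content": HIGH},
    # miss: SMB connection from loopback does not qualify
    {"kind": "network", "ts": T0, "host": "WS03", "os": "windows", "direction": "incoming",
     "dst_port": 445, "outcome": "accepted", "src_ip": "127.0.0.1"},
    {"kind": "file_rename", "ts": T0 + timedelta(seconds=10), "host": "WS03",
     "process": "svchost.exe", "new_path": r"C:\share\db.enc", "content": HIGH},
    # miss: outside the sequence window
    {"kind": "file_rename", "ts": T0 + timedelta(minutes=5), "host": "WS01",
     "process": "svchost.exe", "new_path": r"C:\share\late.enc", "content": HIGH},
]


def run_sample() -> list:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the first rename produces an alert; the others fall out on the extension check, the entropy check, the missing or loopback-sourced SMB connection, or the time window. In a real deployment the entropy would come from the endpoint sensor's file metadata rather than from reading file contents in the detection engine.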
Categories
- Endpoint
- Windows
Data Sources
- Network Traffic
- File
ATT&CK Techniques
- T1485
- T1490
- T1021
- T1021.002
Created: 2024-05-02