
Summary
This detection rule targets file modifications associated with known ransomware activity, specifically changes to file extensions commonly used in ransomware attacks. Using the Endpoint.Filesystem data model, it identifies file-extension changes that match these ransomware patterns. The analysis workflow relies on Sysmon EventID 11 data to track filesystem activity. The purpose of the rule is to flag potential ransomware behavior that leads to file encryption, which can substantially impact data accessibility and organizational operations. When multiple files are modified or created with suspicious extensions, the rule raises an alert for possible malicious activity that requires further investigation to prevent data loss or operational disruption.
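As an added example (not the rule's own search logic or any code from the page), the same idea in Python: parse constructed Sysmon Event ID 11 records, match each target file's extension against a placeholder extension list, and alert when one process on one host creates several such files. The extension list, the threshold, and the key=value record format are assumptions.

```python
import re
from collections import defaultdict

# Constructed placeholder list. The rule described above keeps its own curated
# set of extensions associated with ransomware families; this is not that list.
RANSOMWARE_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}

# Constructed Sysmon Event ID 11 (FileCreate) records flattened to key=value
# text, as a SIEM export might look. Paths contain no spaces for simplicity.
SAMPLE_EVENTS = [
    "EventID=11 Computer=ws01 Image=C:\\Temp\\svc.exe TargetFilename=C:\\Docs\\q1.docx.locked",
    "EventID=11 Computer=ws01 Image=C:\\Temp\\svc.exe TargetFilename=C:\\Docs\\q2.xlsx.locked",
    "EventID=11 Computer=ws01 Image=C:\\Temp\\svc.exe TargetFilename=C:\\Docs\\q2.xlsx.locked",
    "EventID=11 Computer=ws01 Image=C:\\Temp\\svc.exe TargetFilename=C:\\Docs\\notes.pdf.locked",
    "EventID=11 Computer=ws01 Image=C:\\Office\\WINWORD.EXE TargetFilename=C:\\Docs\\memo.docx",
    "EventID=11 Computer=ws02 Image=C:\\Temp\\tool.exe TargetFilename=C:\\Docs\\a.txt.encrypted",
    "EventID=1 Computer=ws02 Image=C:\\Temp\\tool.exe TargetFilename=C:\\Docs\\b.txt.encrypted",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value record into a dict of field name -> value."""
    return dict(FIELD_RE.findall(line))

def extension_of(path):
    """Return the last extension of a Windows path, lower-cased ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""

def detect(lines, threshold=3):
    """Keep only EventID 11 records whose target extension is suspicious,
    group the distinct files per (host, process), and alert once a group
    reaches the threshold. Duplicate records for one file count once."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "11":
            continue
        target = ev.get("TargetFilename", "")
        if extension_of(target) in RANSOMWARE_EXTENSIONS:
            hits[(ev.get("Computer"), ev.get("Image"))].add(target)
    return [
        {"host": host, "process": image, "count": len(files), "files": sorted(files)}
        for (host, image), files in hits.items() if len(files) >= threshold
    ]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

With the sample data, only ws01/svc.exe reaches the threshold; the single .encrypted file on ws02 stays below it, and the EventID 1 record is ignored.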
Categories
- Endpoint
Data Sources
- Pod
- Container
- User Account
ATT&CK Techniques
- T1485
Created: 2025-01-07