
Summary
This threat detection rule identifies potential ransomware activity on Linux systems by monitoring file rename events. It looks for a sequence of 100 file extension rename actions performed by a single process within a one-second timeframe. The rationale is typical ransomware behavior: large volumes of files are encrypted rapidly, and each encrypted file is given a new extension. The rule uses Elastic's Event Query Language (EQL) to track these activities within specific directories commonly used for user data and system logs. To function correctly, the rule requires the Elastic Defend integration and the Elastic Agent to collect the relevant data. The rule is tagged as an endpoint detection, indicating its applicability to monitoring suspicious behavior on individual endpoints. Incorporating this detection mechanism helps organizations strengthen their defenses against ransomware and improve their overall security posture.
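The threshold logic the summary describes, as an added Python example (not the Elastic rule or its EQL): a per-process sliding one-second window over rename events whose file extension changed. The event field names, the watched directories and the sample events are constructed for illustration.

```python
"""Sliding-window detector for mass extension renames (constructed example).

Event field names (pid, ts, old_path, new_path) and WATCHED_DIRS are
assumptions, not the fields or scope of the Elastic rule.
"""
from collections import defaultdict, deque
from pathlib import PurePosixPath

# Assumed scope: user data and system log directories (example values).
WATCHED_DIRS = ("/home/", "/root/", "/var/log/")


def extension_changed(old_path: str, new_path: str) -> bool:
    """True when the rename added or replaced the file extension."""
    return PurePosixPath(old_path).suffix != PurePosixPath(new_path).suffix


def detect_mass_rename(events, threshold=100, window_s=1.0):
    """Return one (pid, count) alert per process that performs at least
    `threshold` extension-changing renames inside any `window_s` window."""
    windows = defaultdict(deque)  # pid -> rename timestamps in current window
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["new_path"].startswith(WATCHED_DIRS):
            continue
        if not extension_changed(ev["old_path"], ev["new_path"]):
            continue  # a move or in-place rename, not a new extension
        q = windows[ev["pid"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window_s:  # expire old renames
            q.popleft()
        if len(q) >= threshold and ev["pid"] not in alerted:
            alerted.add(ev["pid"])
            alerts.append((ev["pid"], len(q)))
    return alerts


def sample_events():
    """Constructed events: pid 4242 appends .locked to 120 files in 0.6 s,
    pid 1000 rotates 120 logs at one per second, pid 2000 moves 120 files
    without changing their extension."""
    evs = []
    for i in range(120):
        evs.append({"pid": 4242, "ts": 10.0 + i * 0.005,
                    "old_path": f"/home/alice/docs/f{i}.docx",
                    "new_path": f"/home/alice/docs/f{i}.docx.locked"})
        evs.append({"pid": 1000, "ts": 100.0 + i,
                    "old_path": f"/var/log/app/{i}.log",
                    "new_path": f"/var/log/app/{i}.log.1"})
        evs.append({"pid": 2000, "ts": 300.0 + i * 0.005,
                    "old_path": f"/home/bob/in/{i}.txt",
                    "new_path": f"/home/bob/out/{i}.txt"})
    return evs
```

Only the rapid extension-changing burst fires; the one-per-second log rotation and the extension-preserving moves stay below the threshold, which is the distinction the rule's one-second window is meant to draw.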
Categories
- Endpoint
- Linux
Data Sources
- File
- Process
- Application Log
ATT&CK Techniques
- T1486
Created: 2023-03-20