
Summary
This detection rule identifies suspicious use of the OpenSSL command-line utility, specifically cases where multiple files are encrypted in quick succession on a single host. Such activity is commonly associated with ransomware, where adversaries encrypt data rapidly to disrupt availability and extort the victim. The rule uses EQL (Event Query Language) to analyze sequences of events, evaluating OpenSSL process executions against specific command-line parameters in order to detect patterns indicative of malicious encryption. It requires process telemetry from Elastic Defend, delivered through the Elastic Agent, which must be correctly set up to log the relevant events. By keying on specific OpenSSL command-line arguments and filtering out benign cases, the rule aims to accurately catch attempted data encryption by attackers and so support timely investigation and response.
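The sequence logic the summary describes, written out as an added example in Python rather than EQL; this is illustrative code, not the Elastic rule itself, and the predicate it uses (the `openssl enc` subcommand with both `-in` and `-out` present), the 5-second window, the threshold of three distinct output files, the grouping by parent process, and the `backup-agent` allowlist are all assumptions chosen for the example. The process events are constructed sample telemetry, not captured data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2023, 6, 26, 12, 0, 0)


def _ev(offset_s, host, parent_pid, parent_name, args):
    """Build one constructed process-creation event (fields assumed for this example)."""
    return {"ts": BASE + timedelta(seconds=offset_s), "host": host,
            "parent_pid": parent_pid, "parent_name": parent_name, "args": args}


# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    # Burst: three distinct output files within 3 s from the same shell -> should alert.
    _ev(0, "srv01", 4242, "bash", ["openssl", "enc", "-aes-256-cbc", "-in", "/data/a.db", "-out", "/data/a.db.enc"]),
    _ev(1, "srv01", 4242, "bash", ["openssl", "enc", "-aes-256-cbc", "-in", "/data/b.db", "-out", "/data/b.db.enc"]),
    _ev(2, "srv01", 4242, "bash", ["openssl", "enc", "-aes-256-cbc", "-in", "/data/c.db", "-out", "/data/c.db.enc"]),
    # Digest, not encryption, from the same parent -> ignored by the predicate.
    _ev(3, "srv01", 4242, "bash", ["openssl", "dgst", "-sha256", "/data/a.db"]),
    # An allowlisted backup tool doing the same thing -> filtered as benign.
    _ev(10, "srv02", 900, "backup-agent", ["openssl", "enc", "-in", "/b/1", "-out", "/b/1.enc"]),
    _ev(11, "srv02", 900, "backup-agent", ["openssl", "enc", "-in", "/b/2", "-out", "/b/2.enc"]),
    _ev(12, "srv02", 900, "backup-agent", ["openssl", "enc", "-in", "/b/3", "-out", "/b/3.enc"]),
    # A single encryption on another host -> below threshold.
    _ev(20, "srv03", 77, "bash", ["openssl", "enc", "-in", "/tmp/x", "-out", "/tmp/x.enc"]),
    # Three encryptions spread over a minute -> never three inside one window.
    _ev(100, "srv04", 55, "bash", ["openssl", "enc", "-in", "/h/1", "-out", "/h/1.enc"]),
    _ev(130, "srv04", 55, "bash", ["openssl", "enc", "-in", "/h/2", "-out", "/h/2.enc"]),
    _ev(160, "srv04", 55, "bash", ["openssl", "enc", "-in", "/h/3", "-out", "/h/3.enc"]),
]


def is_openssl_encrypt(args):
    """Heuristic signature (an assumption of this example, not the rule's predicate):
    the `openssl enc` subcommand invoked with both -in and -out."""
    return (len(args) >= 2 and args[0].rsplit("/", 1)[-1] == "openssl"
            and args[1] == "enc" and "-in" in args and "-out" in args)


def output_path(args):
    """Value following -out, or None if the flag has no argument."""
    i = args.index("-out")
    return args[i + 1] if i + 1 < len(args) else None


def detect_burst_encryption(events, window=timedelta(seconds=5), threshold=3,
                            benign_parents=frozenset({"backup-agent"})):
    """Return one alert per (host, parent pid) that launched `threshold` or more
    openssl encryptions of distinct output files inside `window`.
    Window, threshold and the benign-parent allowlist are illustrative values."""
    by_parent = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["parent_name"] in benign_parents or not is_openssl_encrypt(e["args"]):
            continue
        by_parent[(e["host"], e["parent_pid"])].append(e)

    alerts = []
    for (host, ppid), evs in by_parent.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            outputs = {output_path(e["args"]) for e in evs[start:end + 1]}
            outputs.discard(None)
            if len(outputs) >= threshold:
                alerts.append({"host": host, "parent_pid": ppid,
                               "first_seen": evs[start]["ts"], "files": sorted(outputs)})
                break  # one alert per parent process is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_burst_encryption(SAMPLE_EVENTS):
        print(alert)
```

Grouping by parent process is what turns a file-count heuristic into a sequence detection: a ransomware script spawning `openssl` in a loop shares one parent, while unrelated administrators on the same host do not. The allowlist and the threshold are where tuning happens in practice; widening either reduces noise at the cost of missing slower or tool-wrapped encryption.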
Categories
- Endpoint
- Linux
Data Sources
- Process
- Command
- Application Log
ATT&CK Techniques
- T1486
Created: 2023-06-26