
Summary
This detection rule identifies ransomware events using Elastic Endgame as the data source. The rule uses a KQL query to select Elastic Endgame alerts whose action is flagged as a ransomware event. Because the rule carries a critical severity and a high risk score, any match should be investigated promptly. A single run can return a large number of alerts, so the rule's maximum signals per run should be configured accordingly. The rule's guidance covers investigating a potential incident, from reviewing the alert details through to forensics, and reducing false positives, so that a ransomware detection can be triaged and contained quickly.
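As an added illustration of the filtering the rule performs (this is not the rule's own query or Elastic code), the following Python evaluates a ransomware-alert predicate over a few constructed Endgame-style alert documents. The field names used (event.kind, event.module, endgame.metadata.type, event.action, endgame.event_subtype_full) and the sample documents are assumptions about the alert schema made for this example, not values taken from the page; the predicate accepts either nested or dotted-key documents, since both shapes occur in Elasticsearch.

```python
"""Added example: KQL-style filtering of Endgame alerts for ransomware events.

Not the Elastic rule itself; field names are assumptions about the alert schema.
"""
from typing import Any, Dict, Iterable, List

# Constructed sample alerts (not real telemetry). Two should match, three should not.
SAMPLE_ALERTS: List[Dict[str, Any]] = [
    {   # nested document, action marks a ransomware event -> match
        "event": {"kind": "alert", "module": "endgame", "action": "ransomware_event"},
        "endgame": {"metadata": {"type": "detection"}},
        "host": {"name": "ws-01"},
    },
    {   # dotted keys, ransomware flag carried in the subtype field -> match
        "event.kind": "alert", "event.module": "endgame",
        "endgame.metadata.type": "detection",
        "endgame.event_subtype_full": "ransomware_event",
        "host.name": "ws-02",
    },
    {   # Endgame alert but a different detection type -> no match
        "event": {"kind": "alert", "module": "endgame", "action": "exploit_event"},
        "endgame": {"metadata": {"type": "detection"}},
        "host": {"name": "ws-03"},
    },
    {   # ransomware action but only a prevention/event record, not a detection -> no match
        "event": {"kind": "event", "module": "endgame", "action": "ransomware_event"},
        "endgame": {"metadata": {"type": "prevention"}},
        "host": {"name": "ws-04"},
    },
    {   # alert from another module -> no match
        "event": {"kind": "alert", "module": "sysmon", "action": "ransomware_event"},
        "host": {"name": "ws-05"},
    },
]


def get_field(doc: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted field name against a nested or flattened document."""
    if dotted in doc:                      # flattened form: {"event.kind": "alert"}
        return doc[dotted]
    cur: Any = doc                         # nested form: {"event": {"kind": "alert"}}
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_endgame_ransomware_alert(doc: Dict[str, Any]) -> bool:
    """Predicate equivalent to a KQL filter of the form
    event.kind:alert and event.module:endgame and endgame.metadata.type:detection
    and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)
    (assumed field names)."""
    return (
        get_field(doc, "event.kind") == "alert"
        and get_field(doc, "event.module") == "endgame"
        and get_field(doc, "endgame.metadata.type") == "detection"
        and "ransomware_event" in {
            get_field(doc, "event.action"),
            get_field(doc, "endgame.event_subtype_full"),
        }
    )


def matching_hosts(docs: Iterable[Dict[str, Any]]) -> List[str]:
    """Return the host names of documents that satisfy the rule predicate."""
    return [str(get_field(d, "host.name")) for d in docs if is_endgame_ransomware_alert(d)]


if __name__ == "__main__":
    for host in matching_hosts(SAMPLE_ALERTS):
        print(f"ransomware alert on {host}")
```

The fourth sample document is the case worth noting: an event that names a ransomware action but is not an Endgame detection record is excluded, which is why a filter like this needs the event kind and detection type clauses in addition to the action clause.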
Categories
- Endpoint
- Cloud
Data Sources
- Container
- User Account
- Process
- Network Traffic
- File
Created: 2020-02-18