from logs-endpoint.events.file-* metadata _id, _version, _index
// filter for file creation event done remotely over SMB with common user readable file types used to place ransomware notes
| where event.category == "file" and host.os.type == "windows" and event.action == "creation" and process.pid == 4 and user.id != "S-1-5-18" and
file.extension in ("txt", "htm", "html", "hta", "pdf", "jpg", "bmp", "png", "pdf")
// truncate the timestamp to a 60-second window
| eval Esql.time_window_date_trunc = date_trunc(60 seconds, @timestamp)
| keep file.path, file.name, process.entity_id, Esql.time_window_date_trunc
// filter for same file name dropped in at least 3 unique paths by the System virtual process
| stats Esql.file_path_count_distinct = COUNT_DISTINCT(file.path), Esql.file_path_values = VALUES(file.path) by process.entity_id , file.name, Esql.time_window_date_trunc
| where Esql.file_path_count_distinct >= 3
Install detection rules in Elastic Security
Detect Potential Ransomware Behavior - Note Files by System in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).