Possible ransomware activities

Action1: actionname = "Process started" Action2: actionname = "File modified" AND USERNAME = Action1.USERNAME AND HOSTNAME = Action1.HOSTNAME AND PROCESSNAME = Action1.PROCESSNAME | timewindow 15m | groupby HOSTNAME | groupby USERNAME | groupby PROCESSNAME having COUNT >= 15 sequence:Action1 followedby Action2 within 5m select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID,Action2.timewindow.HOSTNAME,Action2.timewindow.MESSAGE,Action2.timewindow.USERNAME,Action2.timewindow.DOMAIN,Action2.timewindow.OBJECTNAME,Action2.timewindow.PROCESSNAME,Action2.timewindow.ACCESSLIST,Action2.timewindow.FILETYPE