Https://academy.hackthebox.com/module/233/section/2566

Modify the action-related part of the Splunk search of this section that detects excessive file overwrites so that it detects ransomware that delete the original files instead of overwriting them. Run this search against the “ransomware_excessive_delete_aleta” index and the “bro:smb_files:json” sourcetype. Enter the value of the “count” field as your answer. index=“ransomware_excessive_delete_aleta” sourcetype=“bro:smb_files:json”
| where action IN (“SMB::FILE_OPEN”, “SMB::FILE_DELETE”)
| bin _time span=5m
| stats count by _time, source, action
| where count>30
| stats sum(count) as count values(action) dc(action) as uniq_actions by _time, source
| where uniq_actions==2 AND count>100