File Activity and Ransomware

Does anyone have a custom rule to detect mass file modification on a file server?

Can’t you accomplish that with a change detection rule based of a saved log query?