does anyone know how we can detect the ransomware related activity using osquery for macos or linux . Like identify any spike in file creation, renaming or deletions by a specific user or process.. ofcourse it requires good amount of baselining .. but would like to start with some basic query structure ?