Tanium
Posted by itiscodeman@reddit | sysadmin | 11 comments
I put that sh** on everything.
Does anyone dream a way to monitor a process associated with crypto?
I know there’s cipher in Windows, but what other processes “do” the encryption? Would it just look like a Java process or something?
I wanna be able to alert on like “oh endpoint A just modified 59% of its data, let’s do something like uninstall the NIC drivers”.
I mean I get crypto attacks are highly sophisticated, but what are some noticed indicators we know of, and how could Tanium be used to alert on those indicators (presence of files with suspicious names/extensions, lots of file renames, specific process involved in the encryption (if not just “powershell.exe”), etc.)?
11 Comments
disposeable1200@reddit
potatolover2343@reddit
modder9@reddit
potatolover2343@reddit
itiscodeman@reddit (OP)
modder9@reddit
itiscodeman@reddit (OP)
modder9@reddit
potatolover2343@reddit
itiscodeman@reddit (OP)
alpha417@reddit