The Analytic->Alerts page allows you to set alerts of "Total Egress", "Queue Injection" and "Ransomware Detection" for Audit enabled shares.
This can be used to understand unexpected egress charges. You can specify 0.2TB or 1.5TB for example.
This can be used to detect unexpected bulk operations, including ransomware. Please note this is different from file counts. Copying a file may create several events. Some applications create many events while accessing a file.
Detect file write/rename operation to specific file name patterns. If a match is detected, then the system will send an alert email. This detection is far from perfect, however, as it is designed to detect known ransomware with certain file extensions.
You can also enable "Shutdown immediately" to shut down the device upon detecting matching file extensions.