Please be aware that AMP "potential ransomware" email notifications do NOT work properly.
We've tested it with the most obvious WannaCry samples. The threat was detected as ransomware and quarantined, but notifications are not sent. We've opened a TAC case and are waiting, but as these take the networking company weeks to solve, update your detection procedures.
When using a subscription to specific event types in the AMP console, that event type must be triggered. Though you may have tested with WannaCry, the detection may have come across our system as flagged via a simple threat detection on one of our detection engines. The events that can be flagged under Potential Ransomware are pieces of possible malware that have not been flagged in our database as definitively bad but express behaviors and indicators that could be linked to newer pieces of malicious software. Thank you for your input, and we shall use it to better the functionality of our filters in the future.