Sentinel One flagging scheduler and installer

Thanks. I've whitelisted it. I'll submit to support. I think the difference with the newer version flagging it is SPN ticket requests are higher.
Triggers are:

Ransomware
  Deletes shadow copy
    MITRE : Impact [T1490]

Evasion
  Non-powershell process loaded powershell module
    MITRE : Execution [T1059.001]
  A new root certificate was added
    MITRE : Defense Evasion [T1553.004]
  Indirect command was executed
    MITRE : Defense Evasion [T1218][T1202]

Privilege Escalation
  Suspicious Kerberoasting attack. Too many SPN tickets requests
    MITRE : Credential Access [T1558.003]

Persistence
  Application registered itself to become persistent via service
    MITRE : Privilege Escalation [T1543.003]
    MITRE : Persistence [T1543.003]