SentinelOne Triggering on Elastic-agent.exe? #12808
Replies: 2 comments
-
I've found that SentinelOne flags it as ransomware because of the files generated by installing Elastic Agent/Endpoint in the main C:\ drive on Windows systems. For my endpoints, Elastic generates the following hidden files: 'aaAntiRansomElastic-DO-NOT-TOUCH-whatever'. Elastic uses these files to detect file encryption typically associated with ransomware actors, as a FIM for ransomware. SentinelOne could be detecting the 'Ransom' in the filename and shutting it down.
-
Just a note: starting in 2.4.20, Security Onion supports the Elastic Integration for ingesting logs from Sentinel One. That might be an alternative method of getting endpoint telemetry for you. Installing multiple endpoint agents can often lead to conflicts like this.
-
In the last few days SentinelOne has started triggering on Elastic-agent.exe as ransomware, so it kills it, which basically kills Security Onion. I'm trying to find out how widespread this is.