We are reviewing a number of SIEM solutions that include log analysis out of the box. From the off we have noticed that a number of alerts are being generated off the back of actions being performed by our monitoring tools.
For example, we use PRTG to monitor SSH and other metrics from the same session. Ultimately this adds entries to the audit table, which get picked up by the SIEM.
The thought is that we simply exclude events that are based on this specific user, and while we know how to do that, I was looking for a sanity check on doing so. The user itself has no sudo rights and is as unprivileged as it can be, but is masking the actions of this user still a good idea?
The net outcome is that we will likely remove 2-3k related events and leave the remaining ones as candidates for review. As we are monitoring the actual login numbers outside of this, we are likely to spot any slight rise in events as a problem for review; this will be a lot easier to do if we remove the noise.
Any other suggestions as to an approach are welcome.
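One way to approach the filtering described above is to suppress only the monitoring account's expected behaviour (known source address, known auth method) rather than the account itself, so that the same account logging in from elsewhere, using a password, or touching sudo still surfaces, and to keep a volumetric ceiling on the suppressed stream so a rise in probe logins is still visible. The following is an added example written for this thread, not code from the poster, PRTG or any SIEM product; the account name `prtg`, the probe address `10.0.0.5`, the hourly baseline and the log lines are all constructed for the demonstration.

```python
"""Triage sshd/sudo syslog lines: suppress only the monitoring account's expected
sessions, keep everything else (including that account behaving unexpectedly)."""
import re
from collections import Counter

# Assumptions for this example (not taken from the original post):
MONITOR_USER = "prtg"            # hypothetical name of the PRTG service account
MONITOR_SOURCES = {"10.0.0.5"}   # hypothetical address(es) the PRTG probe connects from
MONITOR_AUTH = "publickey"       # the only auth method the probe is expected to use
HOURLY_BASELINE = 3              # max expected probe logins per hour (kept small for the demo)

# Classic sshd "Accepted ..." line; the timestamp group is truncated to the hour.
SSH_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)"
)
# Standard sudo syslog line: "sudo:     user : TTY=... ; COMMAND=..."
SUDO_CMD = re.compile(r"sudo:\s+(?P<user>\S+)\s+:.*COMMAND=(?P<cmd>.+)$")

# Constructed sample input for the demonstration.
SAMPLE_LOG = """\
Jan 10 09:00:01 host1 sshd[1201]: Accepted publickey for prtg from 10.0.0.5 port 51000 ssh2
Jan 10 09:01:01 host1 sshd[1209]: Accepted publickey for prtg from 10.0.0.5 port 51002 ssh2
Jan 10 09:02:01 host1 sshd[1214]: Accepted publickey for prtg from 10.0.0.5 port 51004 ssh2
Jan 10 09:02:11 host1 sshd[1215]: Accepted password for prtg from 192.168.7.9 port 40012 ssh2
Jan 10 09:03:01 host1 sshd[1221]: Accepted publickey for prtg from 10.0.0.5 port 51006 ssh2
Jan 10 09:03:40 host1 sshd[1230]: Accepted password for alice from 192.168.7.20 port 40100 ssh2
Jan 10 09:04:02 host1 sudo:     prtg : TTY=pts/1 ; PWD=/home/prtg ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""


def triage(lines):
    """Return {'suppressed': int, 'alerts': [str], 'review': [str]}.

    suppressed: monitoring-account logins matching the expected profile (dropped as noise)
    alerts:     the monitoring account doing anything outside that profile
    review:     every other event, left for the analyst as in the original plan
    """
    result = {"suppressed": 0, "alerts": [], "review": []}
    per_hour = Counter()

    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue

        m = SUDO_CMD.search(line)
        if m:
            # The account has no sudo rights, so any sudo use by it is an alert even
            # though its routine SSH sessions are filtered out.
            if m["user"] == MONITOR_USER:
                result["alerts"].append(f"monitor account used sudo: {m['cmd']}")
            else:
                result["review"].append(line)
            continue

        m = SSH_LOGIN.search(line)
        if not m or m["user"] != MONITOR_USER:
            result["review"].append(line)
            continue

        # Only the full expected combination (account + source + auth method) is noise.
        if m["ip"] in MONITOR_SOURCES and m["method"] == MONITOR_AUTH:
            result["suppressed"] += 1
            per_hour[m["ts"]] += 1
        else:
            result["alerts"].append(
                f"monitor account login from {m['ip']} via {m['method']}"
            )

    # Volumetric check: the suppressed stream keeps a ceiling so a sudden rise in
    # probe logins (or someone hiding behind the account) is still reported.
    for hour, n in sorted(per_hour.items()):
        if n > HOURLY_BASELINE:
            result["alerts"].append(
                f"{n} monitor logins in hour '{hour}' (baseline {HOURLY_BASELINE})"
            )
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

With the constructed sample, four probe logins are suppressed, the password login from an unexpected address and the sudo attempt are raised as alerts, the fourth login in the hour trips the baseline, and the unrelated `alice` login is left for review. In a real SIEM the same three tests (source, auth method, rate) map onto a filter rule plus a threshold rule rather than a script, but the principle is the same: exclude the pattern, not the principal.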