The app is designed around SYSCALL events because they're an integral part of auditd, so refining the audit rules to meet your needs is recommended rather than excluding them. If you really need to exclude them, the simplest approach would be to ingest SYSCALL events into a dedicated index, ensure it isn't in the auditd_indicies.csv lookup and disabled the "Update auditd_indicies lookup" scheduled search so the lookup isn't updated. Be sure to also create a local override of the "auditd_events" event type, explicitly specifying the indices you want to be searched instead of index=* (this is used by the data model).
Hi naqviah, could you be more specific about 'disabling' SYSCALL events? Would you like the app to ignore them completely so they don't display in any of the dashboards and don't populate the data model?