j91321 / ansible-role-auditbeat

Ansible role to install auditbeat for security monitoring. (Ruleset included)

T1166_Seuid_and_Setgid rules triggered by Zabbix agent

j91321 opened this issue · comments

Zabbix agents, when executing custom scripts as extensions, will trigger a lot of T1166_Seuid_and_Setgid rules. Since the Zabbix agent usually has a lot of various checks done by custom scripts, this should be excluded.

Adding

-F uid!=zabbix

to these rules should be enough (a correctly installed agent should have a zabbix user) to stop the rules from spamming.

The same filtering should be applied to wazuh/ossec agents, based on the group name "ossec".

Zabbix also triggered rule T1059.006_5, which led to a lot of spam.
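The following is an added example of what the proposed exclusions look like as an auditbeat `audit_rules` block; it is not the role's own ruleset. The syscall list, the `arch` split and the use of the issue's rule name as the audit key are assumptions about how the role's T1166 rules are written. Both `-F uid!=zabbix` and `-F gid!=ossec` are resolved to numeric IDs when the rules are loaded, so the `zabbix` user and the `ossec` group must exist on the host or the rule fails to load. Multiple `-F` filters on one rule are ANDed, so both exclusions go on the same rule rather than on two copies of it.

```yaml
# Added example (not the role's ruleset): auditbeat configuration carrying
# the T1166 setuid/setgid rules with the Zabbix and ossec exclusions.
auditbeat.modules:
- module: auditd
  # Translate uid/gid numbers back to names in the shipped events.
  resolve_ids: true
  audit_rules: |
    ## T1166 Setuid and Setgid (assumed shape of the role's rules)
    ## -F uid!=zabbix   : drop events from processes whose real uid is zabbix.
    ##                    A setuid binary run by the agent changes euid, not
    ##                    uid, so the agent's extension scripts stay excluded.
    ## -F gid!=ossec    : drop events from processes whose real gid is ossec.
    ## Names are resolved to numbers at load time; the user and group must
    ## exist on every host the rules are pushed to.
    -a always,exit -F arch=b64 -S setuid,setgid,setreuid,setregid -F uid!=zabbix -F gid!=ossec -F key=T1166_Seuid_and_Setgid
    -a always,exit -F arch=b32 -S setuid,setgid,setreuid,setregid -F uid!=zabbix -F gid!=ossec -F key=T1166_Seuid_and_Setgid
```

Before rolling this out, load the rules on one host and confirm they are accepted and that the zabbix and ossec IDs appear as numbers in the loaded rule list (`auditctl -l` when auditd is in use); a rule that references a missing account is rejected for the whole file, which silently leaves the unfiltered rules in place.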