If you're going to the effort of extracting detailed audit information from a system and then having to decide whether each audit event is relevant or not, why not just write seccomp-bpf filters and landlock rulesets to restrict what each process can do in the first place? And/or as a simpler option, implement sandboxing of systemd units with easy-to-use configuration of file system access restrictions, system call filtering, resource control, etc.
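As an added illustration of the "simpler option" mentioned above (this is example configuration written for this page, not anything the commenter posted), here is a systemd drop-in that applies file system restrictions, a system call filter and resource limits to a hypothetical `example-api.service`. The service name, the `/var/lib/example-api` state directory and the `/etc/example-api` config path are assumptions chosen for the example; the directive names themselves are standard systemd `[Service]` settings.

```ini
# /etc/systemd/system/example-api.service.d/sandbox.conf
# Added example: a hardening drop-in for a hypothetical network service.
# The service name and paths are constructed for this illustration.
[Service]
# Run as a transient, unprivileged user; nothing persists as a real account.
DynamicUser=yes
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=

# File system: whole OS read-only, no /home, private /tmp and /dev,
# with the one state directory the service is allowed to write.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ReadWritePaths=/var/lib/example-api
ReadOnlyPaths=/etc/example-api
UMask=0077

# Kernel surface: no tunables, modules, logs, cgroups, clock or hostname changes.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

# System calls: allow the @system-service set, then explicitly deny the
# privileged and resource-tuning groups; denied calls fail with EPERM
# rather than killing the process, so the service degrades visibly.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM

# Network: only IPv4/IPv6 sockets and local Unix sockets.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Resource control via cgroups.
MemoryMax=512M
TasksMax=64
CPUQuota=100%
```

After `systemctl daemon-reload`, `systemd-analyze security example-api.service` scores the unit's exposure and lists which settings are still open, and `systemd-analyze syscall-filter @system-service` prints exactly which system calls the named group allows, which is the check to run before tightening the filter further. Calls a service legitimately needs but the filter blocks show up as `EPERM` errors in its own logs rather than as audit noise.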