Received a response from technical support:
Events of the Audit Detailed File Share and Audit Removable Storage categories were found in the Security log
. These policies audit access to all files and folders with shared access (regardless of the settings of SACL lists, described in more detail here. technet.microsoft .com/en-us/library/dn319118.aspx), so the folder settings you specify do not affect the number of events.
In order to remove these events, you need to turn off advisory policies - either from Security Settings -> Advanced Audit Policy Configuration -> Audit Policy -> Object Access, or completely disable the standard Audit Object Access policy (Security Settings -> Local Policies -> Audit Policy), and configure via Advanced.
Note: You can view the enabled policies through the auditpol /get /category:"Object Access" command.
Netwrix Auditor requires other advanced audit policies. You need to do the following on the servers you want to track changes to:
• Run secpol.msc and go to Security Settings -> Local Policies -> Security Options and set the Audit: Force audit policy subcategory settings (Windows Vista or later) to Enabled.
• Go to Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access and enable the following subcategories: Audit File System and Audit Handle Manipulation.
• Update the group policies through the gpupdate /force command at the command line.
For more information on configuring them through Local Policies or Group Policies, you can refer to our article www.netwrix.com/kb/1266
And it helped.
Thanks for the prompt help!

Hello!
Have you contacted our technical support?
Write to [email protected] or [email protected] (two addresses at once).
Engineers will quickly help you figure it out :)