My question is for a business of around 8000, how many incidents should I be seeing?
I have had this question for many months now. What I have been doing is mainly focusing on reducing false positives, and I'm afraid incidents per day has dropped too low. What I have done to try to reassure myself is run a capture search for the day and compare it to the incidents for that day.
On a normal weekday I see about 200-400 incidents. On a weekend I see 200 total (Saturday - Sunday).
How I tuned our deployment was: I took the canned policies and added or removed words I didn't think were appropriate for our environment and that generated too many incidents, which were treated as actual incidents but were false positives. Now I see about 5-30 false positives a day in a pool of 200-400 incidents.
This is really a per-environment question. The actions you stated above are valid. Creating rules that exclude content based off common triggers isn't a bad practice.
There are other ways to exclude, if you are using, say, a common file, by creating a signature from the file (a common document sent to customers that has trigger words).
A more practical question would be: before you put the exclusions in place, were the valid incidents you were generating in the 200-400 range? I realize you generated more false positives before, but for the actual incidents, were they in this range? If so, I would say you don't have anything to worry about.
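The check the answer describes (did the true-positive volume survive the tuning, or did the exclusions suppress real incidents along with the noise?) can be scripted over triaged incident records. This is an added example, not code from the thread or from any DLP product; the incident counts, the tuning date and the 20% drop threshold are constructed assumptions, and the records only need a date and the analyst's triage verdict.

```python
"""Added example: compare per-day true-positive and false-positive volume
before and after a DLP tuning change, to detect over-tuning."""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample: (day, true-positive count, false-positive count).
# Days before TUNING_DATE are pre-exclusion, days on/after are post-exclusion.
SAMPLE_DAYS = [
    (date(2024, 3, 4), 30, 300),
    (date(2024, 3, 5), 28, 320),
    (date(2024, 3, 6), 29, 20),   # exclusions went live (hypothetical date)
    (date(2024, 3, 7), 31, 15),
]
TUNING_DATE = date(2024, 3, 6)


def expand(day_counts):
    """Turn (day, tp, fp) summaries into one (day, verdict) record per incident,
    the shape a triage export would have."""
    records = []
    for day, tp, fp in day_counts:
        records += [(day, "tp")] * tp + [(day, "fp")] * fp
    return records


INCIDENTS = expand(SAMPLE_DAYS)


def summarise(records):
    """Median true/false positives per day and overall false-positive rate."""
    per_day = defaultdict(lambda: {"tp": 0, "fp": 0})
    for day, verdict in records:
        per_day[day][verdict] += 1
    tp_total = sum(d["tp"] for d in per_day.values())
    fp_total = sum(d["fp"] for d in per_day.values())
    return {
        "tp_per_day": median(d["tp"] for d in per_day.values()) if per_day else 0,
        "fp_per_day": median(d["fp"] for d in per_day.values()) if per_day else 0,
        "fp_rate": fp_total / (tp_total + fp_total) if tp_total + fp_total else 0.0,
    }


def tuning_report(records, tuning_date, max_tp_drop=0.2):
    """Flag over-tuning when median daily true positives fell by more than
    max_tp_drop after the change (threshold is an assumption, not a standard)."""
    before = summarise([r for r in records if r[0] < tuning_date])
    after = summarise([r for r in records if r[0] >= tuning_date])
    drop = 1 - after["tp_per_day"] / before["tp_per_day"] if before["tp_per_day"] else 0.0
    return {"before": before, "after": after, "tp_drop": drop, "over_tuned": drop > max_tp_drop}
```

With the constructed data, false positives per day fall from about 310 to 17.5 while true positives hold at around 30, so the tuning is not flagged; if true positives had also collapsed, "over_tuned" would be True.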