Telegraf agent opening & closing "su" sessions in Linux machines

We are using Telegraf in our production servers (Linux & Windows OS) to collect metrics and send them to InfluxDB.
We are also monitoring our production servers for security breaches or any other suspicious activity.

We encountered a security issue in which the Telegraf user opened & closed an “su” session in a production server.
Is this behavior normal ? Why would the Telegraf user open & close these kind of sessions ?

More information would be grateful & helpful.

There are some input plugins that use sudo, dmcache and iptables come to mind but there might be others.