You may have solved this issue already but here are a few pointers that may help:
This is something that we have looked at as well, and we have had little success in finding where these settings are saved. Like you, we looked into the settings folder and backed up the XML files but, as you say, they don't work.
You say that you have to dig through thousands of alerts?
Surely if you are swamped in alerts then investigating them and finding out which are false positives due to normal network traffic would be the best way forward?
If you have a policy on your devices that encompasses the "All inclusive with audit" rule set then this is a must!
A quicker way to "filter" the events, though, if tuning is not an option, is to right-click on an event that you do not wish to see and select the "hide" option. This will filter the view and present you with the view minus the hidden alert.
Alternatively, try the "group by" option on the top right of the TA and sort them by attack name, source IP, etc.