You may have solved this issue already but here are a few pointers that may help:
This is something that we have looked at as well and have had little success in finding where these settings are saved. Like you, we looked into the settings folder and backed up the XML files but, as you say, they don't work.
You say that you have to dig through thousands of alerts?
Surely if you are swamped in alerts then investigating them and finding out which are false positives due to normal network traffic would be the best way forward?
If you have a policy on your devices that encompasses the "All inclusive with audit" rule set then this is a must!
A quicker way to "filter" the events, though, if tuning is not an option, is to right-click on an event that you do not wish to see and select the "hide" option. This will filter the view and present you with the view minus the hidden alert.
Alternatively, try the "group by" option on the top right of the TA and sort them by attack name, source IP, etc.
Hope this helps...