Solution is here

https://www.alienvault.com/forums/discussion/1211/sonicwall-ossim-how

File to edit is /etc/ossim/agent/plugins/sonicwall.cfg

add “exclude_sid=” (without quotes) to the sonicwall plugin config and add the SID’s that you don’t want to appear in alienvault. It will nuke them at the agent level. Comma seperated please with no spaces between (ex. exclude_sid=8698251,8699283) you can find the SID number in question by opening the event in the SIEM that you don’t want to keep and looking for (you guessed it) “Event Type ID”

hmm but It doesn’t seem to be filtering yet…. will have to keep stabbing