Auto-archive events matching filter

[jasonish]

Related comment: https://github.com/jasonish/evebox/issues/51#issuecomment-308870202

Provide a way to auto-archive (mute) alerts probably matching a filter. Most likely SID, SID/src-ip, or SID/src-ip/dest-ip as thats the aggregation that EveBox uses.

Events matching this filter will never show up in the evebox and be archived immediately.

Easier done if the EveBox agent is used as events go through the server. Will have to be done periodically or on the fly for logstash/elasticsearch setups.

[torokp]

Would be nice to have this feature "to the other direction" as well, to auto escalate an event based on a filter.

[demospace]

Just adding that the autoarchive would be a great feature for SIDs like 2402000 (Dshield, CINS, etc) which are useful in IPS mode but generate a ton of alerts that don't require investigation/follow up.