We have a couple of clients that, due to their network configuration, are receiving a ton of Brute Force alarms, to the point where it has become nearly impossible to manage our alarm queue. While IT has been working on a fix on their end, I've been trying to suppress these alarms with a directive that will only fire on a successful login; however, after hours of making new directives and testing in our lab I just can't seem to get anything to work.
I'm using Hydra to test RDP and SMB brute forces with a long password list that I have included the proper password in at different stages; however, HIDS is 1. not picking up the successful logins and 2. not even firing off brute force passwords until I tune the Timeout and Occurrences low.
My question is, has anyone made directives like this before that can offer any guidance? Thanks!
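The correlation the post is trying to express as a directive ("many failed logins from one source, then a success from that same source inside the window"), written out as an added example in plain Python over constructed log lines. This is not code from the original post or from the SIEM in question; the log format, the per-source-IP grouping and the sample events are assumptions made for the example. The `occurrences` and `timeout_seconds` parameters play the role of the directive's Occurrences and Timeout, so the tuning can be checked against a Hydra run before touching a directive.

```python
"""Correlate 'N failed logins, then a success' from the same source.

Added example: the log lines below are constructed for illustration and do
not reproduce any real HIDS or Windows event format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp, source IP, account, outcome.
# 10.0.0.5: five failures then a success within seconds (should alert).
# 10.0.0.9: six failures, then a success 29 minutes later (outside a
#           120-second window, so it should NOT alert at the default timeout).
# 10.0.0.7: a lone success with no failures (normal login, no alert).
SAMPLE_LOG = """\
2024-01-10T10:00:00 10.0.0.5 admin FAIL
2024-01-10T10:00:01 10.0.0.5 admin FAIL
2024-01-10T10:00:02 10.0.0.5 admin FAIL
2024-01-10T10:00:03 10.0.0.5 admin FAIL
2024-01-10T10:00:04 10.0.0.5 admin FAIL
2024-01-10T10:00:05 10.0.0.5 admin SUCCESS
2024-01-10T10:01:00 10.0.0.9 bob FAIL
2024-01-10T10:01:01 10.0.0.9 bob FAIL
2024-01-10T10:01:02 10.0.0.9 bob FAIL
2024-01-10T10:01:03 10.0.0.9 bob FAIL
2024-01-10T10:01:04 10.0.0.9 bob FAIL
2024-01-10T10:01:05 10.0.0.9 bob FAIL
2024-01-10T10:30:00 10.0.0.9 bob SUCCESS
2024-01-10T11:00:00 10.0.0.7 carol SUCCESS
"""


def parse_line(line):
    """Split one constructed event into (timestamp, src_ip, user, outcome)."""
    ts, src, user, outcome = line.split()
    return datetime.fromisoformat(ts), src, user, outcome


def correlate(log_text, occurrences=5, timeout_seconds=120):
    """Return one alert per success that follows >= `occurrences` failures
    from the same source within `timeout_seconds`.

    Runs of failures with no success never produce an alert; that is the
    suppression the post is after. `occurrences` and `timeout_seconds` are
    the analogues of a directive's Occurrences and Timeout.
    """
    window = timedelta(seconds=timeout_seconds)
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = parse_line(line)
        recent = failures[src]
        # Expire failures older than the window before counting them.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if outcome == "FAIL":
            recent.append(ts)
        elif outcome == "SUCCESS":
            if len(recent) >= occurrences:
                alerts.append({"src": src, "user": user, "time": ts,
                               "failures": len(recent)})
            # A success ends the attempt either way; start counting afresh.
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(f"{alert['time']} brute force succeeded from {alert['src']} "
              f"as {alert['user']} after {alert['failures']} failures")
```

The second source shows why the Timeout matters for the lab test: failures older than the window are discarded, so a success that lands after the window has closed does not fire even though the failures happened. If the correct password sits late in a long Hydra list, the window has to cover the whole run, or the count has to be kept per source until a success or an explicit reset rather than per fixed window. The third source shows the other half of the check: a success with no preceding failures stays silent.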