Hi Roman. Sounds like you' re doing something similar to what I want to be able to do.
Each day, I see numerous (as in 1000' s) of invalid login attempts on my network through our RemotApp web interface. This is just for staff, not for the public at large. I see this in the security log of the target machine. There are usually a dozen or so IP addresses that these come from each day. I have been noting the IP that the requests are coming from and then I add to policy rule which blocks incoming and outgoing traffic to that IP. This works but requires manual review, and only occurs after the attempts have been running for a while (I have an alert set up on the event log for when an account is locked out from too many invalid login attempts). I know this is not a good way to do this but don' t know how to do it any other way.
Do you see a way to accomplish this? I figure if an IP address is attempting to log in and are unsuccessful after XX attempts, I am OK to permanently block that IP. If it turns out to be a valid user then they can advise me and I' ll remove that one, but at least I won' t have to manually go through the logs after the fact, and the attempts will be halted before they' ve had many attempts.