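# RDP dynamic ban: counts RdpCoreTS event 140 records per source value, blocks
# every source seen at least $ban_treshold times with a time-stamped inbound
# firewall rule, and removes RDP_DYN_BAN_* rules older than $ban_duration hours.
# Intended to be run repeatedly (e.g. from a scheduled task) in a session that
# is allowed to read the event log and manage firewall rules.

# --- configuration ---------------------------------------------------------
$log_file     = "c:\install\rdp_dyn_ban.txt"
$ban_treshold = 5     # minimum number of event-140 records per address to ban
$ban_duration = 24    # hours before a ban rule is removed
# Addresses that must never be banned (management hosts, jump boxes, VPN egress).
# Compared as plain strings. Empty by default, which keeps the original behaviour.
$ip_allowlist = @()

$ip2ban       = @()
$ip2ban_str   = @()
$ban_date_str = Get-Date -f ddMMyyyy_HHmmss
$rdp_provider = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS'

# --- collect candidates ------------------------------------------------------
$evt140 = Get-WinEvent -ProviderName $rdp_provider | Where-Object { $_.Id -eq 140 }
# '>>' is kept for every log write so the file encoding stays consistent with
# what earlier runs of the script produced.
"--- Get-WinEvent $ban_date_str" >> $log_file

# The script treats the property value(s) of event 140 as the client address.
# @() guarantees an array, so .Count below is the number of candidates even when
# exactly one address crosses the threshold.
$ip2ban = @(
    $evt140.Properties.Value |
        Group-Object |
        Where-Object { $_.Count -ge $ban_treshold } |
        Select-Object Name, Count
)

foreach ($entry in $ip2ban) {
    $addr   = $entry.Name.ToString()
    $parsed = $null

    # Only hand real IP addresses to the firewall: a single unparsable value
    # would make New-NetFirewallRule reject the whole address list.
    if (-not [System.Net.IPAddress]::TryParse($addr, [ref]$parsed)) {
        "#skip_ip " + $addr + " " + $entry.Count + " (not an IP address)" >> $log_file
        continue
    }

    # The rule below blocks all inbound TCP from the address, not only RDP, so an
    # over-threshold admin or shared-NAT address would be cut off completely.
    if ($ip_allowlist -contains $addr) {
        "#skip_ip " + $addr + " " + $entry.Count + " (allowlisted)" >> $log_file
        continue
    }

    "#block_ip " + $addr + " " + $entry.Count >> $log_file
    $ip2ban_str += $addr
}

# --- ban ---------------------------------------------------------------------
if ($ip2ban_str.Count -gt 0) {
    $rule_created = $false
    try {
        New-NetFirewallRule -DisplayName "RDP_DYN_BAN_$ban_date_str" -Enabled "True" `
            -Profile Any -Direction Inbound -Action Block `
            -RemoteAddress $ip2ban_str -Protocol TCP -ErrorAction Stop
        $rule_created = $true
        "--- New-NetFirewallRule RDP_DYN_BAN_$ban_date_str" >> $log_file
    }
    catch {
        "--- New-NetFirewallRule RDP_DYN_BAN_$ban_date_str FAILED: " + $_.Exception.Message >> $log_file
    }

    # Clear the log (this resets the per-address counters) only after the block
    # rule exists. Clearing first would throw away the evidence and the counters
    # while leaving the offending addresses unblocked if rule creation fails.
    # NOTE: clearing removes every record in this Operational log; after that the
    # only trace of the failed logons is the #block_ip lines written above.
    # Export or forward the log beforehand if it is needed for investigation.
    if ($rule_created) {
        Get-WinEvent -ListLog "$rdp_provider/Operational" | ForEach-Object {
            [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)
        }
    }
}

# --- expire old bans ---------------------------------------------------------
$current_frs = Get-NetFirewallRule -DisplayName RDP_DYN_BAN*
foreach ($rule in $current_frs) {
    # The wildcard can match rules whose name does not carry a timestamp. Skip
    # those instead of reusing the date parsed for the previous rule.
    try {
        # Prefix quoted as a literal; $null provider = current culture, the same
        # culture Get-Date -f used when the rule name was generated.
        $date_frs = [datetime]::ParseExact($rule.DisplayName, "'RDP_DYN_BAN_'ddMMyyyy_HHmmss", $null)
    }
    catch {
        "--- skip rule with unparsable name " + $rule.DisplayName >> $log_file
        continue
    }

    if (((Get-Date) - $date_frs).TotalHours -ge $ban_duration) {
        "--- Remove-NetFirewallRule -Displayname " + $rule.DisplayName >> $log_file
        $rule | Remove-NetFirewallRule -Confirm:$false
    }
}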