Hi,
in Defender > Audit Logging > Event Logs > Event Summary
there are messages like: "User login fail. Username: domain.tld"
Please add additional information when the IP is banned.
So it will look like: "User login fail. Username: domain.tld IP banned."
Audit Logging is great for finding new usernames which attackers use to log in to your website. So you can add them to "Defender > Login Protection > Automatically Banned Usernames".
But when "IP banned" is not mentioned in Event Summary, in thousands of events, it is hard to find new usernames to ban.
Thanks,
Jiri