We know Defender will lockout multiple login failures for some number of seconds. Is there a second tier? .... After more than N such lockouts an IP address will get a permanent ban? If not, I request this enhancement. (Sure, and move this enquiry to Feature Requests only if there is no other suggestion.)
For now, if there is a hook for when an IP is temporarily locked, then we should be able to count events ourselves and then add the IP to the ban list. If that's the best solution then I can do this, but I'm really hoping a staff member will post the small function required to do this.
And if the hook/functions are not available to do that (lockout event and add IP to blacklist/whitelist) then please add this as a request for these features.