I've put together this PowerShell function to basically pull events from the NPS log (specifically denied authentication attempts) from the last point the script was run (the $date variable), sort out the IP and the date the log entry was written on, add it to an array ($array), and export it to a CSV log.

Then I use the same array ($array) to sort logs from the last hour, see if 10 or more exist, and move any that meet that criteria to a new array ($getip). (Sort of like a fail2ban setup, but for Windows.)

Everything works except at the end of the function, where there is the line I am using to sort and count the records. It counts fine, but it will not actually drop the records that are after 1 hour.

Can anyone see anything I am missing? I appreciate any help.

function Get-DeniedIP {
    $denied    = 'C:\bin\denied.csv'               # CSV log of IPs that have been linked to denied auth attempts
    $whitelist = Import-Csv 'C:\bin\whitelist.csv' # Location of whitelist CSV
    $datepath  = 'C:\bin\cache'                    # If it does not exist that is fine
    $bannedip  = 'C:\bin\banned.csv'               # CSV log of IPs that have reached the max failed auth and are banned

    if (-not (Test-Path -LiteralPath $datepath)) {
        # First run: no cache yet, so only look at events from now on
        $date = Get-Date
    }
    else {
        # Resume from the time recorded by the previous run
        $date = Get-Date -Date ((Get-Content -LiteralPath $datepath -Raw).Trim())
    }
    # Record this run's start time so the next run only picks up newer events
    # (the original only wrote the cache on the first run, so $date never advanced)
    (Get-Date).ToString('o') | Out-File -LiteralPath $datepath

    $log = Get-EventLog -LogName Security -Message "*Network Policy Server denied*" -After $date
    $array = @()
    foreach ($message in $log) {
        # Pull the Calling Station Identifier line, then the bare IPv4 address out of it
        $address = ($message.Message | Select-String -Pattern "Calling Station Identifier:\s*\d{1,3}(\.\d{1,3}){3}" -AllMatches).Matches.Value
        $address = ($address | Select-String -Pattern "\d{1,3}(\.\d{1,3}){3}" -AllMatches).Matches.Value
        $object = New-Object -TypeName PSObject
        $object | Add-Member -Name 'IP'   -MemberType NoteProperty -Value $address
        $object | Add-Member -Name 'Date' -MemberType NoteProperty -Value $message.TimeWritten
        $array += $object
    }

    $final = $array | Where-Object { $whitelist.IP -notcontains $_.IP }
    if ($final -ne $null) { $final | Export-Csv $denied -Append }

    # Filter the individual entries down to the last hour FIRST, then group and count.
    # Putting "$array.Date -ge $DT" inside the Group-Object filter compares the whole
    # column of dates (always truthy when any entry is recent), not the group's, so
    # nothing was ever dropped. Threshold is -ge 10 to match "10 or more".
    # Note: this bans from $array, so whitelisted IPs are not excluded here; use
    # $final instead of $array if they should be.
    $DT = [DateTime]::Now.AddHours(-1)
    $getip = $array |
        Where-Object { $_.Date -ge $DT } |
        Group-Object -Property IP |
        Where-Object { $_.Count -ge 10 } |
        Select-Object -Property Name
    if ($getip -ne $null) { $getip | Export-Csv $bannedip -Append }
}
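As an added example (not part of the original post, and not the poster's code), here is the window-and-threshold logic run over constructed sample events, with no dependency on Get-EventLog, so the effect of filtering the rows before grouping can be checked offline. The function name Get-BanCandidates, its parameters, and the sample messages are all assumptions made for this example; the messages mimic the "Calling Station Identifier:" line of an NPS denial event.

```powershell
# Added example, not from the original post. Parses NPS-style denial messages,
# keeps only entries inside the time window, and returns the IPs seen at or
# above the threshold. The sample messages below are constructed test data.
function Get-BanCandidates {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Message and TimeWritten
        [int] $Threshold = 10,
        [int] $WindowHours = 1,
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddHours(-$WindowHours)

    # One row per event that actually carries an IPv4 calling station; entries
    # where the identifier is a MAC address or missing are skipped.
    $rows = foreach ($e in $Events) {
        $m = [regex]::Match($e.Message, 'Calling Station Identifier:\s*(\d{1,3}(?:\.\d{1,3}){3})')
        if ($m.Success) {
            [pscustomobject]@{ IP = $m.Groups[1].Value; Date = $e.TimeWritten }
        }
    }

    # Filter rows to the window first, then group. A comparison such as
    # "$rows.Date -ge $cutoff" inside the Group-Object filter tests the whole
    # column of dates, not the current group, so nothing is dropped.
    $rows |
        Where-Object { $_.Date -ge $cutoff } |
        Group-Object -Property IP |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object { $_.Name }
}

# Constructed sample (documentation addresses, not real clients):
#  - 12 failures from 203.0.113.5 within the last hour
#  - 12 failures from 198.51.100.7, all about three hours old
#  -  3 failures from 192.0.2.9 within the last hour
$now = Get-Date
$sample = @()
foreach ($i in 1..12) {
    $sample += [pscustomobject]@{
        Message     = "Network Policy Server denied access to a user.`r`nCalling Station Identifier:`t203.0.113.5"
        TimeWritten = $now.AddMinutes(-$i)
    }
    $sample += [pscustomobject]@{
        Message     = "Network Policy Server denied access to a user.`r`nCalling Station Identifier:`t198.51.100.7"
        TimeWritten = $now.AddHours(-3).AddMinutes(-$i)
    }
}
foreach ($i in 1..3) {
    $sample += [pscustomobject]@{
        Message     = "Network Policy Server denied access to a user.`r`nCalling Station Identifier:`t192.0.2.9"
        TimeWritten = $now.AddMinutes(-$i)
    }
}

Get-BanCandidates -Events $sample -Threshold 10 -WindowHours 1 -Now $now
```

With this sample only 203.0.113.5 is returned: 198.51.100.7 has enough failures but all of them fall outside the one-hour window, and 192.0.2.9 is inside the window but below the threshold. Passing $Now explicitly keeps the window reproducible when the function is exercised against stored events rather than the live Security log.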


$DT = [DateTime]::Now.AddHours(-1) contains the full date and time, I would suggest removing everything except the time, as that may prevent the script from matching logs based on the time.

