Brute Force / Password Spray on RDS web login

None_of_the_Above

My RDS server is being hit by bad actors trying password spray attacks. Instead of "Wack a Mole" I'm talking over 100 IPs locking out accts. How can I stop this? I've already started creating dynamic botnet but manually adding these in, as well as geo-ip the region.

What I wanted to do is if you hit this site "/RDWeb/Pages/en-US/login.aspx" using a Match object.

Create a rule that if someone hits it 5 times or connects 5 times, Action drop them for 10min.

What are my options?