SOP-02: Brute Force & Credential Stuffing Response

Analyst playbook for brute force and credential stuffing alerts. Covers password spray vs. brute force classification in KQL, success-after-failure compromise detection, IP blocking through Entra ID Named Locations, and Identity Protection risky user actions.

2026-06-15T03:10:09.569Z
Rudra Verma, Senior Security Architect & Researcher