BitLyft Air: Duo Security

Overview

The BitLyft AIR Duo Security integration provides identity threat detection, investigation, and automated response capabilities for organizations using Duo Security for multi-factor authentication (MFA). By ingesting Duo authentication and administrative activity logs, BitLyft AIR enables security teams to detect MFA abuse, monitor administrative actions, and respond quickly to identity-related threats.

This integration helps organizations identify compromised identities, detect MFA fatigue attacks, monitor administrative privilege changes, and track policy modifications that could weaken MFA protections.


Core Capabilities

Identity Threat Detection

The Duo integration includes detection policies designed to identify suspicious authentication behavior, compromised user accounts, and risky administrative or configuration changes within the Duo environment.

These detections help security teams identify identity-based threats that target MFA infrastructure and authentication workflows.


MFA Abuse and Authentication Attacks

Multi-factor authentication is frequently targeted by attackers attempting to bypass identity protections. The Duo integration monitors authentication activity to detect patterns associated with MFA abuse and credential compromise.

Example detections include:

  • Activity by disabled Duo users

  • Abnormal numbers of failed authentication attempts

  • Push flood or MFA fatigue attacks

These detections help identify attempts to overwhelm users with push notifications, brute-force authentication attempts, or suspicious login activity associated with compromised accounts.
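As an added illustration of the three detection patterns above (example code, not BitLyft's or Duo's own detection logic), the following Python runs them over constructed records shaped like Duo Admin API v2 authentication log entries; the field names, reason codes and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample records shaped like Duo Admin API v2 authentication log
# entries (assumption: only the fields this example reads are included).
SAMPLE_AUTH_LOGS = [
    {"timestamp": 1700000000 + 15 * i, "user": "alice", "factor": "duo_push",
     "result": "denied", "reason": "no_response"} for i in range(6)
] + [
    {"timestamp": 1700000500, "user": "bob", "factor": "duo_push",
     "result": "success", "reason": "user_approved"},
    {"timestamp": 1700000600, "user": "carol", "factor": "sms_passcode",
     "result": "denied", "reason": "invalid_passcode"},
]
DISABLED_USERS = {"carol"}  # constructed: users already set to disabled in Duo


def push_flood(events, window=120, threshold=5):
    """Users who received `threshold` or more Duo Push prompts inside any
    `window`-second span (the push flood / MFA fatigue pattern)."""
    pushes = defaultdict(list)
    for e in events:
        if e["factor"] == "duo_push":
            pushes[e["user"]].append(e["timestamp"])
    flagged = set()
    for user, times in pushes.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def failed_auth_spike(events, threshold=5):
    """Users with an abnormal number of denied or fraud-marked attempts."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] in ("denied", "fraud"):
            fails[e["user"]] += 1
    return {u for u, n in fails.items() if n >= threshold}


def disabled_user_activity(events, disabled_users):
    """Any authentication attempt recorded for a user whose Duo status is disabled."""
    return {e["user"] for e in events if e["user"] in disabled_users}
```

In practice the disabled-user set would come from the user records Duo returns rather than a hard-coded list, and thresholds should be tuned per tenant to keep the failed-attempt check from firing on ordinary typos.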


Privilege Escalation and Administrative Activity Monitoring

Administrative accounts represent high-value targets in identity systems. The Duo integration monitors administrative role assignments and behavior to identify potential privilege escalation or misuse.

Example detections include:

  • Potential administrative impersonation activity

  • Administrative role granted to a user

  • Administrative role removed from a user

These policies help detect unauthorized privilege changes, compromised administrator accounts, or attempts to manipulate administrative access.


Identity and MFA Configuration Monitoring

Changes to authentication policies and system configurations can weaken MFA protections or introduce security gaps. The Duo integration monitors configuration changes that affect MFA enforcement and access control.

Example detections include:

  • Abnormal number of users disabled or deleted

  • MFA policy modifications

  • Trusted endpoint policy modifications

  • Application policy modifications

These detections help security teams identify changes that could impact authentication security or introduce identity-related risk.


Automated Response Capabilities

Compromised Identity Response

The Duo integration supports automated incident response workflows designed to contain identity threats and reduce investigation time when suspicious activity is detected.

By integrating detection policies with response workflows, BitLyft AIR enables security teams to quickly investigate suspicious authentication activity and take corrective action when necessary.

Key Benefits

  • Accelerates response to suspected identity compromise

  • Provides structured workflows for investigating MFA-related incidents

  • Reduces manual triage and investigation effort

  • Helps security teams contain compromised identities more quickly

These response capabilities allow organizations to address identity incidents before attackers can escalate access or move laterally.


Automation and Remediation

SOC-Ready Automations

The Duo integration includes SOC-ready automations that connect Duo detections directly to remediation actions within BitLyft AIR®.

These automations allow security teams to respond to identity threats quickly while maintaining consistent and repeatable incident response procedures.

Automation Benefits

  • Faster response to MFA-related threats

  • Reduced manual investigation and remediation effort

  • Standardized response workflows across incidents

  • Improved operational efficiency for security teams

SOC-ready automations help operationalize identity security by linking detection policies directly to response actions.


Duo Remediation Actions

The integration includes a comprehensive set of Duo remediation and investigation actions that support automated response, identity lifecycle management, and security investigations.

These actions enable security teams to interact with Duo programmatically through BitLyft AIR, reducing the need for manual actions in the Duo administration console.

Key Capabilities

User Lifecycle Management

  • Create users

  • Enroll users

  • Enable or disable users

  • Delete users

Device and MFA Hygiene

  • Retrieve user devices and phones

  • Remove devices from users

  • Delete compromised devices

Authentication and Administrative Visibility

  • Retrieve authentication logs

  • Retrieve administrative activity logs

Access Validation and Auditing

  • Retrieve group memberships

  • Review hardware tokens

  • Validate WebAuthn credentials

These capabilities support security operations workflows such as incident response, account recovery, onboarding and offboarding, and identity security audits.


Security Value

The BitLyft AIR Duo integration helps organizations protect their authentication infrastructure by detecting and responding to common MFA attack scenarios, including:

  • MFA fatigue and push bombing attacks

  • Credential compromise and authentication abuse

  • Administrative privilege misuse

  • Identity lifecycle manipulation

  • Authentication policy misconfigurations

By combining MFA-focused detections, automated investigation workflows, and remediation automation, BitLyft AIR® enables organizations to strengthen their Duo security posture and respond more effectively to identity-driven threats.


Duo Remediation Actions

User Lifecycle Management

Action: Create a User
Description: Creates a new user account in Duo Security, preparing the account for MFA enrollment and policy enforcement.
Use Case: Supports automated provisioning during employee onboarding, contractor onboarding, or identity synchronization workflows from HR or identity management systems.

Action: Enroll a User
Description: Automates the enrollment of an existing user into Duo Security by initiating MFA setup and device association.
Use Case: Used during new employee onboarding, MFA rollout initiatives, or when re-enrolling users who require updated authentication methods. Ensures consistent and timely MFA enforcement without manual intervention.

Action: Get Users
Description: Retrieves detailed user records from Duo Security, including status, enrollment information, and associated devices.
Use Case: Useful during security investigations, audits, or compliance reviews to confirm a user's MFA enrollment status, account state, or device associations.

Action: Delete Users
Description: Permanently removes a user account from Duo Security, including all associated MFA devices and settings.
Use Case: Commonly used during employee offboarding or identity deprovisioning playbooks to eliminate lingering MFA access and reduce the risk of unauthorized authentication.

Action: Disable User
Description: Sets a user's status to disabled in Duo Security, preventing all MFA authentication attempts without deleting the account.
Use Case: Ideal for temporarily suspending user access during security investigations, suspected account compromise, or employee leave scenarios.

Action: Enable User
Description: Re-enables a previously disabled user account, restoring the ability to authenticate using MFA.
Use Case: Used after security investigations are resolved or when restoring access following a temporary administrative suspension.

Authentication & Security Investigation

Action: Get Authentication Logs
Description: Retrieves authentication event logs, including successful and failed MFA attempts, device usage, and source information.
Use Case: Critical for investigating suspected account compromise, MFA abuse, brute-force attempts, or anomalous login behavior.

Action: Get Admin Logs
Description: Retrieves administrative activity logs from Duo Security, including configuration changes and admin actions.
Use Case: Essential for security audits, compliance reviews, and insider threat investigations by providing visibility into privileged administrative actions.

Action: Get Groups
Description: Retrieves group definitions and membership information from Duo Security.
Use Case: Used to validate access control assignments, confirm policy targeting, and investigate whether users are assigned to the correct MFA enforcement groups.

Device & MFA Credential Management

Action: Duo Get Phones
Description: Retrieves phone and device details associated with Duo users, including phone numbers, platforms, and activation status.
Use Case: Helps validate whether users are enrolled with approved corporate devices, identify reused phone numbers, and detect out-of-policy device usage.

Action: Retrieve User Phones
Description: Retrieves all registered phone devices associated with a specific user in Duo Security.
Use Case: Supports device hygiene checks, investigations into suspicious device enrollments, and validation that users are using only approved MFA devices.

Action: Delete Device
Description: Permanently removes a specific MFA device from a user's Duo Security account.
Use Case: Used when a device is lost, stolen, replaced, or compromised, ensuring it can no longer be used for authentication.

Action: Remove Device from User
Description: Removes an MFA device from a user's account without permanently deleting the device from Duo.
Use Case: Useful during investigations to immediately prevent authentication from a suspicious device while preserving device records for forensic review.

Advanced MFA Credential Visibility

Action: Retrieve User Hardware Tokens
Description: Retrieves all one-time password (OTP) hardware tokens associated with a specific user in Duo Security.
Use Case: Used during security investigations and access audits to identify physical authentication tokens assigned to a user. Helps verify token ownership, detect unauthorized token assignments, and ensure proper MFA device hygiene.

Action: Retrieve User WebAuthn Credentials
Description: Retrieves all WebAuthn authentication credentials associated with a specific user in Duo Security.
Use Case: Useful for validating modern phishing-resistant authentication methods such as security keys or platform authenticators. Supports incident investigations by confirming which WebAuthn credentials are registered and identifying potentially unauthorized credential enrollments.