Overview

The BitLyft AIR Microsoft integration provides comprehensive visibility, detection, and automated response capabilities across the Microsoft security ecosystem. By ingesting telemetry from Microsoft 365, Microsoft Defender, Azure Active Directory, Azure Audit Logs, and Microsoft Security & Compliance Center. BitLyft AIR enables organizations to detect identity threats, endpoint compromise, phishing activity, data exfiltration, and configuration risks.

This integration allows security teams to investigate and respond to threats across identity, email, cloud applications, endpoint security, and Azure infrastructure within a single automated response platform.

The Microsoft integration combines security detections, SOC-ready automations, and response playbooks to help organizations reduce **Mean Time To Detect (MTTD) **and Mean Time To Respond (MTTR) across Microsoft environments.

Core Capabilities

Identity and Authentication Threat Detection

BitLyft AIR monitors Microsoft authentication activity and identity protection signals to detect suspicious sign-in behavior, compromised accounts, and risky user activity.

Example detections include:

High number of failed authentication attempts
Login attempts to disabled accounts
Multifactor authentication interruptions
Authentication interruptions during login processes
Risky user detections (low, medium, and high risk levels)
Activity originating from infrequent countries
Logins from risky IP addresses
Impossible travel login activity

These detections help security teams identify credential compromise, brute-force attacks, and anomalous login activity that may indicate identity takeover attempts.

Endpoint Threat Detection

The integration leverages Microsoft Defender for Endpoint telemetry to detect malware activity, persistence mechanisms, and credential harvesting techniques on managed endpoints.

Example detections include:

Autostart Extension Point (ASEP) registry changes
Malware persistence observed on a host
Malware spread across multiple hosts
Suspicious access to the LSASS credential store
Process memory dumping activity
Suspicious service registry modifications
Kerberos SPN enumeration activity

These detections help identify advanced attacker techniques including credential dumping, persistence mechanisms, and lateral movement across systems.

Email Security and Phishing Detection

BitLyft AIR® monitors Microsoft Exchange and Message Trace activity to identify phishing campaigns, malicious email behavior, and mailbox manipulation.

Example detections include:

Rare or suspicious file extensions attached to email messages
Mailbox rule creation, modification, or deletion
Suspicious inbox forwarding rules
High volumes of email deletion from a mailbox
Mailsploit email spoofing techniques

These detections help security teams identify phishing campaigns, email compromise, and attacker attempts to manipulate inbox rules for persistence or data exfiltration.

Cloud Application and Data Security Monitoring

The integration includes monitoring for abnormal activity within OneDrive, SharePoint, and cloud application usage.

Example detections include:

High number of files downloaded from OneDrive
High number of files downloaded from SharePoint
Large file downloads from a single account
Creation of new OneDrive or SharePoint sites
Suspicious OAuth application file download activity
Data exfiltration to unsanctioned applications

These detections help identify potential data exfiltration, insider threats, and suspicious file access behavior.

Azure Identity and Infrastructure Monitoring

BitLyft AIR® monitors Azure administrative activity, identity configuration changes, and application permission changes that may indicate privilege escalation or configuration risk.

Example detections include:

Credentials added to existing applications
New application owners assigned
Application URI or AppID configuration changes
Domain federation settings modified
Azure subscription permission elevation
Changes to authentication methods

Monitoring these activities helps identify unauthorized configuration changes and privilege escalation within Azure environments.

Automated Response Capabilities

The Microsoft integration enables automated remediation actions directly against Microsoft 365 and Azure resources. These actions allow security teams to quickly contain identity threats, investigate incidents, and restore secure configurations.

Key Benefits

Rapid containment of compromised user accounts
Automated remediation of phishing attacks and mailbox manipulation
Faster investigation of suspicious user activity
Improved enforcement of security policies across the tenant

By combining detection policies with automated remediation actions, organizations can quickly move from detection to containment and investigation.

Automation and Remediation

SOC-Ready Automations

The Microsoft integration includes SOC-ready automations that connect Microsoft detections directly to remediation actions within BitLyft AIR®.

These automations enable security teams to rapidly respond to identity threats, phishing campaigns, and configuration risks while maintaining consistent incident response workflows.

Automation Benefits

Faster response to compromised accounts and phishing attacks
Reduced manual investigation and remediation effort
Standardized incident response procedures
Improved operational efficiency for security teams

SOC-ready automations help operationalize security response workflows across Microsoft environments.

Microsoft Response Actions

The integration includes a large set of response and investigation actions that allow security teams to interact with Microsoft 365 and Azure resources directly through BitLyft AIR®.

These actions support both security operations and IT administration workflows.

Identity and Account Security

These actions help security teams respond to compromised accounts and enforce identity security policies.

Examples include:

Log out users and revoke active sessions
Reset user passwords
Enable or disable user accounts
Assign users to conditional access policies
Ensure MFA enforcement policies exist

These capabilities help contain compromised identities and enforce stronger authentication controls.

Email Security and Investigation

Security teams can investigate and contain phishing threats using automated email response actions.

Examples include:

Search user mailboxes for suspicious content
Quarantine emails by sender or subject
Retrieve mailbox rules
Delete malicious mailbox rules

These actions allow analysts to quickly contain phishing campaigns and remove attacker persistence mechanisms.

Investigation and Audit Visibility

The integration provides access to detailed audit and activity logs that help analysts investigate incidents and understand user behavior.

Examples include:

Retrieve user activity logs
Retrieve user sign-in logs
Retrieve conditional access policy configurations
Retrieve Microsoft audit subscription status

These capabilities support forensic analysis and incident investigations.

Tenant Administration and Governance

BitLyft AIR® also includes administrative actions that help organizations manage Microsoft tenants and maintain operational security controls.

Examples include:

Create or manage users
Assign or remove licenses
Add users to groups
Retrieve user capabilities and permissions
List domains, groups, and SharePoint sites

These capabilities support operational workflows while enabling security teams to maintain visibility across tenant resources.

Automated Security Playbooks

The Microsoft integration includes predefined playbooks designed to automate common security response scenarios.

Compromised User Account Response

The M365 Compromised User Account playbook automates containment and investigation steps when a user account is suspected to be compromised.

Key actions include:

Revoking active user sessions
Resetting the user’s password
Retrieving user activity logs
Gathering user permissions and capabilities

This playbook helps contain unauthorized access while providing analysts with information needed for investigation.

Conditional Access and Compliance Enforcement

The M365 Conditional Access and Compliance playbook helps ensure that strong authentication controls are enforced across the tenant.

Key actions include:

Creating or validating conditional access policies requiring MFA
Adding users to enforced conditional access policies

This playbook helps organizations strengthen identity security posture and ensure MFA protections remain enforced.

Phishing Email Containment and Remediation

The M365 Phishing Email Containment playbook automates investigation and containment of phishing attacks.

Key actions include:

Quarantining malicious emails
Reviewing mailbox forwarding rules
Removing malicious inbox rules
Logging out affected users
Resetting compromised user passwords

This playbook helps security teams rapidly contain phishing campaigns and restore compromised accounts to a secure state.

Security Value

The BitLyft AIR® Microsoft integration provides broad coverage across the Microsoft ecosystem by addressing several major security risk areas:

Identity compromise and authentication attacks
Endpoint malware and credential theft
Phishing and email compromise
Data exfiltration and insider threats
Azure privilege escalation and configuration risk

By combining multi-source telemetry, automated detections, investigation workflows, and remediation actions, BitLyft AIR® enables organizations to detect and respond to threats across their Microsoft environment with greater speed and consistency.

Microsoft Remediation Actions

Account Security & Compromise Response

Action	Description	Use Case
Logs Out User	Revokes all active sign-in sessions for a user.	Used when a user’s credentials are suspected to be compromised to immediately terminate active sessions and prevent attackers from maintaining access.
Reset User Password	Changes the user’s password to a specified or randomly generated value and forces a reset at next login.	Essential when responding to account compromise or enforcing immediate password hygiene following a breach.
Disable User Account	Disables a user account within the tenant, preventing authentication and access to services.	Used to immediately suspend access for users under investigation, during offboarding, or when responding to suspected account compromise.
Enable User Account	Re-enables a previously disabled user account.	Used after verifying account security or restoring access for returning employees.

Identity & User Management

Action	Description	Use Case
Create User	Creates a new user within the Microsoft tenant.	Used during employee onboarding, automated provisioning workflows, or restoring accounts that were previously removed.
List Users	Retrieves a list of all users within the tenant.	Helps identify unauthorized accounts, recently created identities, or validate user inventories during audits.
Total User Count	Retrieves the total number of users in the tenant.	Useful for compliance checks, auditing, or identifying abnormal spikes in user creation.
Get User Capabilities	Retrieves the service capabilities and permissions assigned to a specific user.	Helps verify what services or privileges a user has access to during security reviews or troubleshooting access issues.

License & Resource Management

Action	Description	Use Case
Add License to User	Assigns a Microsoft 365 license to a user account.	Ensures users have access to required services during onboarding or role changes.
Remove License from User	Removes a Microsoft 365 license from a user account.	Reclaims licenses when users leave the organization or no longer require access to certain services.
List User Licenses	Retrieves all licenses currently assigned to a user.	Useful for license audits and ensuring users have appropriate service entitlements.

Email Security & Phishing Response

Action	Description	Use Case
List User Mail Rules	Retrieves all mailbox rules configured for a user.	Helps identify malicious forwarding or deletion rules often created during phishing or account compromise incidents.
Delete Mail Rules	Deletes specific mailbox rules for a user.	Removes suspicious or malicious email forwarding rules without impacting legitimate rules.
Delete All Mail Rules	Deletes all mailbox rules configured for a user.	Used when widespread malicious rules are detected and a full reset of mailbox rules is required.
Search Mailbox	Searches a user’s mailbox for specific content, returning up to 50 results.	Useful for identifying phishing emails, sensitive data exposure, or malicious messages during investigations.
Quarantine Email - Subject Line	Moves all emails matching a specified subject to the deleted items folder.	Mitigates the spread of phishing campaigns with consistent subject lines.
Quarantine Email - Sender Address	Moves all emails from a specific sender to the deleted items folder.	Neutralizes malicious emails from known malicious senders or threat actors.

Security Investigation & Audit Visibility

Action	Description	Use Case
Azure Retrieve User Activity Logs	Retrieves detailed activity logs for a specific user within Azure.	Provides forensic insight into user actions during security investigations.
Azure Retrieve User Sign-in Activity Logs	Retrieves detailed sign-in activity logs for a specific user.	Helps identify suspicious authentication events or anomalous login activity.
List Microsoft 365 Audit Subscriptions	Lists configured Microsoft 365 audit logging subscriptions.	Helps verify that audit logging is enabled and identify missing or misconfigured subscriptions.
Enable Microsoft 365 Audit Subscriptions	Enables audit logging for General, Exchange, SharePoint, and Azure AD APIs.	Ensures comprehensive logging coverage required for compliance, monitoring, and incident investigations.

Access Control & Policy Enforcement

Action	Description	Use Case
Assign User to Conditional Access Policy	Adds a user to an existing Conditional Access policy.	Enforces additional security requirements such as MFA or location restrictions for high-risk users.
List Conditional Access Policies	Retrieves a list of Conditional Access policies configured in the tenant.	Used to audit tenant security controls and validate enforcement policies.
Get Conditional Access Policy Details	Retrieves detailed configuration information for a specific Conditional Access policy.	Helps security teams review policy logic, scope, and enforcement conditions.
Ensure BitLyft MFA Conditional Access Policy	Ensures an MFA enforcement policy exists and creates it if missing.	Helps guarantee consistent MFA enforcement across the tenant to strengthen identity security.

Group & Access Management

Action	Description	Use Case
Add User to Group	Adds a user to a specified Azure or Microsoft 365 group.	Used to apply group-based permissions or enforce security controls during onboarding or incident response.
Get Users in Group	Retrieves a list of users belonging to a specific group.	Helps validate group membership for compliance audits or access reviews.
Get Group ID by Name	Retrieves the unique ID of a group based on its name.	Supports automated workflows that require group identifiers for policy enforcement or access management.

Tenant & Infrastructure Visibility

Action	Description	Use Case
List Azure Domains	Retrieves all domains associated with the Azure tenant.	Useful for domain inventory audits or identifying unauthorized domain additions.
List SharePoint Sites	Retrieves information about SharePoint sites in the tenant.	Helps identify potentially exposed data repositories or unauthorized site creation.