BitLyft Air: OneLogin
Overview
The BitLyft AIR® OneLogin integration provides identity threat detection, investigation, and automated response capabilities for organizations using OneLogin as their identity and access management platform. By ingesting OneLogin activity logs and applying identity-focused detection policies, BitLyft AIR® enables security teams to monitor authentication activity, track configuration changes, and quickly respond to identity-based threats.
This integration helps organizations detect account compromise, privilege escalation, and risky configuration changes that could indicate malicious activity or unauthorized access.
Core Capabilities
Identity Threat Detection
The OneLogin integration includes security policies designed to identify suspicious authentication behavior, risky administrative activity, and identity configuration changes that could weaken security controls.
These detections help security teams surface early indicators of identity compromise and respond before attackers can escalate privileges or access sensitive applications.
Credential Abuse and Authentication Attacks
Authentication monitoring helps identify patterns associated with brute-force attacks, credential stuffing, or unauthorized login attempts.
Example detections include:
- Multiple failed authentication attempts from a user or IP address
These alerts help identify potential password spraying, brute-force login attempts, or suspicious authentication behavior targeting OneLogin accounts.
Multi-Factor Authentication (MFA) Security Monitoring
Multi-factor authentication is a critical identity security control. Monitoring changes to MFA settings helps detect attempts to weaken authentication protections.
Example detection:
- MFA disabled for a user account
This detection identifies when MFA protections are removed from an account, which may indicate attacker activity following initial credential compromise.
Privilege Escalation and Access Control Changes
Administrative role changes and privileged account activity are high-risk events that can indicate attempts to gain persistent access or expand privileges within the environment.
Example detections include:
- Privilege escalation role changes
- Password reset for privileged users
- Suspicious deprovisioning events
These detections help identify unauthorized privilege assignments, compromised administrative accounts, or attempts to disrupt user lifecycle management.
Risky Identity and Application Configuration Changes
Changes to identity configurations or application assignments can introduce security risk or enable unauthorized data access.
Example detections include:
- High-risk application assignment changes
- API tokens created or modified
These alerts help security teams identify actions that could allow attackers to access applications, automate malicious activity, or bypass authentication protections.
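As an added illustration (not BitLyft AIR's or OneLogin's own code), the following Python sketches the two kinds of policy described in the sections above: a sliding-window threshold over failed logins, evaluated separately per user (credential stuffing against one account) and per source IP (password spraying across many accounts), plus single-event alerts for the high-risk identity changes (MFA disabled, administrative role assignment, privileged password reset, deprovisioning, API token creation, high-risk application assignment). The event schema (`ts`, `event`, `user`, `ip`, `actor`), the event names, the sample events, the threshold and the window are all constructed assumptions for this example and do not correspond to OneLogin's real event-type identifiers or API fields.

```python
"""Identity detection policies over OneLogin-style activity events.

Added illustration only; the schema and event names below are constructed
and are NOT OneLogin's real event types or field names.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy parameters (assumed values; a real policy would tune these).
FAILED_LOGIN_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Single-event detections: constructed event name -> alert name.
HIGH_RISK_EVENTS = {
    "mfa_disabled": "MFA disabled for user account",
    "role_assigned_admin": "Privilege escalation role change",
    "privileged_password_reset": "Password reset for privileged user",
    "user_deprovisioned": "Suspicious deprovisioning event",
    "api_token_created": "API token created or modified",
    "api_token_modified": "API token created or modified",
    "app_assigned_high_risk": "High-risk application assignment change",
}

# Constructed sample events (not real OneLogin output).
SAMPLE_EVENTS = [
    # One old failure for grace, outside the 10-minute window of her later ones.
    {"ts": "2024-05-01T09:50:00Z", "event": "login_failed", "user": "grace", "ip": "192.0.2.8", "actor": None},
    # alice: five failures from five different IPs (stuffing through proxies).
    {"ts": "2024-05-01T10:00:00Z", "event": "login_failed", "user": "alice", "ip": "198.51.100.1", "actor": None},
    {"ts": "2024-05-01T10:01:00Z", "event": "login_failed", "user": "alice", "ip": "198.51.100.2", "actor": None},
    {"ts": "2024-05-01T10:02:00Z", "event": "login_failed", "user": "alice", "ip": "198.51.100.3", "actor": None},
    {"ts": "2024-05-01T10:03:00Z", "event": "login_failed", "user": "alice", "ip": "198.51.100.4", "actor": None},
    {"ts": "2024-05-01T10:04:00Z", "event": "login_failed", "user": "alice", "ip": "198.51.100.5", "actor": None},
    # One IP trying five different accounts once each (password spraying).
    {"ts": "2024-05-01T10:05:00Z", "event": "login_failed", "user": "bob", "ip": "203.0.113.7", "actor": None},
    {"ts": "2024-05-01T10:05:10Z", "event": "login_failed", "user": "carol", "ip": "203.0.113.7", "actor": None},
    {"ts": "2024-05-01T10:05:20Z", "event": "login_failed", "user": "dave", "ip": "203.0.113.7", "actor": None},
    {"ts": "2024-05-01T10:05:30Z", "event": "login_failed", "user": "erin", "ip": "203.0.113.7", "actor": None},
    {"ts": "2024-05-01T10:05:40Z", "event": "login_failed", "user": "frank", "ip": "203.0.113.7", "actor": None},
    # grace: four more failures; with the stale one expired this stays under threshold.
    {"ts": "2024-05-01T10:06:00Z", "event": "login_failed", "user": "grace", "ip": "192.0.2.8", "actor": None},
    {"ts": "2024-05-01T10:07:00Z", "event": "login_failed", "user": "grace", "ip": "192.0.2.8", "actor": None},
    {"ts": "2024-05-01T10:08:00Z", "event": "login_failed", "user": "grace", "ip": "192.0.2.8", "actor": None},
    {"ts": "2024-05-01T10:09:00Z", "event": "login_failed", "user": "grace", "ip": "192.0.2.8", "actor": None},
    # Configuration changes that fire on a single event.
    {"ts": "2024-05-01T10:10:00Z", "event": "mfa_disabled", "user": "bob", "ip": "203.0.113.7", "actor": "bob"},
    {"ts": "2024-05-01T10:11:00Z", "event": "role_assigned_admin", "user": "carol", "ip": "198.51.100.20", "actor": "svc-admin"},
]


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamp used in the samples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(events):
    """Run both policy types over events and return alerts in time order."""
    alerts = []
    # Sliding window of failure timestamps keyed by ("user", name) or ("ip", addr).
    windows = defaultdict(deque)
    fired = set()  # keys that already alerted, to avoid re-alerting every event

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(ev["ts"])
        name = ev["event"]

        # Single-event high-risk identity changes.
        if name in HIGH_RISK_EVENTS:
            alerts.append({"rule": HIGH_RISK_EVENTS[name], "subject": ev["user"],
                           "actor": ev.get("actor"), "ts": ev["ts"]})

        # Threshold policy: count failures per user and per source IP.
        if name == "login_failed":
            for key in (("user", ev["user"]), ("ip", ev["ip"])):
                q = windows[key]
                q.append(ts)
                while q and ts - q[0] > WINDOW:  # drop failures older than the window
                    q.popleft()
                if len(q) >= FAILED_LOGIN_THRESHOLD and key not in fired:
                    fired.add(key)
                    alerts.append({"rule": "Multiple failed authentication attempts",
                                   "subject": f"{key[0]}={key[1]}", "count": len(q), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Keying the same failures by user and by IP is what separates the two attack shapes: alice's five failures each come from a different address, so only her user window crosses the threshold, while the spray from 203.0.113.7 touches five accounts once each, so only the IP window fires. The `fired` set keeps a sustained attack from producing one alert per event; a production policy would typically expire that suppression or escalate on continued activity.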
Automated Response Capabilities
Compromised User Account Playbook
The OneLogin integration includes a Compromised User Account playbook designed to standardize incident response procedures for suspected identity compromise.
This playbook orchestrates response actions when identity-based threats are detected in OneLogin, helping security teams quickly investigate and contain incidents.
Key Benefits
- Provides a structured response workflow for identity-related incidents
- Enables rapid containment of compromised accounts
- Reduces reliance on manual investigation and response procedures
- Standardizes response actions across identity incidents
By pairing detection policies with automated response workflows, organizations can significantly reduce investigation time and accelerate incident containment.
Automation and Remediation
SOC-Ready Automations
The OneLogin integration includes SOC-ready automations that connect identity detections directly to remediation actions within BitLyft AIR®.
These automations allow security teams to move quickly from detection to response while maintaining consistent incident response practices.
Automation Benefits
- Faster response to identity-based threats
- Reduced manual investigation and remediation effort
- Standardized remediation workflows across incidents
- Improved operational efficiency for security teams
SOC-ready automations enable organizations to operationalize identity security by linking detection policies with automated response capabilities.
Security Value
The BitLyft AIR® OneLogin integration enhances identity security by helping organizations detect and respond to several common identity attack scenarios:
- Credential abuse and authentication attacks
- MFA weakening or removal
- Privilege escalation and administrative misuse
- Unauthorized application access changes
- Identity lifecycle manipulation
By combining identity-focused detections, investigation workflows, and automated remediation capabilities, BitLyft AIR® helps organizations protect their OneLogin environments from identity-driven threats and reduce operational burden on security teams.
OneLogin Remediation Actions
Account Security & Compromise Response
| Action | Description | Use Case |
|---|---|---|
| Force Password Reset | Triggers an immediate password reset for a specified user in OneLogin. | Used when an account is suspected of being compromised, such as following a phishing alert, credential exposure, or suspicious login attempt, to prevent further unauthorized access. |
| Lock User Account | Temporarily locks a specified user account in OneLogin, preventing authentication while preserving the account and associated data. | Ideal for isolating users involved in suspicious behavior or when responding to insider threats. This action halts all user activity without deleting the account, preserving forensic evidence for investigation. |
| Force User Log Out | Immediately terminates all active sessions for a specified user in OneLogin. | Used when there is a risk that a threat actor has an active session, such as during account takeover or session hijacking. Ensures the user is logged out from all devices and applications. |
Identity Investigation & Directory Visibility
| Action | Description | Use Case |
|---|---|---|
| Retrieve User Count | Retrieves the total number of users currently in the OneLogin directory. | Useful for detecting anomalies or supporting audit and compliance efforts. A sudden change in user count could signal unauthorized provisioning or potential configuration issues. |
| Retrieve User List | Retrieves a comprehensive list of all users from the OneLogin directory. | Supports investigations, compliance reporting, or incident triage by providing full visibility into user accounts. Useful for correlating login activity or reviewing account privileges. |