BitLyft AIR® v1.20: Expanding Okta Detections and Automating Identity Threat Response
Identity remains the most targeted attack surface in modern environments—and Okta is often at the center of it. With BitLyft AIR® version 1.20, we’re significantly expanding Okta-focused detection and response capabilities to help security teams identify identity threats earlier and respond faster with less manual effort.
This release introduces 13 new Okta security detections, a purpose-built compromised account playbook, and new out-of-the-box automation mappings designed to reduce mean time to respond (MTTR) for identity-driven incidents.
What’s New in BitLyft AIR® v1.20
13 New Okta Security Policies
BitLyft AIR® v1.20 adds 13 high-value Okta detections to BitLyft Essential, focused on the most common identity-related breach patterns: credential abuse, privilege escalation, misconfiguration, and post-termination risk.
Account Compromise & Credential Abuse
These detections help surface early indicators of compromised credentials and brute-force activity:
- Abnormal failed authentication attempts
- Abnormal password reset activity
- High number of account lockouts
- Deactivated or terminated users attempting to log in
Privilege Escalation & Administrative Misuse
Visibility into admin behavior and privilege changes is critical in Okta environments:
- Admin role granted to a user
- Admin role removed from user
- Admin potential impersonation
- Privileged app access granted
Risky Configuration & Policy Changes
Misconfiguration remains a leading cause of identity breaches:
- MFA policy modified
- Password policy modified
- Sign-on policy modified
- An abnormal number of accounts were deleted
Post-Termination Risk
- Okta activity by a terminated user
Together, these detections help identify both external threats and insider or misuse scenarios that traditional alerting often misses.
New Compromised Okta Account Automation
Version 1.20 introduces a new Compromised Okta Account automation, designed specifically to respond to identity-based incidents detected in Okta.
What this enables:
- A standardized, guided response for suspected account compromise
- Faster containment through automation-driven actions
- Reduced reliance on manual triage and inconsistent analyst workflows
The playbook pairs directly with the new Okta detections, enabling detect → decide → respond workflows out of the box.
New Out-of-the-Box Automation Mappings
To further accelerate response, this release includes two new OOTB automation mappings that connect Okta detections directly to remediation actions.
Why this matters:
- Faster response with minimal configuration
- Stronger alert-to-action workflows for real-world incidents
- Clear demonstration of AIR®’s automation-first approach
Why This Matters for Security Teams
BitLyft AIR® v1.20 strengthens identity security by:
- Improving visibility into high-risk Okta activity
- Reducing MTTR for identity-based incidents
- Addressing misconfiguration and privilege abuse, not just log volume
For teams using Okta as a primary identity provider, this release helps close critical gaps between detection and response without adding operational overhead.
Ideal Use Cases
- Organizations using Okta as their primary IDP
- Security teams concerned about insider threats or privilege creep
- Lean SOC teams looking to reduce manual response effort for identity incidents
See BitLyft AIR® in action:
To see how BitLyft AIR® automates identity threat detection and response across Okta and beyond, check out BitLyft AIR®.