Cybersecurity News and Blog | BitLyft

BitLyft AIR® v1.20: Expanding Okta Detections and Automating Identity Threat Response

Written by Hannah Bennett | Jan 14, 2026 2:00:04 PM

Identity remains the most targeted attack surface in modern environments—and Okta is often at the center of it. With BitLyft AIR® version 1.20, we’re significantly expanding Okta-focused detection and response capabilities to help security teams identify identity threats earlier and respond faster with less manual effort.

This release introduces 13 new Okta security detections, a purpose-built compromised account playbook, and new out-of-the-box automation mappings designed to reduce mean time to respond (MTTR) for identity-driven incidents.

What’s New in BitLyft AIR® v1.20

13 New Okta Security Policies

BitLyft AIR® v1.20 adds 13 high-value Okta detections to BitLyft Essential, focused on the most common identity-related breach patterns: credential abuse, privilege escalation, misconfiguration, and post-termination risk.

Account Compromise & Credential Abuse

These detections help surface early indicators of compromised credentials and brute-force activity:

  • Abnormal failed authentication attempts
  • Abnormal password reset activity
  • High number of account lockouts
  • Deactivated or terminated users attempting to log in

Privilege Escalation & Administrative Misuse

Visibility into admin behavior and privilege changes is critical in Okta environments:

  • Admin role granted to a user
  • Admin role removed from user
  • Admin potential impersonation
  • Privileged app access granted

Risky Configuration & Policy Changes

Misconfiguration remains a leading cause of identity breaches:

  • MFA policy modified
  • Password policy modified
  • Sign-on policy modified
  • An abnormal number of accounts were deleted

Post-Termination Risk

  • Okta activity by a terminated user

Together, these detections help identify both external threats and insider or misuse scenarios that traditional alerting often misses.

New Compromised Okta Account Automation

Version 1.20 introduces a new Compromised Okta Account automation, designed specifically to respond to identity-based incidents detected in Okta.

What this enables:

  • A standardized, guided response for suspected account compromise
  • Faster containment through automation-driven actions
  • Reduced reliance on manual triage and inconsistent analyst workflows

The playbook pairs directly with the new Okta detections, enabling detect → decide → respond workflows out of the box.

New Out-of-the-Box Automation Mappings

To further accelerate response, this release includes two new OOTB automation mappings that connect Okta detections directly to remediation actions.

Why this matters:

  • Faster response with minimal configuration
  • Stronger alert-to-action workflows for real-world incidents
  • Clear demonstration of AIR®’s automation-first approach

Why This Matters for Security Teams

BitLyft AIR® v1.20 strengthens identity security by:

  • Improving visibility into high-risk Okta activity
  • Reducing MTTR for identity-based incidents
  • Addressing misconfiguration and privilege abuse, not just log volume

For teams using Okta as a primary identity provider, this release helps close critical gaps between detection and response without adding operational overhead.

Ideal Use Cases

  • Organizations using Okta as their primary IdP
  • Security teams concerned about insider threats or privilege creep
  • Lean SOC teams looking to reduce manual response effort for identity incidents

See BitLyft AIR® in action:

To see how BitLyft AIR® automates identity threat detection and response across Okta and beyond, check out BitLyft AIR®