OneLogin
Active Integration | Identity & Access Management

BitLyft AIR® v1.21 expanded identity threat detection for OneLogin with new security policies, a Compromised User Account playbook, and out-of-the-box automation mappings for immediate time-to-value.

Detection Policies: 6+

Prebuilt Playbook: 1

Available Since: v1.21

Automated Identity Response for OneLogin

OneLogin manages access to your critical business applications. When an account is compromised, every downstream application is at risk. BitLyft AIR® v1.21 expanded OneLogin detection coverage with policies that surface the most impactful identity attack patterns, and paired them with a full Compromised User Account playbook.

From detection to account suspension to session revocation and MFA removal, the entire response workflow executes automatically — giving analysts a complete picture with no manual steps required.

Detection Policies

Impossible Travel Login

Login events from geographically impossible locations within a short timeframe.

Brute Force Authentication

Repeated failed login attempts targeting a OneLogin user account.

Admin Role Modification

Unexpected changes to administrative roles or permissions within OneLogin.

New MFA Device Enrolled

A new device is added to MFA enrollment — a common post-compromise action.

Suspicious IP Access

Authentication from IP addresses flagged as high-risk or anonymized.

Application Access Anomaly

Unusual patterns of application access inconsistent with user history.

Compromised User Account Playbook

A pre-built SOC playbook that orchestrates the full account compromise response from detection through containment — automatically.

1. Detect Threat

A OneLogin detection policy triggers on a high-risk identity event.

2. Suspend User

The account is immediately suspended in OneLogin to prevent further access.

3. Revoke Sessions

All active user sessions are terminated across OneLogin-protected applications.

4. Clear MFA Factors

Enrolled MFA devices are removed to prevent attacker persistence via registered factors.

5. Create & Escalate Case

A case is created in AIR® with full context, actions taken, and recommended follow-up.

Out-of-the-Box Automation Mappings

v1.21 ships with pre-configured automation mappings that connect OneLogin detection policies directly to response actions — ready to activate on day one with no custom configuration required.

Compromised Account Automation
Suspicious Access Escalation Mapping
