Panther Knowledge Base

How to troubleshoot Okta Impossible Travel for Login Action alerts from Panther

Issue

I am receiving Okta Impossible Travel for Login Action alerts from Panther, with incorrect locations where my users have not been.

Resolution

When this occurs:

  1. Check with your user to see if there's a chance this could be a real event.
  2. If there are static IPs associated with your logins (on VPNs or an AWS EC2 instance located in a faraway region), you can create an allow list with those static IPs and only trigger an alert if those IPs are not associated with your event.
  3. If your IP addresses are not static and are likely to change, you can add a clause in your Okta rule that ignores logins from the erroneous location.
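
Steps 2 and 3 can be expressed as two suppression checks that run before the travel-speed test. The following is an added example, not Panther's managed rule: the function names, the allow list, the ignored location and the speed threshold are constructed assumptions, and the event fields (`client.ipAddress`, `client.geographicalContext`, `published`) follow the Okta System Log format.

```python
import ipaddress
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed values: documentation ranges standing in for your VPN/EC2 static IPs.
ALLOWED_EGRESS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
# Constructed value: (country, state) that geolocation wrongly reports for your users.
IGNORED_LOCATIONS = {("United States", "Oregon")}
MAX_SPEED_KMH = 900  # assumed threshold, roughly airliner cruising speed


def _geo(event):
    return (event.get("client") or {}).get("geographicalContext") or {}


def is_allowed_egress(event):
    """Step 2: the login came from one of the known static IPs."""
    try:
        ip = ipaddress.ip_address((event.get("client") or {}).get("ipAddress") or "")
    except ValueError:
        return False  # a missing or malformed IP is never treated as allow-listed
    return any(ip in net for net in ALLOWED_EGRESS)


def is_ignored_location(event):
    """Step 3: the login geolocates to a location known to be erroneous."""
    return (_geo(event).get("country"), _geo(event).get("state")) in IGNORED_LOCATIONS


def _point(event):
    """Return (lat, lon, epoch_seconds) for a login, or None if geodata is missing."""
    loc = _geo(event).get("geolocation") or {}
    if "lat" not in loc or "lon" not in loc or "published" not in event:
        return None
    when = datetime.fromisoformat(event["published"].replace("Z", "+00:00"))
    return loc["lat"], loc["lon"], when.timestamp()


def should_alert(event, previous):
    """previous: the user's last login event that was not suppressed, or None."""
    if is_allowed_egress(event) or is_ignored_location(event):
        return False
    cur, prev = _point(event), _point(previous or {})
    if cur is None or prev is None:
        return False
    lat1, lon1, lat2, lon2 = map(radians, (prev[0], prev[1], cur[0], cur[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    km = 2 * 6371 * asin(sqrt(h))  # haversine great-circle distance
    hours = max(cur[2] - prev[2], 1) / 3600  # avoid division by zero
    return km / hours > MAX_SPEED_KMH
```

The location clause suppresses every login that geolocates there, whoever makes it, so keep that list as narrow as possible and prefer the IP allow list whenever the addresses are static.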

Cause

Logging in to Okta while using a VPN or cloud resources like AWS EC2 instances can cause our IP geolocation details to be unreliable when monitoring login locations.

For instance, if a user in Michigan logs in to an EC2 instance in AWS's us-west-2 region (Oregon), this could trigger an alert.

You can also refer to our related article, "Panther-managed rule 'Geographically Improbable Okta Login' generates alerts for logins from same city".