Panther-managed rule "Impossible Travel for Login Action" generates alerts for logins from same city
Issue
I have one or more alerts generated by Panther's "Impossible Travel for Login Action" rule where the user's old and new cities (as shown in the alert title) are the same city.
Resolution
GPS coordinate inaccuracy can cause some login events occurring in rapid succession to generate false alerts. To investigate if this is the case, follow these steps:
- Locate the two login events that contributed to this alert. You can do this by querying the data lake (via Panther's Data Explorer or Search) for all events within one hour of the alert where:
eventType = 'user.session.start' actor.alternateId = <USER_EMAIL_ADDR>
- Inside each of the two events, identify:
- The timestamp (provided by
p_event_time) - The GPS coordinates (provided by
event.client.geographicalContext.geolocation.lon/lat)
- The timestamp (provided by
- Enter the GPS coordinates into a latitude/longitude distance calculator, such as the one offered by NOAA. Make sure the calculation returns the units of distance as kilometers (km).
- Divide the distance in kms (obtained in step 3) by the difference in time between the two timestamps. Generally, a distance of a few kms with a time difference of less than a minute will cause the detection to fire.
Cause
The most common reason GPS coordinates change so quickly is that the end-user has switched networks (e.g., from cellular data to WiFi, or on cellular data from one network tower to another). GPS data as recorded by Okta is determined by the IP address, and is based on the location of the network node, not the user's device.