Panther Knowledge Base

Panther-managed rule "Geographically Improbable Okta Login" generates alerts for logins from same city

Issue

I have one or more alerts generated by Panther's "Geographically Improbable Okta Login" rule where the user's old and new cities (as shown in the alert title) are the same city.

Resolution

GPS coordinate inaccuracy can cause some login events occurring in rapid succession to generate false alerts. To investigate if this is the case, follow these steps:

  1. Locate the two login events that contributed to this alert. You can do this by querying the data lake (via Panther's Data Explorer or Search) for all events within one hour of the alert where:
     eventType = 'user.session.start'
     actor.alternateId = <USER_EMAIL_ADDR>
  2. Inside each of the two events, identify:
     1. The timestamp (provided by p_event_time)
     2. The GPS coordinates (provided by event.client.geographicalContext.geolocation.lon/lat)
  3. Enter the GPS coordinates into a latitude/longitude distance calculator, such as the one offered by NOAA. Make sure the calculation returns the units of distance as kilometers (km).
  4. Divide the distance in km (obtained in step 3) by the difference in time between the two timestamps; this gives the implied travel speed. Generally, a distance of a few km with a time difference of less than a minute will cause the detection to fire.
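The four steps above, worked through in code as an added example (this is not Panther's rule code or part of the original article). It assumes two constructed user.session.start events with the geolocation under a top-level client key, computes the great-circle distance that a NOAA-style calculator would report, and divides it by the elapsed time to give the implied speed alongside the same-city check shown in the alert title.

```python
import math
from datetime import datetime, timezone

# Two constructed Okta user.session.start events (sample data, not real logs),
# reduced to the fields the steps above use. The geolocation sits under the
# top-level "client" key here; adjust the path if your schema nests it elsewhere.
EVENTS = [
    {"p_event_time": "2023-05-01T12:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "user@example.com"},
     "client": {"geographicalContext": {"city": "Austin",
                "geolocation": {"lat": 30.2672, "lon": -97.7431}}}},
    {"p_event_time": "2023-05-01T12:00:30Z", "eventType": "user.session.start",
     "actor": {"alternateId": "user@example.com"},
     "client": {"geographicalContext": {"city": "Austin",
                "geolocation": {"lat": 30.3000, "lon": -97.7500}}}},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km, the quantity a lat/lon distance calculator reports."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = math.sin(d_phi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))

def parse_time(ts):
    """p_event_time is an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def implied_travel(events):
    """Steps 2-4: distance, elapsed seconds and implied speed between two logins."""
    first, second = sorted(events, key=lambda e: parse_time(e["p_event_time"]))
    geo1 = first["client"]["geographicalContext"]
    geo2 = second["client"]["geographicalContext"]
    distance_km = haversine_km(geo1["geolocation"]["lat"], geo1["geolocation"]["lon"],
                               geo2["geolocation"]["lat"], geo2["geolocation"]["lon"])
    elapsed_s = (parse_time(second["p_event_time"]) - parse_time(first["p_event_time"])).total_seconds()
    # Speed is undefined when both logins carry the same timestamp; report it as infinite.
    speed_kmh = float("inf") if elapsed_s == 0 else distance_km / elapsed_s * 3600
    return {
        "same_city": geo1.get("city") == geo2.get("city"),
        "distance_km": round(distance_km, 2),
        "elapsed_s": elapsed_s,
        "speed_kmh": round(speed_kmh, 1),
    }

if __name__ == "__main__":
    print(implied_travel(EVENTS))
```

With the sample events the two logins are in the same city but about 3.7 km apart within 30 seconds, an implied speed of roughly 445 km/h, which is the pattern that network switching produces.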

Cause

The most common reason GPS coordinates change so quickly is that the end-user has switched networks (e.g., from cellular data to WiFi, or on cellular data from one network tower to another). GPS data as recorded by Okta is determined by the IP address, and is based on the location of the network node, not the user's device.