I am receiving Okta Impossible Travel for Login Action alerts from Panther, with incorrect locations where my users have not been.
When this occurs:
Check with your user to see if there's a chance this could be a real event.
If the logins come from static IPs (for example a corporate VPN egress address, or an AWS EC2 instance in a faraway region), create an allow list of those static IPs and only trigger an alert when the source IP of the event is not on that list. Keep the list tight: any login from an allow-listed IP is no longer checked for impossible travel, so a compromised session on that VPN or instance would not be caught by this rule.
If your IP addresses are not static and are likely to change, add a clause to your Okta rule that ignores logins whose geolocation matches the known-erroneous location (the VPN exit point or the cloud region) rather than the user's real location.
Logging in to Okta through a VPN or from cloud resources such as AWS EC2 instances makes our IP geolocation details unreliable for monitoring login locations: the source IP resolves to the VPN exit or the cloud region, not to where the user is.
For instance, if a user in Michigan logs in to Okta from an EC2 instance in AWS's us-west-2 region (Oregon), the login geolocates to Oregon, and the jump from Michigan to Oregon in a few minutes can trigger an alert.
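The two suppressions described above, applied to a small impossible-travel check over constructed Okta System Log events, as an added example. This is not the code of Panther's managed "Impossible Travel for Login Action" rule and does not reproduce its logic; it only shows where a static-IP allow list and an ignored-location clause sit relative to the travel check, and why a suppressed login should not become the user's new baseline location. The Okta field paths (eventType, actor.alternateId, published, client.ipAddress, client.geographicalContext.*) are real System Log fields; the IP addresses, the Boardman/Oregon location, the 1000 km/h threshold and the sample events are constructed. Panther rules keep cross-event state in Panther's KV cache, so this stand-alone version substitutes an in-memory dict to run offline.

```python
"""
Added example (not Panther's managed rule): impossible-travel check for Okta
user.session.start events with a static-IP allow list and an ignored-location
clause. IPs, locations, threshold and sample events are constructed.
"""
import ipaddress
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def deep_get(obj, *keys, default=None):
    """Safe nested dict lookup (stand-in for Panther's event.deep_get)."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


class ImpossibleTravelChecker:
    def __init__(self, allowed_ips=(), ignored_locations=(), max_speed_kmh=1000.0):
        # Allow list: static egress IPs (VPN, EC2) as single addresses or CIDRs.
        self.allowed_nets = [ipaddress.ip_network(ip, strict=False) for ip in allowed_ips]
        # (city, state, country) tuples that geolocation reports erroneously.
        self.ignored_locations = set(ignored_locations)
        self.max_speed_kmh = max_speed_kmh
        self.last_seen = {}  # user -> (lat, lon, datetime); Panther would use its KV cache

    def ip_allow_listed(self, ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in self.allowed_nets)

    def location_ignored(self, event):
        geo = deep_get(event, "client", "geographicalContext", default={})
        return (geo.get("city"), geo.get("state"), geo.get("country")) in self.ignored_locations

    def process(self, event):
        """Return True when this login should raise an impossible-travel alert."""
        if event.get("eventType") != "user.session.start":
            return False
        if deep_get(event, "outcome", "result") != "SUCCESS":
            return False
        # Suppressions from the article. A suppressed login deliberately does NOT
        # update last_seen: otherwise the VPN/EC2 location would become the
        # baseline and the user's next real login would fire instead.
        if self.ip_allow_listed(deep_get(event, "client", "ipAddress", default="")):
            return False
        if self.location_ignored(event):
            return False
        user = deep_get(event, "actor", "alternateId")
        lat = deep_get(event, "client", "geographicalContext", "geolocation", "lat")
        lon = deep_get(event, "client", "geographicalContext", "geolocation", "lon")
        if user is None or lat is None or lon is None:
            return False
        ts = datetime.fromisoformat(event["published"].replace("Z", "+00:00"))
        prev = self.last_seen.get(user)
        self.last_seen[user] = (lat, lon, ts)
        if prev is None:
            return False  # first login seen for this user: nothing to compare against
        distance = haversine_km(prev[0], prev[1], lat, lon)
        hours = (ts - prev[2]).total_seconds() / 3600
        speed = distance / hours if hours > 0 else math.inf  # out-of-order events count as impossible
        return distance > 0 and speed > self.max_speed_kmh


def okta_login(user, ip, city, state, country, lat, lon, published):
    """Build a constructed Okta System Log user.session.start event."""
    return {
        "eventType": "user.session.start",
        "published": published,
        "actor": {"alternateId": user},
        "outcome": {"result": "SUCCESS"},
        "client": {
            "ipAddress": ip,
            "geographicalContext": {
                "city": city, "state": state, "country": country,
                "geolocation": {"lat": lat, "lon": lon},
            },
        },
    }


def demo():
    """Michigan user, then logins that geolocate to us-west-2 (Boardman, Oregon)."""
    detroit = dict(city="Detroit", state="Michigan", country="United States", lat=42.33, lon=-83.05)
    oregon = dict(city="Boardman", state="Oregon", country="United States", lat=45.84, lon=-119.70)
    events = [
        okta_login("alice@example.com", "192.0.2.5", published="2024-03-01T10:00:00.000Z", **detroit),
        okta_login("alice@example.com", "203.0.113.10", published="2024-03-01T10:05:00.000Z", **oregon),   # exact allow-listed IP
        okta_login("alice@example.com", "198.51.100.77", published="2024-03-01T10:10:00.000Z", **oregon),  # inside allow-listed CIDR
        okta_login("alice@example.com", "192.0.2.77", published="2024-03-01T10:15:00.000Z", **oregon),     # unknown IP, ignored location
        okta_login("alice@example.com", "192.0.2.9", published="2024-03-01T11:00:00.000Z", **detroit),     # real login, still from Detroit
    ]
    filtered = ImpossibleTravelChecker(
        allowed_ips=["203.0.113.10", "198.51.100.0/24"],              # constructed static IPs
        ignored_locations=[("Boardman", "Oregon", "United States")],  # constructed erroneous location
    )
    unfiltered = ImpossibleTravelChecker()  # no suppressions: Detroit then Oregon in 15 minutes alerts
    return {
        "filtered": [filtered.process(e) for e in events],
        "unfiltered": [unfiltered.process(events[0]), unfiltered.process(events[3])],
    }


if __name__ == "__main__":
    print(demo())
```

With both suppressions in place none of the five constructed logins alerts, and because the Oregon logins never update the baseline, the user's 11:00 login from Detroit is still compared against Detroit. Without them, the same Detroit-then-Oregon pair (about 2,900 km in 15 minutes) is reported as impossible travel.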
You can also refer to our relevant article 📄 Panther-managed rule "Impossible Travel for Login Action" generates alerts for logins from same city