
px124 (px124) asked a question.
Hello,
We have observed that the IP address information provided in Okta security logs is sometimes inaccurate, which has been causing false positives in our geolocation-based alerts.
For example, as shown in the attached screenshot, a user logged in via Okta to two different applications from the same device and IP address. However, the logs recorded two vastly different IP addresses originating from different geographical locations.
We suspect this behavior may be due to Okta occasionally logging the IP address of the application or service the user is accessing instead of the user's actual IP address. This issue has been particularly noticeable with applications such as Zoom and Google Workspace.
Could you please advise if there is a way to address or resolve this issue?
Thank you for your assistance.

For that user in your screenshot I see 2 different IPs. This is normal and is what I see for users in my Okta logs as well. Keep in mind that the IPs are different because of the different source of each request in the authentication process.
These posts might give you a little better understanding on IPs in Okta logs.
https://support.okta.com/help/s/question/0D51Y00008MtPOtSAN/what-is-the-second-ipchain-information-in-system-logs-referring-to?language=en_US
https://www.obsidiansecurity.com/blog/how-to-use-client-ip-addresses-in-okta-audit-logs/
@MatthewH.10249 (State of Iowa) So in the post you referenced, the proxies used to contain the other IP addresses, but the client.ipAddress field would contain the IP address of the local machine. This seems to have changed recently.
The client.ipAddress field and the other client.geographicalContext fields no longer serve as a source of truth for the real location of the user. Due to the IP address information field changing depending on the app the user is logging on to, I am unable to detect events such as unauthorized usage of VPN tools or possible account compromise (based on login location).
I went back 3 months in my logs and I'm not seeing any change in behavior that I can tell. Again, looking at your screenshot I see only 1 log entry with a different IP, and that is the second one, "user single sign on to app", which is probably related to the Okta Admin Dashboard, which is hosted on AWS servers in Columbus, Ohio.
If you still have concerns or questions, I suggest you create an Okta Support case to get further input on this matter if no one else happens to post to this community post. Please update this community post if Okta Support discovers an issue. Best of luck!
I used a small sample size of my own activity, that's why it is only one event, and you are right, the one from Columbus was the Okta Admin Dashboard. But it's still a problem: given that the app field exists to tell me what service users log in to, the client IP field should only contain the user's local IP address.
I have tried whitelisting various applications, but the behaviour keeps happening with more and more apps, and at this point I believe Okta should fix it to ensure that the information contained in the field fits its purpose.
The attached image shows more examples. It is a screenshot of the alert, and all of the 21 events flagged are false positives: multiple users being flagged for geographically improbable access because they moved between applications on their workstation.
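The false-positive pattern described in this thread (a workstation login followed minutes later by an app SSO event whose client IP geolocates elsewhere) can be reproduced and suppressed with a small impossible-travel check. The script below is an added example, not code from the thread, from Okta or from any poster. It assumes the public Okta System Log JSON field names (eventType, actor.alternateId, published, client.ipAddress, client.geographicalContext.geolocation); the sample events, their IPs (documentation ranges), the coordinates and the 900 km/h speed threshold are all constructed for illustration. The naive pass scores every event and raises the alert the thread complains about; the hardened pass only compares session-establishing events (user.session.start), so an SSO event carrying a different IP no longer counts as travel.

```python
"""Impossible-travel check over Okta System Log events (added example).

Assumes the System Log JSON shape: eventType, actor.alternateId, published,
client.ipAddress, client.geographicalContext.geolocation{lat, lon}.
"""
import math
from datetime import datetime, timezone

# Constructed sample events (not real log data): a workstation login, an app
# SSO whose client IP resolves to another city, then a later login from the
# original workstation IP.
SAMPLE_EVENTS = [
    {
        "eventType": "user.session.start",
        "published": "2024-01-15T14:00:00.000Z",
        "actor": {"alternateId": "alice@example.com"},
        "client": {
            "ipAddress": "203.0.113.10",  # TEST-NET-3 documentation range
            "geographicalContext": {"city": "Des Moines", "country": "United States",
                                    "geolocation": {"lat": 41.59, "lon": -93.62}},
        },
    },
    {
        "eventType": "user.authentication.sso",  # "User single sign on to app"
        "published": "2024-01-15T14:05:00.000Z",
        "actor": {"alternateId": "alice@example.com"},
        "client": {
            "ipAddress": "198.51.100.7",  # TEST-NET-2, constructed "other region" IP
            "geographicalContext": {"city": "Columbus", "country": "United States",
                                    "geolocation": {"lat": 39.96, "lon": -83.00}},
        },
    },
    {
        "eventType": "user.session.start",
        "published": "2024-01-15T16:00:00.000Z",
        "actor": {"alternateId": "alice@example.com"},
        "client": {
            "ipAddress": "203.0.113.10",
            "geographicalContext": {"city": "Des Moines", "country": "United States",
                                    "geolocation": {"lat": 41.59, "lon": -93.62}},
        },
    },
]

# Event types that establish a session from the user's own device. App SSO
# events are excluded because, as reported in the thread, their client IP may
# not reflect the workstation.
SESSION_EVENT_TYPES = {"user.session.start"}

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, event_types=None, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (actor, prev_ip, cur_ip, km, kmh) for consecutive events of the
    same actor whose implied speed exceeds max_kmh. If event_types is given,
    only those event types take part in the comparison."""
    alerts = []
    last = {}  # actor -> (timestamp, ip, lat, lon)
    for ev in sorted(events, key=lambda e: e["published"]):
        if event_types is not None and ev["eventType"] not in event_types:
            continue
        geo = ev["client"].get("geographicalContext", {}).get("geolocation")
        if not geo:
            continue  # no coordinates, nothing to compare
        actor = ev["actor"]["alternateId"]
        ts, ip = _parse_ts(ev["published"]), ev["client"]["ipAddress"]
        prev = last.get(actor)
        if prev is not None and prev[1] != ip:
            km = haversine_km(prev[2], prev[3], geo["lat"], geo["lon"])
            hours = max((ts - prev[0]).total_seconds() / 3600.0, 1 / 3600.0)
            kmh = km / hours
            if kmh > max_kmh:
                alerts.append((actor, prev[1], ip, round(km, 1), round(kmh, 1)))
        last[actor] = (ts, ip, geo["lat"], geo["lon"])
    return alerts


if __name__ == "__main__":
    print("all events   :", impossible_travel(SAMPLE_EVENTS))
    print("session only :", impossible_travel(SAMPLE_EVENTS, SESSION_EVENT_TYPES))
```

Restricting the comparison to session-establishing events is a filter on the detection side; it does not change what Okta writes into client.ipAddress, so if the field is later confirmed to carry the user's IP consistently the event_types filter can simply be dropped.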