Investigation Using Agent Cases 5-39 2. Go to the Session Details page to collect more information about the session you are interested in. You could look at: ■ Outcomes of checkpoints ■ Policies and rules triggered As an investigator, you are interested in why a particular rule triggered. For example, you might look at which policy and rules triggered the alert. Information can be gathered by looking at these details. For example, a user who successfully went through Pre-Authentication and Post-Authentication checkpoints knew the password and the questions and answers and there fore, there is a good chance that he is a valid user. On the other hand, a user who attempted to answer the questions twice and succeeded in providing a correct answer on his third attempt might be considered suspicious. This user did not know the answers right away so there is a chance that he may be a fraud trying out new answers. 3. In the Policy Explorer in Session Details, view the runtime values for each one of the policies and rules that were triggered. For example, if a rule triggered that showed that the user had logged in from a country that he did not usually log in from, you would want to look at the runtime details to see which country he logged in from. The Policy Explorer shows the policies that were triggered, the condition parameters, and the actual values. 4. Determine the sessions you need to investigate. 5. Create an Agent case and start the investigation. 6. Search and select these sessions and link them to the case. As part of the linking enter notes describing why the sessions were linked. The case log records the notes as well as the user who performed the link action. These sessions stay linked to the case unless they are unlinked by an investigator or manager. 7. Identify the relationship between the sessions and view the appropriate detail pages. For example: If the suspicious sessions used the same device, view the Device Details page. If the suspicious sessions are from the same location, view the Location Details page. If the suspicious sessions are from the same user, view the User Details page. If the suspicious sessions all used a Spanish browser, view the Fingerprint Details page. a. View Location Details page. b. View Device Details page. c. View Fingerprint Details page. d. View Alert Details page. e. View User Details page. 8. Analyze the sessions and when you reach a conclusion, close the case with a disposition.