Investigation Workflow for Auto-Created Cases

Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager
Investigation Using Agent Cases

2. Go to the Session Details page to collect more information about the session you are interested in. You could look at:

   ■ Outcomes of checkpoints
   ■ Policies and rules triggered

   As an investigator, you are interested in why a particular rule triggered. For example, you might look at which policy and rules triggered the alert. Information can be gathered by looking at these details. For example, a user who successfully went through Pre-Authentication and Post-Authentication checkpoints knew the password and the questions and answers, and therefore there is a good chance that he is a valid user. On the other hand, a user who attempted to answer the questions twice and succeeded in providing a correct answer on his third attempt might be considered suspicious. This user did not know the answers right away, so there is a chance that he may be a fraud trying out new answers.

3. In the Policy Explorer in Session Details, view the runtime values for each one of the policies and rules that were triggered. For example, if a rule triggered that showed that the user had logged in from a country that he did not usually log in from, you would want to look at the runtime details to see which country he logged in from. The Policy Explorer shows the policies that were triggered, the condition parameters, and the actual values.

4. Determine the sessions you need to investigate.

5. Create an Agent case and start the investigation.

6. Search and select these sessions and link them to the case. As part of the linking, enter notes describing why the sessions were linked. The case log records the notes as well as the user who performed the link action. These sessions stay linked to the case unless they are unlinked by an investigator or manager.

7. Identify the relationship between the sessions and view the appropriate detail pages. For example:

   ■ If the suspicious sessions used the same device, view the Device Details page.
   ■ If the suspicious sessions are from the same location, view the Location Details page.
   ■ If the suspicious sessions are from the same user, view the User Details page.
   ■ If the suspicious sessions all used a Spanish browser, view the Fingerprint Details page.

   a. View Location Details page.
   b. View Device Details page.
   c. View Fingerprint Details page.
   d. View Alert Details page.
   e. View User Details page.

8. Analyze the sessions and when you reach a conclusion, close the case with a disposition.
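The grouping in step 7 and the challenge-attempt signal from step 2, sketched as an added example (not part of the Oracle guide and not OAAM code). The session records, field names and function names are constructed for illustration and do not reflect the OAAM schema or API.

```python
from collections import defaultdict

# Constructed sample records; field names are assumptions for this sketch,
# not the OAAM schema or API.
SESSIONS = [
    {"id": "S1", "user": "alice", "device": "D-17", "country": "US", "browser_lang": "es", "attempts": 1},
    {"id": "S2", "user": "bob",   "device": "D-17", "country": "BR", "browser_lang": "es", "attempts": 3},
    {"id": "S3", "user": "carol", "device": "D-42", "country": "BR", "browser_lang": "es", "attempts": 1},
    {"id": "S4", "user": "bob",   "device": "D-90", "country": "DE", "browser_lang": "en", "attempts": 1},
]

# Shared attribute -> detail page named in step 7.
DETAIL_PAGE = {
    "device": "Device Details",
    "country": "Location Details",
    "user": "User Details",
    "browser_lang": "Fingerprint Details",
}


def slow_challenge(sessions, threshold=3):
    """Step 2 signal: IDs of sessions answered correctly only on attempt `threshold` or later."""
    return [s["id"] for s in sessions if s["attempts"] >= threshold]


def shared_attributes(sessions, min_sessions=2):
    """Group session IDs by (attribute, value); keep values seen in at least min_sessions sessions."""
    groups = defaultdict(list)
    for s in sessions:
        for attr in DETAIL_PAGE:
            groups[(attr, s[attr])].append(s["id"])
    return {key: ids for key, ids in groups.items() if len(ids) >= min_sessions}


def review_plan(sessions):
    """Return (detail page, linking note) pairs: the page to open and a note for the link action in step 6."""
    plan = []
    for (attr, value), ids in sorted(shared_attributes(sessions).items()):
        note = f"Linked {', '.join(ids)}: same {attr} ({value})"
        plan.append((DETAIL_PAGE[attr], note))
    return plan


if __name__ == "__main__":
    print("Answered on third attempt or later:", slow_challenge(SESSIONS))
    for page, note in review_plan(SESSIONS):
        print(f"{page}: {note}")
```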

5.11.8 Listing the Cases that I Am Currently Working With

Both CSR and Agent type cases can be searched based on the current owner. This search filter finds cases for which the last action performed was by the user you are searching for.

Before You Begin

Ensure that you have the proper permissions to work with cases.

List Cases I'm Currently Working On

1. Log in to the OAAM Admin Console.

2. As a CSR or CSR Manager: In the Cases search page, search for the cases you are currently working on by specifying the criteria in Table 5–8 in the search filters.

3. As an Investigator: In the Cases search page, search for the cases you are currently working on by specifying the criteria in Table 5–9 in the search filters.

5.11.9 Marking One or More Sessions as Confirmed Fraud

The following section outlines the steps to mark one or more sessions as confirmed fraud. Included are references to other sections where you can find specific information.

Before You Begin

Ensure that you have the proper permissions to create and work with Agent cases.

Mark One or More Sessions as Confirmed Fraud

To mark a session as Fraud/Not Fraud, create an Agent case, link the session, and close the Agent case with Disposition as either Confirmed Fraud or Not Fraud.

1. Log in to the OAAM Admin Console as an Investigator.

2. Create an Agent case. Refer to Section 5.5.5, "Creating an Agent Case Manually."

3. Link sessions to the case. Refer to Section 5.7.1, "Linking Sessions."

4. Change the severity of the case to High. Refer to Section 5.6.2, "Changing Severity Level of a Case."

5. Close the case with Disposition as Confirmed Fraud. Refer to Section 5.6.3, "Changing Status of a Case."

Table 5–8 CSR Searches for Cases Working On

Filter          Value
Current Owner   Search by your user name. The agent who performed the last action
Case Status     Pending
Expired         Hide Expired

Table 5–9 Investigator Searches for Cases Working On

Filter          Value
Current Owner   Search by your user name. The agent who performed the last action
Case Status     Pending, Escalated
Expired         Hide Expired