Use Case: Checking for Fraudulent Devices and Adding Them to a Group

6-76 Oracle Fusion Middleware Administrators Guide for Oracle Adaptive Access Manager

6.16.5 Use Case: User Details, Fingerprint Details

Tom, a fraud investigator, opens the OAAM Administration Console and searches for sessions that contain high-level alerts in the last 24 hours. This search returns a number of sessions. He orders the results by the User Name column and notices that jsmith had several sessions carrying the device with implausible velocity alert. Because jsmith has completed registration, every one of those sessions was challenged.

1. Tom opens the user details for jsmith by clicking the link in the Sessions page. He searches for IPs jsmith has used in the last six months. A large list of IPs is returned. It appears that jsmith has been logging in from a random location every login session.

2. On the Devices page for jsmith, Tom finds only two devices used by jsmith in the last six months.

3. Tom searches for all of jsmith's sessions in the last three months. He finds that almost every session has the same device velocity alert. Tom then filters the sessions to see how many KBA locks occurred. He finds only one.

4. Tom navigates to the fingerprint details and finds that jsmith has logged in from the same browser and the same OS every time, and has always used the same locale. Tom determines that jsmith must be a normal user whose IP is being changed in some way. He adds jsmith to the group of traveling users and excludes this group from the rule that is triggering for him.

6.16.6 Use Case: Device and Location Details

Tom opens the OAAM Administration Console and searches for sessions that contain high-level alerts in the last 6 hours. This search returns 5 sessions.

1. Tom orders the results by the username and notices that none of them are from the same user.

2. Tom then orders on IP and sees that a different IP was used in each session.

3. He then orders by the device column and sees that one device has 2 sessions and the other devices have one session each.

4. Tom opens the device details for the device with 2 sessions. He views sessions from that device in the last month. He sees that there were five sessions from this device in the last 24 hours, each for a different user. The most recent session was blocked.

5. Tom opens the blocked session details to see why it was blocked. He can see that the device with maximum users in a short timeframe rule triggered.

6. Tom drills in on the policy containing this rule and sees the policy and its rules. The rule blocks when a device has had more than four users from more than three cities in a 12-hour period. He goes back to the device details screen and sees that the locale is Finnish, which seems strange.

7. Tom opens another session screen and searches for sessions in the last three months using the Finnish locale. There are 23 sessions, all in the last week.

8. Ordering by location, it seems the sessions were all from unique places within Washington State. Ordering by device, however, he can see that ten devices were used. Finally, ordering by username, Tom can see that every session was for a different user. Feeling that this was not ordinary activity, Tom puts together a call list of the affected users to verify whether any of the activity was valid.

9. After calling 5 users, Tom sees that none of them were in the locations these sessions seemed to come from. He decides to add the Finnish locale to a watch group that causes users in that locale to be challenged with an OTP via SMS on every login. He also calls the rest of the users to confirm that these sessions did not belong to them.

10. Once sure, he also selects all the devices used and adds them to a blacklist group.
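The two investigations above hinge on three mechanisms of the OAAM rule engine: a threshold rule evaluated over a device's recent sessions (the device with maximum users in a short timeframe rule, stated in step 6 as more than four users from more than three cities in 12 hours), a group that is excluded from a rule (the traveling users group in 6.16.5), and a device blacklist group (step 10). The following is an added example, not code from the OAAM guide or from the product: a small Python re-implementation of that rule evaluated over constructed session records, with the exclusion group and blacklist applied the way the use cases describe. The session record layout, the `parse`/`evaluate`/`locale_summary` names and the action strings are assumptions for illustration; only the window and thresholds come from the text.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# One login session as the console's session search would list it
# (field set is an assumption; OAAM sessions carry many more attributes).
Session = namedtuple("Session", "time user device ip city locale")

WINDOW = timedelta(hours=12)   # 12-hour period stated in the use case
MAX_USERS = 4                  # rule fires when MORE than four users ...
MAX_CITIES = 3                 # ... AND more than three cities in the window


def parse(line):
    """Parse one constructed session line: 'YYYY-MM-DD HH:MM|user|device|ip|city|locale'."""
    t, user, device, ip, city, locale = line.strip().split("|")
    return Session(datetime.strptime(t, "%Y-%m-%d %H:%M"), user, device, ip, city, locale)


# Constructed sample data, not real OAAM output. Device D1 is shared by five
# users in five cities within 12 hours; the next day it is used once more.
SESSIONS = [parse(l) for l in """
2013-05-01 08:00|alice|D1|10.0.0.1|Seattle|fi
2013-05-01 09:30|bob|D1|10.0.0.2|Tacoma|fi
2013-05-01 11:00|carol|D1|10.0.0.3|Spokane|fi
2013-05-01 13:00|dave|D1|10.0.0.4|Olympia|fi
2013-05-01 15:00|erin|D1|10.0.0.5|Yakima|fi
2013-05-01 16:00|jsmith|D2|10.1.0.7|Portland|en
2013-05-02 10:00|frank|D1|10.0.0.6|Bellevue|fi
""".strip().splitlines()]


def device_max_users_fired(history, current):
    """True when, in the 12 h ending at `current`, the device of `current` was used
    by more than MAX_USERS distinct users from more than MAX_CITIES distinct cities."""
    window = [s for s in history
              if s.device == current.device
              and current.time - WINDOW <= s.time <= current.time]
    users = {s.user for s in window}
    cities = {s.city for s in window}
    return len(users) > MAX_USERS and len(cities) > MAX_CITIES


def evaluate(sessions, excluded_users=frozenset(), blacklisted_devices=frozenset()):
    """Replay sessions in time order and return [(session, action), ...].

    excluded_users     - group excluded from the rule (6.16.5); their sessions are
                         allowed by the rule but still count toward device history.
    blacklisted_devices - device blacklist group (6.16.6 step 10); always blocked.
    """
    actions, history = [], []
    for s in sorted(sessions, key=lambda x: x.time):
        history.append(s)
        if s.device in blacklisted_devices:
            action = "BLOCK:blacklisted_device"
        elif s.user in excluded_users:
            action = "ALLOW:excluded_group"
        elif device_max_users_fired(history, s):
            action = "BLOCK:device_max_users"
        else:
            action = "ALLOW"
        actions.append((s, action))
    return actions


def locale_summary(sessions, locale):
    """The pivot Tom does in steps 7-8: sessions in a locale, by distinct devices/users/cities."""
    hits = [s for s in sessions if s.locale == locale]
    return {"sessions": len(hits),
            "devices": len({s.device for s in hits}),
            "users": len({s.user for s in hits}),
            "cities": len({s.city for s in hits})}


if __name__ == "__main__":
    for s, action in evaluate(SESSIONS):
        print(s.time, s.user, s.device, s.city, action)
    print(locale_summary(SESSIONS, "fi"))
```

Replaying the constructed data, the first four D1 sessions are allowed (four users from four cities does not exceed "more than four"), erin's session at 15:00 is blocked because the 12-hour window now holds five users from five cities, and frank's session the next morning is allowed again because the earlier sessions have aged out of the window. Passing `blacklisted_devices={"D1"}` reproduces the outcome of step 10; passing a user in `excluded_users` reproduces the traveling-users exclusion from 6.16.5 without changing the rule itself.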

6.16.7 Use Case: IP Details and Adding to Group

George is a Big Bank user. An impersonator of George gets blocked because he was logging in from a blocked IP.

1. The investigator, Tom, wants to compare the IP with other IPs George has used in the past. He opens the fingerprint details for the blocked IP and for another IP George has used many times successfully.

2. From the user interface, Tom can see that the blocked IP was a Firefox browser running in a Chinese locale. The IP George seems to use most of the time is a Windows XP machine with IE running in a private locale. As a result, Tom adds the IP to the Restricted IPs group directly from the Sessions IP screen.

6.16.8 Use Case: Viewing the Sessions from a Range of IPs

To view sessions coming in from a range of IPs:

1. Log in to the OAAM Admin Console.

2. Double-click Sessions in the Navigation tree.

3. Enter the IP range in the IP range fields and click Search.

Sessions in the IP range are displayed in the Search Results table.

6.16.9 Use Case: Checking If a User Failed to Login From a Particular Device or IP

To search and view the different devices that logged in from a location, and to get additional information such as the number of times each device logged in from the location and the successful and unsuccessful login attempts from the location by each device:

1. From the results of a session search, click the country, state, city, or IP link. The Location Details page for that country, state, city, or IP is displayed.

2. Click the Devices tab.

■ To see additional information such as the number of times a device was used to log in from the location, search by Device ID. The Login Successes column displays the number of times a device was used to log in.

■ To see the number of successful and unsuccessful login attempts from the location by each device, select Blocked and Success as the Authentication Status. Login failures and successes are displayed for each device.

6.16.10 Use Case: Checking If Users Logging In from This IP Used Spanish Browsers

To search and view the fingerprints created for the location:

1. From the results of a session search, click the country, state, city, or IP link. The Location Details page for that country, state, city, or IP is displayed.