Viewing Additional Details for Investigation 6-75 2. View user details and check the Device tab to view the different devices the user used. For example, you compare the blocked device with other devices jsmith has used in the past. You open the user details for jsmith and view devices for the last six months. Only three devices are shown 123, 511 and 333. 3. Compare the blocked device with other devices used using fingerprint details to see the OS, Browser, and Locale to get a general idea about the device. 4. Check to see if the blocked device looks different than the successful ones. For example, you open the fingerprint details for the blocked device 123 and for device 333 that had been used recently by jsmith successfully and it showed a high number of successful uses. From the user interface, you can see that the blocked device 123 was a Linux machine with Opera running in Russian locale among other fingerprint data points. The device 333 is a Windows XP machine with IE running in English locale which seems to be the one the user has used most of the time recently. You open the fingerprint details for device 511 also and check the fingerprint data. You see it also is Windows XP machine with IE running in English locale but jsmith has not used it in a while. This makes you think device 123 was used by someone impersonating jsmith. 5. Search sessions by Device ID to check if the device has a lot of blocked sessions and if there are a lot of different users. For example, you search for all the sessions device 123 has been involved in to see what other users may have been victims. There were ten sessions all in the last two weeks and many of them were blocked. As well each session was for a different user. 6. Add the device to the blacklist group from the Sessions search tab. 7. Export the blocked session to Excel to use as reference to contact the real users who need to reset their password. You export table results to Excel. The Excel sheet should contain all the session details.

6.16.4 Use Case: Exporting the Sessions from the Last One Week

You can export sessions to use as reference or further study and investigation. To export sessions: 1. Log in to the OAAM Admin. 2. In the Sessions search page, specify one week using the date editor and click Search . 3. Select the sessions from the Search Results table.

4. From Actions menu, select Export to Excel.

5. Click Save File or Open with and click OK.

File shows Row, Session ID, Alerts, Organization ID, User name, Device ID, IP Address, Location, Authentication Status, Login Time, Pre-Authentication Score, Pre-Authentication Action, Post-Authentication Score, Post-Authentication Action, Client Type, User ID, and Internal Session ID.