Click Save File or Open with and click OK.

Viewing Additional Details for Investigation 6-77

9. After calling 5 users, Tom sees that none of them were in the locations these sessions seemed to come from. He decides to add the Finnish locale to a watch group that causes users in that locale to be challenged with an OTP via SMS at every login. He also calls the rest of the users to confirm these sessions did not belong to them.

10. Once sure, he also selects all the devices used and adds them to a black list group.

6.16.7 Use Case: IP Details and Adding to Group

George is a Big Bank user. An impersonator of George gets blocked because he was logging in from a blocked IP.

1. The investigator, Tom, wants to compare the IP with other IPs George has used in the past. He opens the fingerprint details for the blocked IP and for another IP George has used many times successfully.

2. From the user interface Tom can see that the blocked IP was a Firefox browser running in Chinese locale. The IP George seems to use most of the time is a Windows XP machine with IE running in a private locale. As a result, Tom adds the IP to the Restricted IPs group directly from the Sessions IP screen.

6.16.8 Use Case: Viewing the Sessions from a Range of IPs

To view sessions coming in from a range of IPs:

1. Log in to the OAAM Admin Console.

2. Double-click Sessions in the Navigation tree.

3. Enter the IP range in the IP range fields and click Search.

Sessions in the IP range are displayed in the Search Results table.

6.16.9 Use Case: Checking If a User Failed to Login From a Particular Device or IP

To search and view the different devices that logged in from the location, and to get additional information such as the number of times a device logged in from the location and the successful and unsuccessful login attempts from the location by each device:

1. From the results of a session search, click the country, state, city, or IP link. The Location Details page for that country, state, city, or IP is displayed.

2. Click the Devices tab.

■ To see additional information such as the number of times a device was used to log in from the location, search by Device ID. The Login Successes column displays the number of times a device was used to log in.

■ To see the number of successful and unsuccessful login attempts from the location by each device, select Blocked and Success as the Authentication Status. Login failures and successes are displayed for each device.

6.16.10 Use Case: Checking If Users Logging In from This IP Used Spanish Browsers

To search and view the fingerprints created for the location:

1. From the results of a session search, click the country, state, city, or IP link. The Location Details page for that country, state, city, or IP is displayed.

6-78 Oracle Fusion Middleware Administrators Guide for Oracle Adaptive Access Manager

2. Click the Fingerprint Data tab.

3. In the Search Results table, check to see if Spanish is listed as the Locale for the Fingerprint.

6.16.11 Use Case: Adding Devices Used for Fraud from a Location To a Risky Group

An investigator is viewing a table of devices used from a location and decides two of them were used for fraud. He can select them and add them to a high risk devices group to be used in future risk evaluations. He should not lose the context of what he was doing in the process.

1. Open the OAAM Admin Console.

2. Search for sessions.

3. Open location details page.

4. Search for devices used from this location.

5. Select two devices and add them to a high risk group.

6.16.12 Use Case: Adding Suspicious Device to High Risk Device Group

George is a user who gets blocked because he was logging in using a device that had been blocked more than three times in the last 24 hours. Jeff, an investigator, wants to compare the blocked device with other devices this user has used in the past. He opens the fingerprint details for the blocked device and for another device the user has used many times successfully. From the user interface Jeff can see that the blocked device was a Linux machine with Opera running in Russian locale. The device the user seems to use most of the time is a Windows XP machine with IE running in English locale. As a result, Jeff adds the blocked device to a high risk devices group, and adds the IPs used by the device to a high risk IPs group directly from the search screen.

1. Open the OAAM Admin Console.

2. Search for sessions.

3. Open 2 device details pages.

4. View the full list of fingerprint data for both devices.

5. Select device and add it to a high risk group.

6. Select IP and add it to a high risk group.
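The per-device login tallies from 6.16.9 and the "blocked more than three times in the last 24 hours" condition from this use case can be reproduced outside the console on exported session data. The following is an added example, not Oracle code and not an OAAM API; the record layout, function names, and sample sessions are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample sessions: (timestamp, device ID, IP, authentication status).
# The field layout is hypothetical, not OAAM's schema.
SESSIONS = [
    ("2024-04-29T09:00:00", "dev-17", "203.0.113.10", "Blocked"),  # outside 24h
    ("2024-05-01T08:00:00", "dev-17", "203.0.113.10", "Blocked"),
    ("2024-05-01T08:05:00", "dev-17", "203.0.113.10", "Blocked"),
    ("2024-05-01T09:30:00", "dev-17", "203.0.113.11", "Blocked"),
    ("2024-05-01T10:00:00", "dev-17", "203.0.113.11", "Blocked"),
    ("2024-05-01T07:00:00", "dev-02", "198.51.100.5", "Success"),
    ("2024-05-01T09:00:00", "dev-02", "198.51.100.5", "Blocked"),
    ("2024-05-01T11:00:00", "dev-02", "198.51.100.5", "Success"),
    ("2024-05-01T11:30:00", "dev-02", "203.0.113.10", "Success"),
]
NOW = datetime(2024, 5, 1, 12, 0)  # constructed "current time" for the sample


def parse(rows):
    """Convert raw tuples into typed values so times and IPs compare correctly."""
    return [(datetime.fromisoformat(ts), dev, ip_address(ip), status)
            for ts, dev, ip, status in rows]


def tally_by_device(rows, ip_lo, ip_hi):
    """Success/Blocked counts per device for sessions with IP in [ip_lo, ip_hi]."""
    lo, hi = ip_address(ip_lo), ip_address(ip_hi)
    counts = defaultdict(lambda: {"Success": 0, "Blocked": 0})
    for _, dev, ip, status in parse(rows):
        if lo <= ip <= hi and status in counts[dev]:
            counts[dev][status] += 1
    return {dev: dict(c) for dev, c in counts.items()}


def high_risk_devices(rows, now=NOW, threshold=3, window=timedelta(hours=24)):
    """Devices blocked more than `threshold` times in the window ending at `now`,
    mapped to the IPs they used in that window (candidates for the IP group)."""
    blocks, ips = defaultdict(int), defaultdict(set)
    for ts, dev, ip, status in parse(rows):
        if now - window <= ts <= now:
            ips[dev].add(str(ip))
            if status == "Blocked":
                blocks[dev] += 1
    return {dev: sorted(ips[dev]) for dev, n in blocks.items() if n > threshold}
```

The comparison is strict, so a device with exactly three blocks in the window is not flagged, matching the "more than three times" wording.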

6.16.13 Use Case: Mark Devices and IPs as High Risk

An investigator is searching for sessions with high alerts in the last hour. Out of the 30 sessions he thinks two were fraud, so he wants to mark the devices and IPs used as high risk.

1. Open the OAAM Admin Console.

2. Search for sessions with high alerts in the last hour.

3. Select the two sessions and click the add to group button. A dialog appears asking what data types from these sessions to add.

4. Select devices and IPs. A message appears asking the user to select a device group and an IPs group.

5. Select and add the high risk devices and high risk IPs.