In the Sessions Search page, view the Search Results table.

6-76 Oracle Fusion Middleware Administrators Guide for Oracle Adaptive Access Manager

6.16.5 Use Case: User Details, Fingerprint Details

Tom, a fraud investigator, opens the OAAM Administration Console and searches for sessions that contain high-level alerts in the last 24 hours. This search returns a number of sessions. He orders the results by the User Name column and notices that jsmith had several sessions with the "device with implausible velocity" alert. Because jsmith has completed registration, every session was challenged.

1. Tom opens the user details for jsmith by clicking the link in the Session page. He searches for IPs jsmith has used in the last six months. A large list of IPs is returned. It appears that jsmith has been logging in from a random location in every login session.

2. Tom finds only two devices used by jsmith in the last six months in the device page for jsmith.

3. Tom searches for all of jsmith's sessions in the last three months. He finds that almost every session has the same device velocity alert. Tom then filters all the sessions to see how many KBA locks occurred. He finds only one.

4. Tom navigates to fingerprint details and finds that jsmith has logged in from the same browser and the same OS every time and has also used the same locale. Tom determines that jsmith must be a normal user whose IP is being changed in some way. He adds jsmith to the group of traveling users and excludes this group from the rule that is triggering for him.

6.16.6 Use Case: Device and Location Details

Tom opens the OAAM Administration Console and searches for sessions that contain high-level alerts in the last 6 hours. This search returns 5 sessions.

1. Tom orders the results by the username and notices none of them are from the same user.

2. Tom then orders on IP and sees there are different IPs used in each session.

3. He then orders by the device column and sees there is one device with 2 sessions and the other devices have one session each.

4. Tom opens the device details for the device with 2 sessions. He views sessions from that device in the last month. He sees there were five sessions from this device in the last 24 hours, each for a different user. The most recent session was blocked.

5. Tom opens the blocked session details to see why it was blocked. He can see that the "device with maximum users in a short timeframe" rule triggered.

6. Tom drills in on the policy containing this rule and sees the policy and rules. The rule blocks when a device has had more than four users and from more than three cities in a 12-hour period. He goes back to the device details screen and sees that the locale is Finnish, which seems strange.

7. Tom opens another session screen and searches for sessions in the last three months using the Finnish locale. There are 23 sessions, all in the last week.

8. Ordering by location, it seems the sessions were all from unique places within Washington State. Ordering by device, however, he can see there were ten devices used. Finally, ordering by username, Tom could see every session was for a different user. Feeling that this was not ordinary activity, Tom puts together a call list of the affected users to verify whether any of the activity was valid.
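The rule Tom inspects in step 6 (more than four users and more than three cities on one device within a 12-hour period) can be read as a sliding-window check over session records. The following is an added illustration, not OAAM's rule engine or code from this guide; the record fields, function names, device names, users and timestamps are all constructed for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Session = namedtuple("Session", "ts device user city")

WINDOW = timedelta(hours=12)
MAX_USERS = 4    # rule fires on MORE than four distinct users ...
MAX_CITIES = 3   # ... AND more than three distinct cities

def at_hour(h):
    """Constructed timestamp: h hours after an arbitrary start."""
    return datetime(2024, 1, 1) + timedelta(hours=h)

def devices_to_block(sessions):
    """Map each device to the time of the session at which the rule first fires."""
    by_device = {}
    for s in sorted(sessions, key=lambda s: s.ts):
        by_device.setdefault(s.device, []).append(s)
    fired = {}
    for device, rows in by_device.items():
        start = 0
        for end, cur in enumerate(rows):
            while cur.ts - rows[start].ts > WINDOW:   # drop sessions older than 12 h
                start += 1
            window = rows[start:end + 1]
            users = {r.user for r in window}
            cities = {r.city for r in window}
            if len(users) > MAX_USERS and len(cities) > MAX_CITIES:
                fired[device] = cur.ts
                break
    return fired

# Constructed sample data (not from the guide).
CITIES = ["Seattle", "Tacoma", "Spokane", "Olympia", "Seattle"]
SAMPLE = (
    # dev-A: five users, four cities, all within 8 hours -> rule fires
    [Session(at_hour(2 * i), "dev-A", f"user{i}", c) for i, c in enumerate(CITIES)]
    # dev-B: one traveling user, many cities -> one user only, no block
    + [Session(at_hour(2 * i), "dev-B", "jsmith", c) for i, c in enumerate(CITIES)]
    # dev-C: five users, four cities, but 8 hours apart -> never in one window
    + [Session(at_hour(8 * i), "dev-C", f"other{i}", c) for i, c in enumerate(CITIES)]
)

if __name__ == "__main__":
    for device, ts in devices_to_block(SAMPLE).items():
        print(f"block {device}: rule fired at {ts}")
```

Keying the window on the device rather than the user is what separates the two use cases: a single traveling user on one device (dev-B) never satisfies the user-count condition, while a shared device cycling through accounts (dev-A) does.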