Search and view the different users for which the alert was generated

6-72 Oracle Fusion Middleware Administrators Guide for Oracle Adaptive Access Manager 6.15.7.8 Search and view all the login sessions or search login sessions for a particular period for the alert To search and view all the login sessions or search login sessions for a particular period for the alert: 1. Click the alert message links from the session details, other detail pages, or agent pages. The Alert Details page is displayed. 2. Click the Sessions tab. This tab lists sessions in which the alert was triggered. 3. Search and view all the login sessions or search login sessions for a particular period for the alert using Trigger Date.

6.15.7.9 Search and view the fingerprints created

To search and view the fingerprints created: 1. Click the alert message links from the session details, other detail pages, or agent pages. The Alert Details page is displayed.

2. Click the Fingerprint Data tab.

This tab displays the fingerprint information used when the alert was triggered during the timeframe specified. 3. Search and view the fingerprints created by using the following filters: Table 6–66 Location Tab Filters Description Location Country ID, State ID, City ID IP Address Address mapped to a location usually, although some addresses are unknown or private Authentication Status Status of the session each logintransaction attempt creates a new session. For information, refer to Authentication Status . Last Used On Get all the locations from which the user logged in during the given time duration Table 6–67 User Details: Fingerprint Data Tab Filters Description Fingerprint ID Unique ID generated for fingerprint by the application Authentication Status Status of the session each logintransaction attempt creates a new session. For information, refer to Authentication Status . Browser Type The type of browser a user is viewing pages with OS Type Type of operating system Locale A set of parameters that defines the users language, country and any special variant preferences that the user wants to see in their user interface Last Date Used Get all the fingerprints created for the given time duration Viewing Additional Details for Investigation 6-73 6.15.7.10 Navigate to other details pages for groups, users, devices, locations, sessions and fingerprints You can open details pages from other details pages: ■ From the Users tab: click the User Name link to open the User Details page. ■ From the Groups tab: click the Group Name link to open the Group Details page. ■ From the Locations tab, click the Location link to open the Location Details page. ■ From the Devices tab: click the Device ID link to open the Device Details page. ■ From the Fingerprint tab: click the Fingerprint ID to open the corresponding Fingerprint Details page. ■ Links for User Name, IP address, session, and location are available on the Sessions tab.

6.16 Uses Cases

This section describes example use cases for the Session Details page.

6.16.1 Use Case: Search Sessions

You are a member of the security team at Acme Corp. You work with Oracle Adaptive Access Manager on a regular basis, following up on escalated customer issues and security alerts. You perform a session search every couple hours throughout the day to identify any issues needing your attention and it is time to perform the next search. Directions: Search for sessions in the last 24 hours that have triggered high severity alerts and where access was blocked or locked. To search sessions: 1. Log in to OAAM Admin as an Investigator.

2. In the Navigation tree, double-click Sessions.

The Sessions Search page is displayed. 3. Search through sessions in the last 24 hours with high alerts and a blocked or locked authentication status

a. For Authentication Status, select Blocked and Locked.

b. For Login Time, select the date and time, 24 hours ago, and the current date

and time.

c. For Alert Level, select High.

d. Click Search.

6.16.2 Use Case: Session Details Page

You see a session with a Blocked authentication status. This may be a case of stolen authentication credentials so you want to look into it. You open the details page for this session to take a closer look at exactly what went on in this session. You see that the login had triggered a block. Phillip, the user, was dynamically added to a high risk users group because of this rule. Directions: Part A: Drill in on the policy that caused the block to see what rules triggered. Part B: You also want to see if this user has any CSR cases related to this lockout. Search the CSR cases and determine if Phillip called in for a temporary allow. To view session details: