An Investigator, demoinvest1, logs in to the system.

Investigation Using Agent Cases

5. demoinvest2 opens the case and the status changes to Pending.
6. demoinvest2 is the current owner of the case.
7. demoinvest1 still sees the case as New in the results.
8. He tries to open this new case but a message appears saying that demoinvest2 is the current owner of the case and he can choose to continue or cancel.
9. If he chooses to cancel, nothing happens and demoinvest2 remains the current owner.
10. If he chooses to continue, he becomes the current owner and the status of the case is Pending.

View Overdue Cases

The Investigator searches for Agent cases with Shown Only Expired as the Expired filter. The cases with dates and times displayed in red in the Expiration Column are overdue cases.

Search Cases By Action

Users can search both CSR and Agent cases based on actions that were taken in them. An example is provided below:

Yesterday jsmith called customer service claiming to have lost money out of his account. The CSR escalated the case and told jsmith he would be contacted within 24 hours. jsmith calls back 36 hours later to see why he has not been contacted. The CSR needs to view the case escalated yesterday for jsmith. He searches cases for jsmith with an Escalate action and ones that are not overdue in the last 48 hours.

5.11.2 Investigation Workflow Scenario - Blocked Login Attempts

Agent type cases are used by fraud investigators to do the following:

■ Collect investigation findings for audit, including which investigators have worked on a case
■ Manage the lifecycle of an investigation, including severity, status, ownership changes, time to resolution, dropped/lost cases and resolution
■ Feed back closed findings into the risk engine to improve accuracy of future evaluations automatically
■ Export findings to Excel for external records or processes

A fraud investigator can quickly view the data involved in an incident and quickly locate related situations by easily harnessing the complex data relationships captured by OAAM. Search and detail pages provide fraud investigators the ability to:

■ Drill into individual sessions to see the exact chain of events that led to an alert
■ View and search for complex relationships between different data types
■ White/black list entities on the fly without leaving the investigation flow. This feeds back into risk evaluation. For example, a high risk device group.
■ Link session data to a case to further narrow the investigation

A security administrator configures an action to create an Agent case when specific rules trigger. These autocreated cases require a review of the transaction. The details pages contain the information needed by the investigator in order to accomplish this task. An example workflow is shown below for an autocreated case.

Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager

Search for New Autocreated Agent Cases

John is a fraud investigator for the bank. John searches for new Agent cases dynamically created as a result of blocked access requests.

Best Practice: Filter the time-stamp column so the oldest case is on top.

Figure 5–5 Searching for New Autocreated Agent Case

Review the Generated Alerts

John opens case 109, the oldest case in the listing, to start working on it. The case status automatically changes from New to Pending and the current case owner becomes John. Other investigators can now see that this case is actively being worked, since the case has an owner, John, and the status is not New but Pending.

When case 109 was automatically created, the session which was blocked was linked to the case, so all the session data is captured and ready for review. This includes a full set of the alerts triggered in the session. This example shows a session in which five different alerts were triggered. John can easily read the alert messages to understand what was going on in this situation. The highest alert was generated because the access attempt was from an IP known to be an anonymizing proxy. The bank security policy restricts banking while utilizing an anonymizing proxy, as they are often used by criminals to hide their true geographic location.

Figure 5–6 Reviewing Alerts

Review User Accounts Used From High Risk IP Address

John clicks the IP address to drill in on the location to investigate further.

Note: Table 5–6, Log Search Filters shows the most severe alert as one that concerns an IP address that is an anonymizing proxy.

This opens the IP address details screen in an adjacent user interface tab. John selects the users tab to see what user accounts have been utilized from this high risk IP address. He can see that there are four different bank users potentially affected by the activity originating from this location.
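The same pivot John performs in the console (linked session, then highest alert, then every user seen from that IP) can be reproduced over exported session data. The following is an added example, not OAAM code or part of the original guide; the record layout, field names, user names and IP addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample export; field names are assumptions, not an OAAM schema.
SEVERITY = {"Low": 1, "Medium": 2, "High": 3}
SESSIONS = [
    {"session": "s1", "user": "user_a", "ip": "203.0.113.7", "action": "Block",
     "alerts": [("New device", "Medium"), ("Anonymizing proxy", "High")]},
    {"session": "s2", "user": "user_b", "ip": "203.0.113.7", "action": "Allow",
     "alerts": []},
    {"session": "s3", "user": "user_c", "ip": "203.0.113.7", "action": "Block",
     "alerts": [("Anonymizing proxy", "High")]},
    {"session": "s4", "user": "user_d", "ip": "203.0.113.7", "action": "Allow",
     "alerts": [("New location", "Low")]},
    {"session": "s5", "user": "user_a", "ip": "198.51.100.20", "action": "Allow",
     "alerts": []},
]

def highest_alert(session):
    """Return the (message, severity) pair with the top severity, or None."""
    return max(session["alerts"], key=lambda a: SEVERITY[a[1]], default=None)

def users_by_ip(sessions, ip):
    """Summarise every user account seen from one IP address."""
    summary = defaultdict(lambda: {"sessions": 0, "blocked": 0})
    for s in sessions:
        if s["ip"] == ip:
            summary[s["user"]]["sessions"] += 1
            summary[s["user"]]["blocked"] += s["action"] == "Block"
    return dict(summary)

def pivot_from_case(sessions, linked_session_id):
    """Start from the session linked to a case and widen to its source IP."""
    linked = next(s for s in sessions if s["session"] == linked_session_id)
    return {
        "ip": linked["ip"],
        "top_alert": highest_alert(linked),
        "users": users_by_ip(sessions, linked["ip"]),
    }

if __name__ == "__main__":
    result = pivot_from_case(SESSIONS, "s1")
    print(result["ip"], result["top_alert"])
    for user, counts in sorted(result["users"].items()):
        print(user, counts)
```

Users who were allowed from the flagged IP (here `user_b` and `user_d`) are the ones a blocked-session search alone would miss.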