|Oracle® Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager
Release 11g (11.1.1)
Part Number E14568-02
It contains a forensic record of the session, including transactions and checkpoints that ran. Each checkpoint contains lists of triggered actions and alerts as well as the policies and rules. General session data points are also listed on this page, such as user, device, location, and others.
A Session Details page displays an overview of the events that transpired during a particular session for fraud analysis.
This chapter includes the following topics:
Before you can view transactions in the Session Details page, you must set the property to show transactions to true.
Setting the property to
false turns off the display for transactions.
Log in to OAAM Admin as an investigator.
In the Navigation tree, double-click Sessions. The Sessions Search page is displayed.
Alternatively, you can open the Sessions Search page by:
Right-clicking Sessions in the Navigation tree and selecting List Sessions from the context menu.
Selecting Sessions in the Navigation tree and then choosing List Sessions from the Actions menu.
Clicking the List Sessions button in the Navigation tree toolbar.
Search for the session by the details you are interested in.
The filters are:
For example, you can search through sessions in the last 12 hours with High alerts and a Blocked or Locked authentication status (sessions filtered by Time, Alert Level and Action).
To go to the Session Details page:
In the Search Results table, click the Session ID of the session you are interested in. The Session Details page for that session is displayed.
All of the actions are captured in one session. You can view the actions the user performed during the session time.
After you know the details and whereabouts of the user, you would want to know the different checkpoints you ran.
In the Session Details page, click the Checkpoint tab to see the Device Identification, Pre-Authentication, and Post-Authentication details.
The Session ID is displayed on the tab label.The tab label shows the session ID to identify the session you are working with.
The Session Details page contains several panels. Except for the Session Details and Login Details panels, all other panels are displayed in the order of execution. All panels are collapsible. The main panels like checkpoints and transactions have multiple subpanels. Panel are not displayed if information is not available. For example, if there are no configurable actions for that session, the configuration actions panel is not be displayed.
The top most panel, the Session Details panel, contains all the general information related to that session, such as the request ID, session ID, device score, Organization ID, and location.
The next panel after the Session Details panel is the Login Details panel.
The Login panel shows all the related information regarding the login (transaction). It shows the status, authentication status, IP address from which the user logged in, username, user ID, cookie information, autolearning processing status, and the login time.
The next panel is for checkpoint #1. Other checkpoint panels follow.
By default, checkpoint panels are collapsed. In the initial opened view, only the transactions and the final alerts are displayed in the expanded form. All other subpanels are collapsed. You can expand all the panels to view additional information for that checkpoint.
The first checkpoint panel could be one for Pre-Authentication. On top of the panel, the total amount of time taken for this checkpoint to execute, the final action, and the final risk score are shown.
Alerts that were triggered during the session for the checkpoint are displayed. High-level alerts are displayed in bold red.
All actions are displayed in the Actions panel with a separate column indicating whether or not the action is final. (The final action is also displayed in the top right section of checkpoint panel.)
A list of policies in that checkpoint are displayed in the Policies panel. The scoring engine information is not available for rules. Only the policy scoring engine is displayed. You can launch the Policy Explorer using the icon on top of the panel or from any of the icons within the table. The policy link displays the Policy Details page and the rules link displays the Rule Details page. Only active and triggered rules are displayed. Only active policies are displayed. You have the option to view all the rules in the Policy Explorer.
The transactions panel displays a list of transactions that were performed in this session along with their corresponding transaction ID, transaction data, and entity information. You can also view the actual transaction data and the entity attribute values used in the transactions. For example, you can view the transaction amount in the bill pay transaction. Information such as this is helpful for the forensics.
The Policy Explorer displays information about rules, conditions, trigger combinations, group linking, nested policies, and other items.
Details about the rule is shown in the Policy Explorer. The session results display the scores and results of that rule.
Pre-conditions for that rule is displayed in the details panel. The session results show the confidence factors and other values for the pre-conditions for that session.
The values for the condition parameters are displayed. The session results show if the conditions returned true for this session evaluation.
You have the option to view the triggered override combinations or view all overrides. Session results show the override information that was evaluated for this session including the nested policy information.
Group linking for the policy is displayed in the details panel.
This section describes example use cases for the Session Details page.
You are a member of the security team at Acme Corp. You work with Oracle Adaptive Access Manager on a regular basis, following up on escalated customer issues and security alerts. You perform a session search every couple hours throughout the day to identify any issues needing your attention and it is time to perform the next search. Directions: Search for sessions in the last 24 hours that have triggered high severity alerts and where access was blocked or locked.
To search sessions:
Log in to OAAM Admin as an investigator.
In the Navigation tree, double-click Sessions.
The Sessions Search page is displayed.
Search through sessions in the last 24 hours with high alerts and a blocked or locked authentication status
For Authentication Status, select Blocked and Locked.
For Login Time, select the date and time, 24 hours ago, and the current date and time.
For Alert Level, select High.
You see a session with a Blocked authentication status. This may be a case of stolen authentication credentials so you want to look into it. You open the details screen for this session to take a closer look at exactly what went on in this session. You see that the login had triggered a block. Phillip, the user, was dynamically added to a high risk users group because of this rule. Directions: Part A: Drill in on the policy that caused the block to see what rules triggered. Part B: You also want to see if this user has any CSR cases related to this lockout. Search the CSR cases and determine if Phillip called in for a temporary allow.
To view session details:
In the Sessions Search page, view the Search Results table.
You noticed that for Phillip, one of his sessions shows:
a "High alert" in the Alerts column. Clicking on the information icon, you see a velocity alert.
a "Blocked" status in the Authentication Status column.
Click the Session ID in the Search Results table to open the Session Details page.
In Login Details panel, the Authentication Status shows Blocked.
View the final outcomes of each checkpoint.
Click the Checkpoint panel.
Expand the checkpoints.
View the post-authentication checkpoints.
Expand the post-authentication policies.
Click the policy of interest to show details about the policy.
View the rules that are triggered.
View the final outcomes of the rules.
There are two final outcomes: the user is blocked and been added to a high risk group.
Because you want to see if Phillip has any CSR cases related to this lockout, search the CSR cases and determine if he called in to have his challenge questions reset.
In the Navigation tree, double-click Cases. The Cases Search page is displayed.
In Case Type, select CSR.
Enter Phillip's username into User Name field.
In Search Results table, look for Temporary Allow in the Last Action Type column.
Click the Case ID for the case that has Temporary Allow in the Last Action Type column.
In the Log subtab of the Case Details page, view notes.
The notes said he was traveling overseas when his wife asked him to look at their account online.
In 11g, the Session Details page has been redesigned.
Starting from 11g, key information regarding a session is contained on one screen rather than on different screens.
For example, in 10g, if you were on the Session Details page and wanted to know if a manual override existed in a policy, you would have to navigate away to another page.
The 11g Session Details page is better for forensics. For example, if you were analyzing a particular session, you would want all the details in one place. In 10g, values that were passed into a session are not available on the page. If a user were blocked during a transaction, and you were looking at the session, you would know the particular rule that was triggered and that the user was blocked when he was performing a transaction. However, you would not have the information about the amount that was passed in, the account number that was used in the transaction, and so on.
For example, in 10g, you would not know if there was a configurable action that added the user to a blacklisted group. Although you would know if Autolearning was turned on and what the processing status was, details would not be available about the pattern or the buckets that were updated.