Oracle® Adaptive Access Manager Administrator's Guide
Release 10g (10.1.4.5)

Part Number E12055-03
12 Reporting

Adaptive Risk Manager Online is the customer care, reporting and administration application for Oracle Adaptive Access Manager. It contains a comprehensive collection of reports on:

Two types of reporting are available:

This chapter provides information on running queries, using Business Intelligence (BI) Publisher reports, example report scenarios, and best practices for creating reports.

12.1 Queries in Adaptive Risk Manager

This section contains the following topics:

12.1.1 Running Queries in Adaptive Risk Manager

You can query the database for information on many different activities by users, locations, devices, and security alerts.

To run a query on users

  1. Click Users on the Queries menu.

    The Queries page on user activity appears and defaults to the report on recent logins.

  2. Enter the search criteria you want and click Run Query.

  3. To change the query type, click in the Query Type box and select the query type you want:

    • Recent Logins: Displays all logins within the specified time range.

    • First Logins: Displays all users' first login attempts occurring during the designated date range.

    • Invalid Logins: Displays all the login attempts from invalid users occurring during the designated date range.

    • Multiple Devices: Displays all users that use multiple devices.

    • Frequent Logins: Displays all users with multiple logins within the specified time range.

    • Multiple Failures: Displays all users with multiple failures within the specified time range.

  4. To view the details page for Login ID, Group ID, Device ID, Location, or IP address, click the link in the appropriate column.

To run a query on locations

  1. Click Location on the Queries menu.

    The Queries page on activity by location appears and defaults to the report on recent logins by location.

  2. Enter the search criteria you want and click Run Query.

  3. To change the query type, click in the Query Type box and select the query type you want.

    • Multiple Failures: Displays all locations with multiple failures within the specified time range.

    • Invalid Users: Displays all the locations with login attempts from invalid users occurring during the designated date range.

    • User Locations: Displays all locations a user has attempted logins from.

    • Multiple Users: Displays all locations that have multiple users.

    • Challenges: Displays success and failure rates of challenges by location.

    • Recent Logins: Displays all logins within the specified time range.

    • Users by Location: Displays all users from a given location or IP Address.

    • Frequent Logins: Displays all locations with multiple logins within the specified time range.

    • Multiple Successful Logins: Displays all locations with multiple successful logins.

    • Devices by Location: Displays all devices from a given location or IP Address.

    • Device Locations: Displays the locations for a specific device.

  4. To view the details page for Login ID, Group ID, Device ID, Location, or IP address, click the link in the appropriate column.

  5. To schedule a report, see Scheduling a Report.

To run a query on devices

  1. Click Device on the Queries menu.

    The Queries page on activity by devices appears and defaults to the report on recent logins by location.

  2. Enter the search criteria you want and click Run Query.

  3. To change the query type, click in the Query Type box and select the query type you want.

    • Recent Logins: Displays all logins within the specified time range.

    • Frequent Logins: Displays all devices with multiple logins within the specified time range.

    • New Devices: Displays all new device IDs created within the specified time range.

    • Multiple Users: Displays all devices that have multiple users.

    • Multiple Successful Logins: Displays all devices with multiple successful logins.

    • Multiple Failures: Displays all devices with multiple failures within the specified time range.

    • Users by Device: Displays all users from a given device.

    • Devices by Users: Displays all devices for a given User.

    • Challenges: Displays statistics about devices challenged within the specified time range.

    • Invalid Users: Displays all the devices with login attempts from invalid users occurring during the designated date range.

  4. To view the details page for Login ID, Group ID, Device ID, Location, or IP address, click the link in the appropriate column.

  5. To schedule a report, see Scheduling a Report.

To run a query on summaries

  1. Click Summary on the Queries menu.

    The query page on summaries appears and defaults to an aggregate summary of logins by date range.

  2. To change the query type, click in the Query Type box and select the query type you want.

    • Logins: Displays login aggregate summary for the designated date range.

    • Averages: Displays average summary for the designated date range.

  3. To change the start and end date of the search, click the calendar icons and select the From and To dates you want.

  4. Click Run Query.

To run a query on security

  1. Click Security on the Queries menu.

    The query page on security appears and defaults to the alerts report on low, medium, and high level alerts that were generated during the specified timeframe.

  2. Enter the search criteria you want and click Run Query.

  3. To specify a particular location, in the Location list, click the location you want.

  4. To change the alert level, in the Alert Level list, click the level you want.

  5. To change the alert type, in the Alert Type list, click the type you want.

  6. To find a specific alert, rule, user ID, or user name, type the search criteria in the appropriate field.

  7. To change the query type, click in the Query Type box and select the query type you want.

    • Alerts: Displays all the alerts generated during the designated date range.

    • Alerts Breakdown: Displays alert breakdown summary for the designated date range.

    • Rules Breakdown: Displays rules breakdown summary for the designated date range.

    • Pre-authorization Scoring: Displays pre-authorization scoring summary for the designated date range.

    • Post-authorization Scoring: Displays post-auth scoring summary for the designated date range.

    • Score Combinations: Displays score combination summary for the designated date range.

  8. To change the start and end date of the search, click the calendar icons and select the From and To dates you want.

  9. To view the alert, session, or user details page, click the link you want in the report.

12.1.2 Login Session Details

The Session Details page displays an overview of the events that transpired during a particular session, including the rules that ran, the rules that were triggered, the risk scores, and the actions and alerts that took place.

To view the details about a login session

  • On the User, Device, or Location report page, click the Session ID for the customer login you want.

    The Session Details page appears.

    In the top section of the Session Details page, Adaptive Risk Manager Online displays specific details about the session such as Session ID and User ID.

    In the bottom area, at the default state, Adaptive Risk Manager Online displays the runtimes and a master list of the actions and alerts that were triggered at those runtimes.

    To view details about the policies, click the plus sign to expand the section.

To view details about the user

  • On the Session Details page, click User Name.

    The User Details page appears.

To view details about the user's primary user group

  • On the Session Details page, click User Groups.

    The Group Details page appears.

    The Group Details page displays information about the primary group to which the user belongs.

To view details about the device

  • On the Session Details page, click Device ID.

    The Device Details page appears.

    The top section of the Device Details page displays information about the device used to log in.

    The bottom section of the page provides access to the groups, users, actions/rule, and logins associated with that device.

12.1.3 Transaction Details

To view transactions that occurred during a session, click the Transaction Details link on the Session Details page. A list of transactions in chronological order is displayed. For each transaction, the Transaction ID, Transaction Type, and Time are shown.

To view details of a particular transaction, click the transaction ID. Details for that transaction will appear in the lower part of the page.

If the session has only one transaction, its details are shown by default.

If there are multiple transactions, details are shown for the last transaction on the list.

12.1.4 User Details

From the User Details page you can view details about a user, including a list of devices used by the user, the locations the user has logged in from, the alerts triggered by the user, the logins by the user, and the rules run on the user.

To view details about users

  1. On the User, Device, or Location report page, click the User Name you want.

    The User Details page appears.

  2. Enter the search criteria you want and click Run Query.

To view a list of devices used by this user

  1. On the User Details page, click the Devices tab.

    The list of devices appears.

  2. Enter the search criteria you want and click Run Query.

To view a list of locations this user has logged in from

  1. On the User Details page, click the Location tab.

    The list of locations appears.

  2. Enter the search criteria you want and click Run Query.

To view a list of alerts triggered by a user

  1. On the User Details page, click the Alerts tab.

    The list of alerts appears.

  2. To search for alerts, enter the search criteria you want and then click Run Query.

To view a list of logins by this user

  1. On the User Details page, click the Logins tab.

    The list of logins appears.

  2. Enter the search criteria you want and click Run Query.

To view a list of rules run on this user

  1. On the User Details page, click the Rules tab.

    The list of rules appears.

  2. Enter the search criteria you want and click Run Query.

12.1.5 Device ID Details

The Device ID page provides information about the device used to log in and cross-references information about the device, including groups, users, locations, alerts and rules, and logins.

To view a list of groups this device belongs to

  1. On the Device Details page, click the Group tab.

    The list of groups appears.

  2. Enter the search criteria you want and click Run Query.

To view a list of users that have used this device

  1. On the Device Details page, click the Users tab.

    The list of users appears.

  2. Enter the search criteria you want and click Run Query.

To view a list of locations from which a device has logged in

  1. On the Device Details page, click the Locations tab.

    The list of locations appears.

  2. Enter the search criteria you want and click Run Query.

To view a list of alerts and rules triggered by this device

  1. On the Device Details page, click the Alerts/Rules tab.

    The list of alerts and rules appears.

  2. Enter the search criteria you want and click Run Query.

To view a list of logins by this device

  1. On the Device Details page, click the Logins tab.

    The list of logins appears.

  2. Enter the search criteria you want and click Run Query.

12.1.6 Location Group Details

To view the details about a location group

  1. On the User, Device, or Location report page, click the Location for the customer login you want.

    Or,

    On the Dashboard page, click the information icon next to the item you want.

    The Location Details page appears.

  2. Enter the search criteria you want and click Run Query.

To view details about users from this location

  1. On the Location Details page, click the Users tab.

    The list of users appears.

  2. Enter the search criteria you want and click Run Query.

To view a list of devices in this location

  1. On the Location Details page, click the Devices tab.

    The list of devices appears.

  2. Enter the search criteria you want and click Run Query.

To view a list of alerts and rules triggered from this location

  1. On the Location Details page, click the Alerts/Rules tab.

    The list of alerts and rules appears.

  2. Enter the search criteria you want and click Run Query.

To view a list of logins from this location

  1. On the Location Details page, click the Logins tab.

    The list of logins appears.

  2. Enter the search criteria you want and click Run Query.

12.1.7 IP Address Details

To view details about the groups in which the IP is included

  1. On the User, Device, or Location report page, click IP Address.

    A list of groups that include the IP is displayed.

  2. Enter the search criteria you want and click Run Query.

To view details about the users associated with the IP address

  1. On the IP Details page, click the Users tab.

    A list of users who have used the IP is displayed.

  2. Enter the search criteria you want and click Run Query.

To view details about the devices associated with the IP address

  1. On the IP Details page, click the Devices tab.

    A list of devices with the IP address is displayed.

  2. Enter the search criteria you want, and click Run Query.

To view details about the alerts/rules associated with the IP address

  1. On the IP Details page, click the Alerts/Rules tab.

    A list of alerts/rules linked to the IP is displayed.

  2. Enter the search criteria you want and click Run Query.

To view details about the logins associated with the IP address

  1. On the IP Details page, click the Logins tab.

    A list of logins made from the included IPs is displayed.

  2. Enter the search criteria you want and click Run Query.

12.1.8 Statistics about Adaptive Strong Authenticator Questions

You can view statistics on question registration and challenge questions.

To view statistics about question registration

  1. Click KBA on the Queries menu.

    The KBA Registration page appears.

    The report displays the number of users that performed each of the actions listed in the Item column and the percentage rate of successful challenges.

  2. To locate the reports you want, enter the search criteria and then click Submit Query.

    • To filter the list by primary authenticator for accounts, click in the Client Type box and select the authenticator you want.

    • To filter the list by the application ID of users, click in the Application ID box and select the ID you want.

    • To filter the list by date range, click the calendar icons and select the From and To dates.

To view statistics about challenge responses

  1. Click ASA on the Queries menu.

    The ASA Challenge Response page appears.

    The report displays the number of users that performed each of the actions listed in the Item column and the percentage of customers that responded to each question.

  2. To locate the reports you want, enter the search criteria and then click Submit Query.

    • To filter the list by primary authenticator for accounts, click in the Client Type box and select the authenticator you want.

    • To filter the list by the application ID of users, click in the Application ID box and select the ID you want.

    • To filter the list by date range, click the calendar icons and select the From and To dates.

To view statistics about each challenge question

  1. Click ASA on the Queries menu.

    The ASA Registration page appears.

    The report displays the number of users that performed each of the actions listed in the Item column and the percentage of challenged customers.

  2. To locate the reports you want, enter the search criteria and then click Submit Query.

    • To filter the list by question category, click in the Category box and select the category you want.

    • To filter out all questions containing a specific word, enter the word in the Question Keyword field.

    • To filter the list by status, select the status you want from the status list.

    • To filter the list by date range, click the calendar icons and select the From and To dates.

12.2 Oracle Identity Management Business Intelligence Publisher Reports

Oracle Identity Management Business Intelligence (BI) Publisher Reports enables you to use Oracle BI Publisher as the reporting solution for Oracle Identity Management products including Oracle Adaptive Access Manager.

Oracle Identity Management BI Publisher Reports uses Oracle BI Publisher to query and report on information in Oracle Identity Management product databases. With minimal setup, Oracle Identity Management BI Publisher Reports provides a common method to create, manage, and deliver Oracle Identity Management reports.

The report templates included in Oracle Identity Management BI Publisher Reports are standard Oracle BI Publisher templates—though you can customize each template to change its look and feel. If schema definitions for an Oracle Identity Management product are available, you can use that information to modify and generate your own custom reports.

The Oracle Business Intelligence Publisher Administrator's Guide explains how to use BI Publisher to create reports for Oracle Adaptive Access Manager. You can access the Oracle Business Intelligence Publisher Administrator's Guide by searching for it on the Oracle Technology Network Web site.

The Oracle Business Intelligence Publisher Documentation Library is available on the Oracle Technology Network Web site. You can access the Oracle Technology Network Web site at: http://www.oracle.com/technology/index.html.

12.2.1 Configuring a Report

Oracle Adaptive Risk Manager reports are customizable with Oracle Business Intelligence (BI) Publisher.

For information on configuring a report, see Chapter 10 of the Oracle Business Intelligence User's Guide. You can access the Oracle Technology Network Web site at: http://www.oracle.com/technology/index.html.

12.2.2 Creating Reports

You can create new reports for use with Oracle Adaptive Access Manager. Before creating a report, read the Oracle Business Intelligence Publisher User's Guide to learn how to create a report, set up a data template, export sample data, and create an RTF template using the MS Word plugin.

To create a new report:

  1. Create two data models for the report.

    The first model will be a File type Data Source named Properties. The Data Source will be AdminProperties, and the File Name will be properties.xml. The second will be a Data Template type Data Source.

  2. On the top level of the Data Model branch in the report editor, select "Concatenated SQL Data Source" as the Main Data Set, and make sure the "Make row names unique" check box is checked.

  3. To put hyperlinks in an RTF template, use the bharosa-server-url property.

    For example, if the link in FA is http://bb-beta.hyperion.com/fauio/countryDetail.do?countryId=1, then the hyperlink in the RTF template should be {/DATA/Properties/propertyList/bharosa-server-url}countryDetail.do?country={COUNTRY_ID}, assuming COUNTRY_ID is the name of the output field in the data template.

  4. If a report needs additional configuration-type properties like bharosa-server-url, they can be added to the properties.xml file. Add the new properties at the same level as <bharosa-server-url>, that is, as a child of <propertyList>. You can access the new property in the RTF template as <?/DATA/Properties/propertyList/your-property-name?>.
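
The layout that steps 3 and 4 imply, as an added example that is not Oracle's code: a constructed properties.xml is placed under DATA/Properties as the XPath on this page suggests, and a small resolver expands the hyperlink expression from step 3 so the result can be checked. The `<propertyList>` root of the file, the `report-footer-text` property and all function names are assumptions; the resolver only mimics the substitution and is not BI Publisher's engine.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

# Constructed properties.xml. Assumption: <propertyList> is the file's root,
# inferred from the XPath /DATA/Properties/propertyList/... on this page.
# report-footer-text is a hypothetical extra property added as in step 4.
PROPERTIES_XML = """<propertyList>
  <bharosa-server-url>http://bb-beta.hyperion.com/fauio/</bharosa-server-url>
  <report-footer-text>Internal use only</report-footer-text>
</propertyList>"""

# Hyperlink expression from step 3 of the procedure.
LINK_EXPR = ("{/DATA/Properties/propertyList/bharosa-server-url}"
             "countryDetail.do?country={COUNTRY_ID}")


def build_concatenated_data(properties_xml):
    """Wrap the file under DATA/Properties, the shape the page's XPath
    implies for a File data model named Properties (assumed)."""
    data = ET.Element("DATA")
    props = ET.SubElement(data, "Properties")
    props.append(ET.fromstring(properties_xml))
    return data


def check_server_url(url):
    """Return a list of problems with the base URL used for hyperlinks."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        problems.append("not an absolute http(s) URL")
    if not url.endswith("/"):
        # The template appends 'countryDetail.do' directly to the property.
        problems.append("missing trailing slash")
    return problems


def resolve_link(expr, data, row):
    """Expand {/DATA/...} paths from the data tree and {FIELD} from a row."""
    def substitute(match):
        token = match.group(1)
        if token.startswith("/DATA/"):
            node = data.find(token[len("/DATA/"):])
            if node is None or node.text is None:
                raise KeyError(token)
            return node.text.strip()
        # Field values are data, not markup: percent-encode them.
        return quote(str(row[token]), safe="")
    return re.sub(r"\{([^{}]+)\}", substitute, expr)


if __name__ == "__main__":
    tree = build_concatenated_data(PROPERTIES_XML)
    print(resolve_link(LINK_EXPR, tree, {"COUNTRY_ID": 1}))
```

If the trailing slash is missing from bharosa-server-url, the expanded link runs the path and page name together (`.../fauiocountryDetail.do`), which `check_server_url` reports.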

12.2.3 Viewing a Report

To view a report, click the View link for the report.

Formats

To change the output type, select the output type from the list and select View.

  • HTML

  • PDF

  • RTF

  • Excel

  • Excel2000

  • PowerPoint

  • MHTML

  • CSV

  • Data

Export

Select Export to export the report to the default application for its output type (for example: Adobe Acrobat for PDF output or Microsoft Excel for Excel output).

Send

Select Send to choose email as your delivery method. Then, enter the email addresses to send the output to.

Range

Select the range in which you want to view the data:

  • Last 1 day

  • Last 7 days

  • Last 30 days

12.2.4 Scheduling a Report

You can schedule a report to run on a particular day and time in the future or immediately, once, daily/weekly, or monthly. If you want, you can choose to be notified by email when the report completes or fails.

To schedule a report:

  1. Select the report.

  2. Select the Schedule link.

  3. Click Schedule a New Job.

  4. Set the report parameters:

    • From Date and To Date

    • Format - the output format.

    • Monitor Type

  5. Set the job properties:

    • Job Name - a name for your report run.

    • Report Formatting Locale

    • Report Formatting Time Zone

    • Report Formatting Calendar

    • Public - select this check box to make this job available to all users with access to the report.

    • Save data for Republish - select this check box if you want the XML data from the report run saved.

    • Save Output - select this check box if you want the report output saved.

    • Use Unicode (UTF8)

  6. In the Notification section, select when you want to be notified and if you want to use email as your notification channel. If you choose email, a field appears for you to provide an email address.

  7. Enter the Time criteria.

    • Run Immediately

    • Run Once

    • Run Daily/Weekly

    • Run Monthly

  8. Select Email in the Delivery section if you want the report sent by email.

  9. Click Submit.

12.3 Example Report Scenarios

The following are some example reporting scenarios that may be used to investigate possible fraud. The exact reporting practices used by each institution may differ based on company policies. If a separate reporting database is not being used, great care must be taken when running reports on a live production system. All but the narrowest queries should be scheduled to run during off hours in this case.

One useful strategy is to schedule a general alert based report for each application on a nightly basis. Any suspicious activity should be further investigated using narrow queries and detail screens. Specific queries used for targeted investigation can be found in the query types menus under each of the three query families (User, Location, Device).

12.3.1 Example General Nightly Report

User/Recent logins - Schedule this report to run with the following parameters

Check Alert Level - ALERT_MEDIUM & ALERT_HIGH

Primary Group Id - The user group associated to the application

Scheduled Report

  • Frequency - Day

  • Range - Last 24 hours

Example Scenario 1

The User/Recent logins report is scheduled to run nightly for the last 24 hours. One day the report shows several "Multiple failures from the device" alerts. The investigator could run a narrow query and then view detail screens to gain more information. To see whether the behavior that triggered the rule has been happening with a wider threshold, further targeted reports could be scheduled for the next night.

12.3.1.1 User/Recent Logins

Run this narrow query with one of the specific session IDs in which the "Multiple failures from the device" alert was triggered. This session ID is the first number shown in each session listing in the general nightly report that was scheduled.

12.3.1.2 Device details

After running the narrow recent logins query, the details screens associated with the login session can be viewed. These detail screens have a wealth of information collected by Adaptive Risk Manager that can be used in an investigation. For example, customers attempting logins from the suspect device can be seen on the device details screen under the users tab. If desired, action outside of Fraud Analyzer can be taken to investigate these customers for more information. For example, customers could be called to see if they have been experiencing problems accessing their account. Action from here should be guided by your institution's policies.

12.3.1.3 Device/Multiple Failures

A targeted report could be scheduled to run in response to the activity seen in the general report if a deeper look into the data is desired. Schedule this targeted report with the threshold values a bit higher than the specific rule that was triggered the previous day. The session details screen for each session ID will show what rules were triggered and there are links to the model edit screen where the exact thresholds of the rules can be seen. Any devices with exceptionally high numbers of failures should be looked into using their device details screens. Here are some example values that could be used.

Min No. Of Login Failures - 15

From and To Dates - a range corresponding to the last 48 hours

Scheduled Report

  • 2 am

Example Scenario 2

The User/Recent logins report is scheduled to run nightly for the last 24 hours. One day the report shows a "Login from restricted country" alert. The investigator could run a narrow query and then view detail screens to gain more information. To see whether the behavior that triggered the rule has been happening with a wider threshold, further targeted reports could be scheduled for the next night.

12.3.1.4 User/Recent Logins

Run this narrow query with the specific session ID in which the "Login from restricted country" alert was triggered. This session ID is the first number shown in each session listing in the general nightly report that was scheduled.

12.3.1.5 Location details

After running the narrow recent logins query, the details screens associated with the login session can be viewed. These detail screens have a wealth of information collected by Adaptive Risk Manager that can be used in an investigation. For example, customers attempting logins from the suspect countries can be seen on the location details screen under the users tab. If desired, action outside of Fraud Analyzer can be taken to investigate these customers for more information. For example, customers could be called to see if they have been accessing their accounts from outside of the USA. Action from here should be guided by your institution's policies.

12.3.1.6 Location/Users by Location

A targeted report could be scheduled to run in response to the activity seen in the general report if a deeper look into a single location is desired. Schedule this targeted report with a specific IP or geographic location. Any users found to be attempting logins from restricted countries should be looked into. Here are some example values that could be used.

Country Name X

From and To Dates - a range corresponding to the last 48 hours

Scheduled Report

  • 2 am

12.3.2 Additional Sample Analyses

Similar to the analysis processes above, other reports can be used to investigate specific situations. Here are some more examples of useful reports to run after viewing the following alerts.

  • If the "Multiple Logins from IP" alert is triggered, run Location - Multiple Users report to see if there were any IPs recently that had a high number of users.

  • If the "Multiple users are using the same device in short time frame" alert is triggered, run Device - Multiple Users report to see if there were any devices recently that had a high number of users with specific IP or geographic location parameters.

  • If the "Login from restricted device" alert is triggered, run the Device - Users by Device report, which will show the users that used a restricted device to log in.

12.3.2.1 Here are some example values that could be used.

Specific IP or a Geographic location

From and To Dates - a range corresponding to the last 48 hours

Scheduled Report

  • 2 am

12.3.2.2 Device/ Users by Device

If the "Login from restricted device" alert is seen in a nightly report, this targeted report could be run the next night. This report will show the users that used a restricted device to log in. Here are some example values that could be used.

Device Group - Restricted Devices

Group Id - Default user group for the application

From and To Dates - a range corresponding to the last 48 hours

Scheduled Report

  • 2 am
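
The targeted queries from 12.3.1.3 (Device/Multiple Failures) and 12.3.2 (Multiple Users by device or location), re-implemented offline over rows exported from the nightly report, as an added example that is not Oracle code. The CSV column names, status values, sample rows, the minimum of 5 users and all function names are constructed assumptions; the 15-failure threshold, the 48-hour range and the ALERT_MEDIUM/ALERT_HIGH filter follow the example values above.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Column names are assumptions for this example, not the product's schema.
FIELDS = "session_id,login_time,user_id,device_id,ip,status,alert_level"
NOW = datetime(2009, 3, 11, 2, 0, 0)  # constructed 2 am run time
TS = "%Y-%m-%d %H:%M:%S"


def make_sample_export():
    """Build a constructed CSV export with three devices."""
    lines = [FIELDS]
    start = NOW - timedelta(hours=20)
    # Device 501: 16 failures spread across 6 user IDs from one IP.
    for i in range(16):
        t = (start + timedelta(minutes=10 * i)).strftime(TS)
        lines.append(f"{1000 + i},{t},user{i % 6},501,"
                     "192.0.2.10,FAILED,ALERT_HIGH")
    # Device 502: one failed attempt, then a successful login.
    t = (NOW - timedelta(hours=5)).strftime(TS)
    lines.append(f"2000,{t},alice,502,198.51.100.7,FAILED,")
    lines.append(f"2001,{t},alice,502,198.51.100.7,SUCCESS,")
    # Device 503: 20 failures, all older than the 48-hour range.
    old = (NOW - timedelta(hours=72)).strftime(TS)
    for i in range(20):
        lines.append(f"{3000 + i},{old},bob,503,"
                     "203.0.113.5,FAILED,ALERT_MEDIUM")
    return "\n".join(lines)


def load_rows(text):
    """Parse the export and convert login_time to datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["login_time"] = datetime.strptime(row["login_time"], TS)
    return rows


def in_range(rows, now, hours=48):
    """Keep rows whose login_time falls in the last `hours` hours."""
    cutoff = now - timedelta(hours=hours)
    return [r for r in rows if cutoff <= r["login_time"] <= now]


def nightly_alert_sessions(rows, levels=("ALERT_MEDIUM", "ALERT_HIGH")):
    """General nightly report: sessions carrying a medium or high alert."""
    return [r["session_id"] for r in rows if r["alert_level"] in levels]


def multiple_failures(rows, key, min_failures):
    """Multiple Failures query grouped by device_id, user_id or ip."""
    counts = defaultdict(int)
    for r in rows:
        if r["status"] == "FAILED":
            counts[r[key]] += 1
    return {k: n for k, n in counts.items() if n >= min_failures}


def multiple_users(rows, key, min_users):
    """Multiple Users query: distinct users seen per device_id or ip."""
    users = defaultdict(set)
    for r in rows:
        users[r[key]].add(r["user_id"])
    return {k: sorted(u) for k, u in users.items() if len(u) >= min_users}


def triage(text, now=NOW):
    """Run the nightly filter, then the targeted 48-hour queries."""
    recent = in_range(load_rows(text), now, hours=48)
    last_day = in_range(recent, now, hours=24)
    return {
        "alert_sessions": len(nightly_alert_sessions(last_day)),
        "devices_failing": multiple_failures(recent, "device_id", 15),
        # Per-user counts stay under 15 when guesses are spread over IDs.
        "users_failing": multiple_failures(recent, "user_id", 15),
        "ips_failing": multiple_failures(recent, "ip", 15),
        "shared_devices": multiple_users(recent, "device_id", 5),
    }


if __name__ == "__main__":
    for name, result in triage(make_sample_export()).items():
        print(name, result)
```

In the sample data the device and IP views flag the activity while the per-user view returns nothing at the same threshold, because the failures are spread across six user IDs.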

12.4 Best Practices for Creating Reports

| Customer Statistic | Reports | Directions | Notes |
| --- | --- | --- | --- |
| identify Kiosk/public machines | Device/Multiple Users | Turn up minimum number of users to an exceptional level to detect devices with extremely high numbers of users. | |
| How many incorrect usernames are entered per month? | User/Invalid Logins | Set min number of attempts to 1 and the time range to a month | |
| Identify users that use a very high number of computers to login | User/Multiple Devices | Turn up minimum number of devices to an exceptional level to detect users with high numbers of devices. | The customer profile rules could be adjusted if it is discovered that the majority of users use more than the maximum allowed devices |
| Identify new online users | User/First Login | | |
| | User/Frequent Logins | | |
| Identify the number of users having problems logging in | User/Multiple Failures | Set min number of attempts to a low number like 3 and the time range to one month | This will give a general idea of the difficulty users are having successfully logging in. However, hacker activity can skew these numbers |

| Hacker Issues | Reports | | Notes |
| --- | --- | --- | --- |
| Brute Force | | | |
| locate possible brute force attacks | Device/Multiple Failures | | Turn up minimum number of failures to an exceptional level to detect devices failing to login an abusive number of times. |
| | User/Multiple Failures | | Turn up minimum number of failures to an exceptional level to detect users failing to login an abusive number of times. |
| | Location/Multiple Failures | | Select a location and increase minimum number of failures to an exceptional amount. |
| | User/Multiple Devices | Turn up minimum number of devices to an exceptional level. | |
| | Location/Invalid Users | Turn up minimum number of attempts to an exceptional level. | |