19 Configuring BI Publisher Reports

This chapter describes how to configure reporting and how to view Oracle Adaptive Access Manager reports. It contains these topics:

19.1 Setting up Oracle Business Intelligence Publisher for Oracle Adaptive Access Manager Reports

When your data resides in a database, you can run pre-defined Oracle Business Intelligence Publisher (BI Publisher) reports and create your own reports on the data. This section contains these topics about configuring your environment for reports:

19.1.1 Installing BI Publisher

If you do not have Oracle BI Publisher installed, you must install it. Follow the instructions provided at:

http://www.oracle.com/technology/documentation/bi_pub.html

19.1.2 Installing Oracle Adaptive Access Manager BI Publisher Reports

This section explains how to install BI Publisher Reports. You must install Oracle BI Publisher and verify it is operational before installing the BI Publisher Reports. Refer to the Oracle Fusion Middleware Business Intelligence Publisher Reports Administrator's Guide for Oracle Identity Management for more information.

Perform the following steps to install the reports:

  1. Download the Oracle Adaptive Access Manager package to your Oracle BI Publisher server. The reports package is available on the Oracle Technology Network web site. You can access the Oracle Technology Network web site at:

    http://www.oracle.com/technology/index.html

  2. Unzip the package to a temporary location on your Oracle BI Publisher server. For example:

    /tmp/OAAM Reports/

  3. Stop the Oracle BI Publisher server. Refer to Oracle Fusion Middleware Business Intelligence Publisher Reports Administrator's Guide for Oracle Identity Management if you need more information.

  4. Recursively copy the /OAAM Reports/Oracle Identity Management Reports/ directory to the /Oracle_BI_Publisher_home/xmlp/XMLP/Reports/ directory on your Oracle BI Publisher server. After performing this step, you should have the following directory on your Oracle BI Publisher server:

    /Oracle_BI_Publisher_home/xmlp/XMLP/Reports/Oracle Identity Management Reports/OAAM/

  5. Copy the properties.xml file to any directory in Oracle BI Publisher server's file system.

  6. Start the Oracle BI Publisher server. Refer to the Oracle Fusion Middleware Business Intelligence Publisher Reports Administrator's Guide for Oracle Identity Management if you need more information.

19.1.3 Configuring Oracle Adaptive Access Manager BI Publisher Reports

Perform the following steps to configure the Oracle Adaptive Access Manager reports:

  1. Configure the JDBC Data Source for Oracle Adaptive Access Manager by performing the following steps:

    1. Log in to Oracle BI Publisher from a web browser as an Administrator. Refer to Oracle Fusion Middleware Business Intelligence Publisher Reports Administrator's Guide for Oracle Identity Management if you need more information.

    2. Click the Admin tab, then click JDBC Connection under Data Source, and then click the Add Data Source button. The Add Data Source screen appears.

    3. Enter the following information in the fields on the Add Data Source screen. Replace the variable values in the following examples with the actual values for your Oracle Adaptive Access Manager database.

      Field - Data to Enter

      Data Source Name - ARM

      For the Oracle Adaptive Access Manager reports to work out-of-the-box, the JDBC data source must be named "ARM". If you choose a different name, you must modify the data source property in all reports.

      Connection String - jdbc:oracle:thin:@host:port:sid

      Username - Username for a database schema user that has access to Oracle Adaptive Access Manager.

      Password - Password for user identified in the Username field.

      Database Driver Class - oracle.jdbc.driver.OracleDriver

  2. Configure the AdminProperties Data Source for Oracle Adaptive Access Manager by performing the following steps. The AdminProperties data source contains configuration information that Oracle Adaptive Access Manager needs to read when generating the reports.

    1. Click the Admin tab, then click File under Data Source, and then click the Add Data Source button. The Add Data Source screen appears.

    2. Enter the following information in the fields on the Add Data Source screen:

      Field - Data to Enter

      Data Source Name - AdminProperties

      You must name this Data Source AdminProperties.

      Full Path of Top-level Directory - The path must be the directory where you placed properties.xml.

The configuration for Oracle Adaptive Access Manager reports is complete. Refer to Oracle Fusion Middleware Business Intelligence Publisher Reports Administrator's Guide for Oracle Identity Management to generate reports for Oracle Adaptive Access Manager.

19.1.4 Testing Oracle Adaptive Access Manager BI Publisher Configuration

Perform the following steps to test whether the configuration of the Oracle Adaptive Access Manager reports has been successful:

  1. Log in to Oracle BI Publisher using a URL of the form:

    http://host.domain.com:port/xmlpserver/

  2. On the main page, click OAAM under Shared Folders and then oradb.

    The Oracle Adaptive Access Manager reports are now available.

  3. Select any report.

  4. Select any output type and click the View button.

19.2 Viewing/Running Reports

This section explains how to view/run reports.

Take these steps to view/run a report:

  1. Log in to Oracle BI Publisher using a URL of the form:

    http://host.domain.com:port/xmlpserver/

  2. On the main page, click OAAM under Shared Folders and then oradb.

  3. Navigate to the report of interest.

    The report is displayed.

  4. The report display page contains these major areas:

    • Filters at the top of the page enable you to determine the records to include in the report.

    • Format control buttons enable you to determine:

      • the template type, which can be:

           HTML - This is the default display format.

           PDF - Displays a printable PDF view.

           RTF - Displays a document in Rich Text Format.

           Excel2000 - Displays a spreadsheet.

           Data - Displays an unformatted XML data set.

        To change the template type while viewing a report, select the type from the list and click View.

      • output format

      • delivery options

      • range in which to view the data

  5. View, save or export the report as desired.

19.3 Scheduling a Report

Clicking on the report's Schedule button brings up a page which you can use to schedule and administer the report.

You can schedule a report to run immediately or on a particular day and time in the future, and to run once, daily/weekly, or monthly. If you want, you can choose to be notified by email when the report completes or fails.

Perform the following steps to schedule a report:

  1. Click the report's Schedule button.

  2. Set the report parameters:

    • From Date and To Date

    • Format - the output format.

    • Monitor Type

  3. Set the job properties:

    • Job Name - a name for your report run.

    • Report Formatting Locale

    • Report Formatting Time Zone

    • Report Formatting Calendar

    • Public - select this checkbox to make this job available to all users with access to the report.

    • Save data for Republish - select this checkbox if you want the XML data from the report run saved.

    • Save Output - select this checkbox if you want the report output saved.

    • Use Unicode (UTF8)

  4. In the Notification section, select when you want to be notified and if you want to use email as your notification channel. If you choose email, a field appears for you to provide an email address.

  5. Enter the Time criteria.

    • Run Immediately

    • Run Once

    • Run Daily/Weekly

    • Run Monthly

  6. Select Email in the Delivery section if you want the report sent by email.

  7. Click Submit.

19.4 Example Report Scenarios

The following are some example reporting scenarios. The exact reporting practices used by each institution may differ based on company policies. If a separate reporting database is not being used, great care must be taken when running reports on a live production system. All but the narrowest queries should be scheduled to run during off hours in this case.

One useful strategy is to schedule a general alert based report for each application on a nightly basis. Any suspicious activity should be further investigated using narrow queries and detail screens. Specific queries used for targeted investigation can be found in the query types menus under each of the three query families (User, Location, Device).

19.4.1 Example General Nightly Report

User/Recent logins - Schedule this report to run with the following parameters:

Check Alert Level - ALERT_MEDIUM and ALERT_HIGH

Organization ID - The user group associated with the application

Scheduled Report

  • Frequency - Day

  • Range - Last 24 hours

Example Scenario 1

The User/Recent logins report is scheduled to run nightly for the last 24 hours. One day the report shows several "Multiple failures from the device" alerts. The investigator could run a narrow query and then view detail screens to gain more information. To see whether the behavior that triggered the rule has also been happening with a wider threshold, further targeted reports could be scheduled for the next night.

19.4.1.1 User/Recent Logins

Run this narrow query with one of the specific session IDs in which the "Multiple failures from the device" alert was triggered. This session ID is the first number shown in each session listing in the general nightly report that was scheduled.

19.4.1.2 Device details

After running the narrow recent logins query the details screens associated with the login session can be viewed. These detail screens have a wealth of information collected by Oracle Adaptive Access Manager that can be used in an investigation. For example, customers attempting logins from the suspect device can be seen on the device details screen under the users tab. If desired, action outside of Fraud Analyzer can be taken to investigate these customers for more information. For example, customers could be called to see if they have been experiencing problems accessing their account. Action from here should be guided by your institution's policies.

19.4.1.3 Device/Multiple Failures

A targeted report could be scheduled to run in response to the activity seen in the general report if a deeper look into the data is desired. Schedule this targeted report with the threshold values a bit higher than the specific rule that was triggered the previous day. The session details screen for each session ID will show what rules were triggered and there are links to the model edit screen where the exact thresholds of the rules can be seen. Any devices with exceptionally high numbers of failures should be looked into using their device details screens. Some example values are listed as follows:

Min No. Of Login Failures - 15

From and To Dates - a range corresponding to the last 48 hours

Scheduled Report

  • 2 am
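The selection that the Min No. Of Login Failures and From/To Dates parameters describe can be sketched as follows. This is an added example, not Oracle's report query or part of the original guide; the session records, their field layout, the device IDs and the report time are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed report time (the 2 am scheduled run); not a value from the guide.
NOW = datetime(2024, 1, 10, 2, 0)

def build_sessions():
    """Constructed sample sessions: (session_id, device, user, status, time).
    The record layout is hypothetical, not the OAAM schema."""
    rows, sid = [], 1000
    # D-17: 18 failures spread over six user names in the last ~27 hours.
    for i in range(18):
        rows.append((sid, "D-17", f"user{i % 6}", "FAILED",
                     NOW - timedelta(hours=1 + 1.5 * i)))
        sid += 1
    # D-02: 16 failures, but most are older than 48 hours.
    for i in range(16):
        rows.append((sid, "D-02", "userA", "FAILED",
                     NOW - timedelta(hours=40 + 2 * i)))
        sid += 1
    # D-09: a busy shared device with mostly successful logins.
    for i in range(23):
        status = "FAILED" if i < 3 else "SUCCESS"
        rows.append((sid, "D-09", f"kiosk{i}", status,
                     NOW - timedelta(hours=i)))
        sid += 1
    return rows

def multiple_failures_by_device(sessions, min_failures, from_date, to_date):
    """Devices with at least min_failures failed logins in [from_date, to_date]."""
    hits = defaultdict(list)
    for sid, device, user, status, when in sessions:
        if status == "FAILED" and from_date <= when <= to_date:
            hits[device].append((sid, user))
    report = [
        {"device": dev,
         "failures": len(h),
         "users": sorted({u for _, u in h}),      # who to follow up on
         "first_session": min(s for s, _ in h)}   # entry point for a narrow query
        for dev, h in hits.items() if len(h) >= min_failures
    ]
    return sorted(report, key=lambda r: r["failures"], reverse=True)

if __name__ == "__main__":
    sessions = build_sessions()
    for hours in (48, 96):
        rows = multiple_failures_by_device(
            sessions, 15, NOW - timedelta(hours=hours), NOW)
        print(hours, [(r["device"], r["failures"], r["users"]) for r in rows])
```

With the 48-hour range only D-17 is reported; widening the range to 96 hours also brings in D-02, so the date range matters as much as the failure threshold.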

Example Scenario 2

The User/Recent logins report is scheduled to run nightly for the last 24 hours. One day the report shows a "Login from restricted country" alert. The investigator could run a narrow query and then view detail screens to gain more information. To see whether the behavior that triggered the rule has also been happening with a wider threshold, further targeted reports could be scheduled for the next night.

19.4.1.4 User/Recent Logins

Run this narrow query with the specific session ID in which the "Login from restricted country" alert was triggered. This session ID is the first number shown in each session listing in the general nightly report that was scheduled.

19.4.1.5 Location details

After running the narrow recent logins query the details screens associated with the login session can be viewed. These detail screens have a wealth of information collected by Oracle Adaptive Access Manager that can be used in an investigation. For example, customers attempting logins from the suspect countries can be seen on the location details screen under the users tab. If desired, action outside of Fraud Analyzer can be taken to investigate these customers for more information. For example, customers could be called to see if they have been accessing their accounts from outside of the USA. Action from here should be guided by your institution's policies.

19.4.1.6 Location/Users by Location

A targeted report could be scheduled to run in response to the activity seen in the general report if a deeper look into a single location is desired. Schedule this targeted report with a specific IP or geographic location. Any users found to be attempting logins from restricted countries should be looked into. Here are some example values that could be used.

Country Name - X

From and To Dates - a range corresponding to the last 48 hours

Scheduled Report

  • 2 am

19.4.2 Additional Sample Analyses

Similar to the analysis processes earlier, other reports can be used to investigate specific situations. Here are some more examples of useful reports to run after viewing the following alerts.

  • If the "Multiple Logins from IP" alert is triggered, run Location - Multiple Users report to see if there were any IPs recently that had a high number of users.

  • If the "Multiple users are using the same device in short time frame" alert is triggered, run Device - Multiple Users report to see if there were any devices recently that had a high number of users with specific IP or geographic location parameters.

  • If the "Login from restricted device" alert is triggered, run the Device - Users by Device report which will show the users that used a restricted device to log in.

19.4.2.1 Here are some example values that could be used.

Specific IP or a Geographic location

From and To Dates - a range corresponding to the last 48 hours

Scheduled Report

  • 2 am

19.4.2.2 Device/ Users by Device

If the "Login from restricted device" alert is seen in a nightly report, this targeted report could be run the next night. This report will show the users that used a restricted device to log in. Here are some example values that could be used.

Device Group - Restricted Devices

Group ID - Default user group for the application

From and To Dates - a range corresponding to the last 48 hours

Scheduled Report

  • 2 am

19.5 Best Practices for Creating Reports

Customer Statistic - Identify kiosk/public computers

  • Report - Device/Multiple Users

  • Directions - Turn up minimum number of users to an exceptional level to detect devices with extremely high numbers of users.

Customer Statistic - How many incorrect usernames are entered per month?

  • Report - User/Invalid Logins

  • Directions - Set min number of attempts to 1 and the time range to a month.

Customer Statistic - Identify users that use a very high number of computers to log in

  • Report - User/Multiple Devices

  • Directions - Turn up minimum number of devices to an exceptional level to detect users with high numbers of devices.

  • Notes - The customer profile rules could be adjusted if it is discovered that the majority of users use more than the maximum allowed devices.

Customer Statistic - Identify new online users

  • Report - User/First Login

  • Report - User/Frequent Logins

Customer Statistic - Identify the number of users having problems logging in

  • Report - User/Multiple Failures

  • Directions - Set min number of attempts to a low number like 3 and the time range to one month.

  • Notes - This will give a general idea of the difficulty users are having successfully logging in. However, hacker activity can skew these numbers.

Hacker Issues - Brute Force

Reports and notes for locating possible brute force attacks:

  • Device/Multiple Failures - Turn up minimum number of failures to an exceptional level to detect devices failing to log in an abusive number of times.

  • User/Multiple Failures - Turn up minimum number of failures to an exceptional level to detect users failing to log in an abusive number of times.

  • Location/Multiple Failures - Select a location and increase minimum number of failures to an exceptional amount.

  • User/Multiple Devices - Turn up minimum number of devices to an exceptional level.

  • Location/Invalid Users - Turn up minimum number of attempts to an exceptional level.

19.6 Use Cases

The following section provides a scenario of how Oracle Adaptive Access Manager's reports are used.

19.6.1 Use Case: BIP Reports

You are Marty, a business analyst for Acme Corp. You have been asked to gather some aggregate data on the impact to customers by the Oracle Adaptive Access Manager security system.

Directions: Run the KBA challenge statistics report and rules aggregate breakdown report. Also run the recent logins report, filtering for sessions that resulted in a block. Run all the reports with XLS output so you can share the results with your business unit.

19.6.1.1 Description

This use case demonstrates how to use BI Publisher.

19.6.1.2 Steps

This use case demonstrates how to use BI Publisher reports.

  1. Log in to the BI Publisher as an Analyst.

  2. Select OAAM under Shared Folders.

  3. Under the OAAM folder, select oradb.

  4. Locate the report to run.

    1. Under the Common folder, click RecentLogins to view the RecentLogins report.

    2. Under the KBA folder, click ChallengeStatistics to view the Challenge Statistics report.

    3. Under the KBA folder, click QuestionStatistics to view the QuestionStatistics report.

    4. Under the Security folder, click RulesBreakdown to view the RulesBreakdown report.

  5. For the RecentLogins report, select Blocked in Auth Status as a search criteria.

  6. Repeat the following steps for each report.

    1. Click View.

    2. In the Template menu, select Excel2000 and click Export.