Configuring a Risky IP Use Case in Oracle Adaptive Risk Management

Introduction

This tutorial shows you how to configure a risky IP use case in Oracle Adaptive Risk Management (OARM).

This tutorial considers a scenario where the Administrator wants to configure the IP addresses that the organization considers risky. This use case is achieved by using the Challenge based on Risky IP out-of-the-box rule. When a user logs in from an IP address that is considered risky, the rule raises a risk-based challenge for the user and generates an alert for the user activity. The Administrator can monitor alerts, actions, rules, and other user-related information through the User Session dashboard.

Objectives

In this tutorial you will perform the following tasks:

Prerequisites

Before starting this tutorial you must follow:

Configure a Risky IP Use Case in OARM

  1. Log in to the OARM Administration console. You are redirected to the OAM login page as the console is protected by OAM OAuth. Specify your credentials and log in.

  2. Click the Application Navigation hamburger menu on top-left and click Adaptive Risk Management. The User Activity dashboard appears.

  3. From the User Authentication tile, click the Rules link. The User Activity rules display page appears.

  4. In the search pane, enter text to filter the out-of-the-box rules for the one used to configure risky IPs, for instance, risky ip. The Challenge based on Risky IP rule appears. This is the rule that you need to configure for this use case.

  5. Click the Edit icon against the Challenge based on Risky IP rule.

    Note: The Challenge based on Risky IP out-of-the-box rule has a condition associated with it that evaluates the risky IP address.

  6. Verify that the Select Action and the Select Alert lists are pre-populated with Challenge and Risky IP options respectively.

    Note: You can configure action and alert as per your requirement. For instance, if the access request is from an IP address that is considered risky and you want to block the user, then you can configure the action as Block.

  7. Add the risky IP addresses in a group. For the convenience of the Administrator, the Risky IPs group is provided out-of-the-box.

  8. Under IP Group, with the Risky IPs option selected in the list, click the Edit Risky IPs link to add the IP addresses considered risky.

  9. Click Save and Proceed. The Edit Group page appears.

  10. Perform the following steps to configure the Risky IPs group:

    a. Click Add IPs.

    b. In the Value field, enter the IP address. For demonstration, consider the IP address 10.213.232.164.

    c. Click Add. The following figure displays the IP address added to the Risky IPs group.

      Description of the illustration edit-risky-ip.PNG

    d. Repeat steps 10a to 10c to add the list of risky IP addresses in the group.

  11. Click Save to save the group. You are redirected to the Edit rule page.

  12. Click Save to save the rule. You are redirected to the User Activity rules page.

Now, during the authentication flow, when this rule is executed, the condition associated with the Risky IP out-of-the-box rule is evaluated. If this condition evaluates to True, then the rule is triggered. In turn, the user is presented the challenge based on the factors configured.
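The following sketch models that decision so a list of candidate addresses can be checked before it is entered in the Risky IPs group. It is an added example, not Oracle code and not OARM's implementation. The function names, the sample events, the address used for user3, and the handling of IPv4-mapped IPv6 addresses are assumptions of this model.

```python
import ipaddress

def normalize(ip_text):
    """Return a canonical address string, or None if ip_text is not a valid IP."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    # Assumption of this model: treat ::ffff:a.b.c.d as the IPv4 address a.b.c.d.
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped if mapped is not None else addr)

def build_group(candidates):
    """Validate and de-duplicate entries destined for the Risky IPs group."""
    group, rejected = set(), []
    for entry in candidates:
        ip = normalize(entry)
        if ip is None:
            rejected.append(entry)      # typo or malformed value: fix before adding
        else:
            group.add(ip)
    return group, rejected

def evaluate(event, group, action="Challenge", alert="Risky IP"):
    """Model the rule: condition True -> configured action and alert, else nothing."""
    ip = normalize(event["ip"])
    hit = ip is not None and ip in group
    return {"user": event["user"], "triggered": hit,
            "action": action if hit else None,
            "alert": alert if hit else None}

# Constructed sample data: the tutorial's demo address plus made-up entries.
CANDIDATES = ["10.213.232.164", " 10.213.232.164 ", "::ffff:192.0.2.10", "10.213.232.999"]
EVENTS = [
    {"user": "user2", "ip": "10.213.232.164"},  # address is in the group
    {"user": "user3", "ip": "198.51.100.7"},    # address is not in the group
]

def run_demo():
    group, rejected = build_group(CANDIDATES)
    return group, rejected, [evaluate(e, group) for e in EVENTS]

if __name__ == "__main__":
    group, rejected, results = run_demo()
    print("group:", sorted(group), "rejected:", rejected)
    for result in results:
        print(result)
```
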

Test the Risky IP Rule

In this section you access the protected application, log in to OARM and test how the Risky IP rule works.

  1. Launch a browser and access the protected application, for instance http://oam.example.com:7777/mybank. As this application is protected you should be redirected to the OAM login page. Log in as the new user user2/<password>.

    Description of the illustration oamlogin.PNG

  2. If the login is successful you will be redirected to the OAA endpoint, for example https://oaa.example.com/oaa/authnui. Internally, OAA passes this request to OARM, which triggers the Risky IP rule that is set to Challenge, and the challenge page is presented to the user.

    Description of the illustration challengechoice.PNG

  3. You will be redirected to the Email page where you are asked to Enter OTP from the registered email device. In the Enter OTP field, enter the one-time passcode that is emailed to the user's email address and click Verify.

    Description of the illustration emailotp.PNG

  4. If the authentication is successful you should be redirected to the protected application page, for instance /mybank.

    Description of the illustration mybank.PNG

Monitor the User Session

  1. Launch a new browser.

  2. Log in to the OARM Administration console. You are redirected to the OAM login page, as the console is protected by OAM OAuth. Specify your credentials and log in.

  3. Click the Application Navigation hamburger menu on top-left, and click Monitor User Sessions. The User Sessions dashboard appears.

  4. Click the Include Successful Sessions toggle button to display the list of successful logins. You will notice the user2 login details with the same IP address that was configured as risky.

    Description of the illustration user-session.PNG

  5. Click the link under Session ID for this user, for instance 50014. The User Sessions - 50014 page appears.

  6. On the User Authentication pane, click Alerts to view the message triggered by the Alert to the Administrator.

    Description of the illustration user-session-detail.PNG

Validate the Working of Risky IP Rule

In this section, you will validate that the Risky IP rule is working accurately. To establish the accuracy, log in to the same banking application from a different IP address using a different user. You can also use the same user with a different IP address.

  1. Launch a browser and access the protected application, for instance http://oam.example.com:7777/mybank. Log in as the new user user3/<password> with a different IP address.

    Description of the illustration new-user.PNG

  2. The authentication is successful and the user is redirected to the protected application page, for instance /mybank. Note: The user is allowed to access the protected application and is not presented the challenge. This is because the Risky IP rule was executed, but the user's IP address was not found in the Risky IPs group, so the condition was not met.

  3. Open a new browser tab and log in to the OARM Administration console. Specify your credentials and log in.

  4. Click the Application Navigation hamburger menu on top-left, and click Monitor User Sessions. The User Sessions dashboard appears.

  5. Click the Include Successful Sessions toggle button to display the list of successful logins. You will notice the user3 login details.

  6. Click the link under Session ID for this user, for instance 50015. The User Sessions - 50015 page appears.

  7. Click Rules. You will observe no rule was triggered as the condition was not met.

    Description of the illustration new-user-session.PNG
