Configuring a Risky IP Use Case in Oracle Adaptive Risk Management

Introduction

This tutorial shows you how to configure a risky IP use case in Oracle Adaptive Risk Management (OARM).

This tutorial considers a scenario where the Administrator wants to configure IP addresses that the organization considers risky. This use case is achieved by using the Block based on Risky IP out-of-the-box rule. By default, the rule blocks a user if their request originates from an IP address previously flagged as risky. In this use case, you will configure the rule to present a risk-based challenge to the user and generate an alert when the user activity originates from an IP address that the security team has marked as a risky IP. The Administrator can monitor alerts, actions, rules, and other user-related information through the User Session dashboard.

Objectives

In this tutorial you will perform the following tasks:

Prerequisites

Before starting this tutorial you must follow:

Configure a Risky IP Use Case in OARM

  1. Log in to the OARM Administration console. You are redirected to the OAM login page as the console is protected by OAM OAuth. Specify your credentials and log in.

  2. Click the Application Navigation hamburger menu on top-left and click Adaptive Risk Management. The User Activity dashboard appears.

  3. From the User Authentication tile, click the Rules link. The User Activity rules page appears.

  4. In the search pane, enter text to filter the out-of-the-box rules for the one used to configure risky IPs, for instance, risky ip. The Block based on Risky IP rule appears; this is the rule you need to configure for this use case.

  5. Click the Edit icon against the Block based on Risky IP rule.

    Note: The Block based on Risky IP out-of-the-box rule has a condition associated with it that evaluates the risky IP address.

  6. From the Select Action list, select the Challenge option. Confirm that the Select Alert list is pre-populated with the Risky IP option.

    Note: You can configure action and alert as per your requirement. For instance, if the access request is from an IP address that is considered risky and you want to challenge the user, then you can configure the action as Challenge.

  7. Click the Edit Risky IPs link below the IP Group drop-down list, where the Risky IPs option is selected, to add the IP addresses identified as risky.

    Note: For the convenience of the Administrator, Risky IPs group is provided out-of-the-box.

  8. Click Save and Proceed. The Edit Group page appears.

  9. Perform the following steps to configure the Risky IPs group:

    • Click Add IPs.

    • In the Value field, enter the IP address identified as risky. For demonstration consider the IP address, 10.213.232.164.

    • Click Add. The following figure displays the IP address added to the Risky IPs group.

    • Repeat the preceding sub-steps to add all the identified risky IP addresses to the group.

  10. Click Save to save the group. You are redirected to the Edit rule page.

  11. Click Save to save the rule. You are redirected to the User Activity rules page.

Now, when this rule is executed during the authentication flow, the condition associated with the Risky IP out-of-the-box rule is evaluated. If the condition evaluates to True, the rule is triggered and the user is presented with the challenge based on the factors configured.
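The following Python sketch is an added illustration, not Oracle code and not part of the original tutorial. It models the rule logic described above (group membership, then action and alert) and shows why entries should be validated before they are added to the group. The names normalize_ip, IpGroup and Rule are hypothetical, and how OARM itself normalizes addresses is not stated in this tutorial.

```python
import ipaddress
from dataclasses import dataclass, field

def normalize_ip(value):
    """Return a canonical address object, or None if value is not a valid IP."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

@dataclass
class IpGroup:  # hypothetical stand-in for the Risky IPs group
    name: str
    members: set = field(default_factory=set)
    rejected: list = field(default_factory=list)

    def add(self, value):
        ip = normalize_ip(value)
        if ip is None:
            self.rejected.append(value)  # keep for review, do not drop silently
            return False
        self.members.add(ip)
        return True

    def contains(self, value):
        ip = normalize_ip(value)
        return ip is not None and ip in self.members

@dataclass
class Rule:  # hypothetical stand-in for the configured rule
    name: str
    group: IpGroup
    action: str
    alert: str

    def evaluate(self, session_ip):
        """Condition True -> rule triggered -> configured action and alert."""
        if self.group.contains(session_ip):
            return {"triggered": True, "action": self.action, "alert": self.alert}
        return {"triggered": False, "action": None, "alert": None}

# Constructed data: the tutorial's demonstration IP, a duplicate, a malformed entry.
risky = IpGroup("Risky IPs")
for entry in ["10.213.232.164", " 10.213.232.164 ", "10.213.232.999"]:
    risky.add(entry)
rule = Rule("Block based on Risky IP", risky, action="Challenge", alert="Risky IP")
```
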

Test the Risky IP Rule

In this section you access the protected application, log in to OARM and test how the Risky IP rule works.

  1. Launch a browser and access the protected application, for instance http://oam.example.com:7777/mybank. As this application is protected you should be redirected to the OAM login page. Log in as the new user user2/<password>.

  2. If the login is successful you will be redirected to the OAA endpoint, for example https://oaa.example.com/oaa/authnui. Internally, OAA passes this request to OARM, which triggers the Risky IP rule that is set to Challenge, and the challenge page is presented to the user.

  3. You will be redirected to the Email page where you are asked to Enter OTP from the registered email device. In the Enter OTP field, enter the one-time passcode that is emailed to the user's email address and click Verify.

  4. If the authentication is successful you should be redirected to the protected application page, for instance /mybank.

Monitor the User Session

  1. Launch a new browser.

  2. Log in to the OARM Administration console. You are redirected to the OAM login page, as the console is protected by OAM OAuth. Specify your credentials and log in.

  3. Click the Application Navigation hamburger menu on top-left, and click Monitor User Sessions. The User Sessions dashboard appears.

  4. Click the Include Successful Sessions toggle button to display the list of successful logins. You will notice the user2 login details with the same IP address that was configured as risky.

  5. Click the link under Session ID for this user, for instance 50014. The User Sessions - 50014 page appears.

  6. On the User Authentication pane, click Alerts to view the message triggered by the Alert to the Administrator.

Validate the Working of Risky IP Rule

In this section, you will validate that the Risky IP rule is working accurately. To establish the accuracy, log in to the same banking application with a different IP address using a different user. You can also use the same user with a different IP address.

  1. Launch a browser and access the protected application, for instance http://oam.example.com:7777/mybank. Log in as the new user user3/<password> with a different IP address.

  2. The authentication is successful and the user is redirected to the protected application page, for instance /mybank. Note: The user is allowed to access the protected application and is not presented with the challenge. This is because the Risky IP rule was executed, but its condition was not met: the IP address is not in the Risky IPs group.

  3. Open a new browser tab and log in to the OARM Administration console. Specify your credentials and log in.

  4. Click the Application Navigation hamburger menu on top-left, and click Monitor User Sessions. The User Sessions dashboard appears.

  5. Click the Include Successful Sessions toggle button to display the list of successful logins. You will notice the user3 login details.

  6. Click the link under Session ID for this user, for instance 50015. The User Sessions - 50015 page appears.

  7. Click Rules. You will observe no rule was triggered as the condition was not met.

Feedback

To provide feedback on this tutorial, please contact idm_user_assistance_ww_grp@oracle.com
