Workday

Workday is a cloud-based enterprise resource planning (ERP) and human resource information system (HRIS), which allows organizations to analyze and manage their finances and human resources. By connecting Workday to InsightIDR as an event source, you can analyze event data pertaining to user activity and sign-on activity.

To set up Workday:

  1. Read the requirements and complete any prerequisite steps.
  2. Configure Workday to send data to InsightIDR.
  3. Configure InsightIDR to collect data from the event source.
  4. Test the configuration.

You can also:

Visit the third-party vendor's documentation

For the most accurate information about preparing your event source product for integration with InsightIDR, we recommend that you visit the third-party vendor's product documentation.

To use the Workday event source, you need to import Workday Custom Reports from the Solution Catalog and set up appropriate security.

Before you start the configuration: Read about Creating Integration Security System Groups in the Workday documentation at: https://doc.workday.com/admin-guide/en-us/authentication-and-security/configurable-security/security-groups/integration-security-groups/wvu1571267715376.html

Configure Workday to send data to InsightIDR

To allow InsightIDR to receive data from Workday, you must configure the settings in your Workday account to provide access to its user activity and sign-on activity data.

Task 1 - Import the Rapid7 Workday Solution

Login to a non-Preview Workday tenant with a user who has Security Administrator and Security Configurator access.

The easiest way to get the configuration setup in the Workday tenant is to use Workday’s Solution functionality to pull in the required configuration and make modifications from there.

Rapid7 has made a solution available to install the required Custom Report.

Prerequisites:

  • Workday User with Security
  • “PUT Solution”
  • Custom Report Administrator
  • Security Configurator
  • Security Administrator
  • Business Process Administrator
  • Non-Preview Workday Tenant
  • Solutions Enabled in the tenant

For more details on how to enable Solutions in your Workday tenant, visit the Workday documentation at: https://doc.workday.com/admin-guide/en-us/manage-workday/tenant-configuration/solutions/dan1370796663851.html.

To enable security for solutions:

  1. In Workday, access and run the Enable Solutions task, which sets up the necessary certificates in the Workday tenant to import solutions.

  2. Select Confirm and save.

To import the Rapid7 solution:

  1. In Workday, access and run the Browse Solutions task.

  2. Search for solution ID a53d75669349015e314c04326d090cc5 and click OK to confirm.

  3. The Rapid7 solution appears in a table. Click Import All.

  4. Select the solution to import and click OK.

  5. Optionally, if you wish to receive notifications when the Solution gets updated:

    • Select the Receive notifications check box. 

    • Select the tenant. We recommend using the Production tenant, so that tenant refreshes don’t clear the notification.

    • Type the username of the user who should receive the notification.

    • Click OK.

  6. Accept the Importing agreement. The import process will begin. You can click the Refresh button periodically, until the process completes.

Once the process is completed, click Review Import. This shows the objects that were imported as part of the solution. Two key objects are the Custom Reports for RPT Events and RPT Workers. Make sure that these are listed in the import.

Task 2 - Set up Workday Security

To create the Integration System User:

  1. In Workday, access the Create Integration System User task.

  2. Ensure that the Session Timeout Minutes value is set to 0.

  3. Give the account a name, such as ISU_Rapid7 and a complex password. Make sure to save this for later use. 

  4. Select the Do Not Allow UI Sessions check box.

  5. Click OK to save.

To prevent the password for the ISU from periodically expiring, you can add this user to the Password Expiration Exemption list. If you don’t configure this, you will have to periodically update the ISU password in Workday and in InsightIDR so that the credentials are always valid.

To add the Integration System User to the Password Expiration Exemption list:

  1. Access the Maintain Password Rules task.

  2. Select the username of your Integration System User to add them to the list and click OK.

Next, you will need to create the integration system security group and add security policies.

To create the Integration System Security Group:

  1. Access the Create Security Group task.

  2. Select Integration System Security Group (Unconstrained) and give it a meaningful name, such as ISSG Rapid7.

  3. Optionally, add a comment and select the Integration System User you created in the previous step.

  4. Click OK to save the Security Group. 

  5. In the security group view, click the Related Actions button (the icon looks like an ellipsis) and select Security Group > Maintain Domain Permissions for Security Group.

  6. In the modal, add these permissions: Permissions

  7. Click OK to save.

  8. Finally, run the Activate Pending Security Policy Changes task, so that the security changes take effect.

Reports are imported from the Solution Catalog without ownership so you need to transfer ownership and configure the sharing properties.

To transfer Custom Report Ownership:

  1. Access the Transfer Ownership of Custom Reports task.

  2. Search for and select your custom report.

  3. Assign the New Owner as the ISU account you created.

  4. Click the Related Actions button (ellipsis) and select Custom Report > Transfer Ownership.

With the report ownership transferred to the ISU, the ISU account can now access the REST API. However, to ensure the ISU account doesn’t lose access, share the report with security groups.

To modify the custom report sharing properties:

  1. Alongside the report, click the Related Actions button (ellipsis) and select Custom Report > Edit.

  2. Open the Share tab and select the Share with specific authorized groups and users option. 

  3. Select the InsightIDR security group and optionally add other Administrator groups that should have access to the reports (such as the HR Administrator).

  4. Click OK to save.

With the report ownership changed and shared appropriately, you can obtain the URL for the report so that you can add it in InsightIDR later.

To obtain the Custom Report URL:

  1. While viewing the Custom Report, click the Related Action button (ellipsis). 

  2. Select Web Service > View URLs. Then, click OK on the prompt screens.

  3. Scroll down and right click on the JSON Hyperlink and Copy and Save the URL. It will have a format similar to:

https://wd7-impl-services2.workday.com/ccx/service/customreport2///RPT\_Signons\_and\_Attempted\_Signons?format=json

Task 3 - Set up OAuth Authentication

All Workday environments come with access to the API by default. The recommended authentication method to use is OAuth. With this type of authentication, user identity is validated by Workday based on OAuth grant type. 

Use the 'API Client for Integrations' method, because it is the only OAuth flow that allows an expired access token to be refreshed, while not requiring the user to login. Follow the instructions in the Workday documentation at: Workday API Integrations

Here is some additional documentation on how to set up OAuth 2.0 for integrations in Workday:

Task 4 - Obtain your tenant URL and tenant name

To set up the cloud connection in InsightIDR, you must know your Workday tenant URL and tenant name.

To get your Workday tenant URL

  1. Log in to your Workday account and select the Workday Home tab. 

  2. Under the Personal section, select Profile

  3. Under the Account Information section, your Workday tenant URL is displayed. For example, it might look like https://www.myworkday.com.

To get your Workday tenant name:

Your Workday URL contains the tenant name. It is the text that follows the first slash. For example, in the URL www.myworkday.com/mycompany/d/home.htmld, the tenant name is mycompany.

Task 5 - Register an API Client for Integrations with a non-existing refresh token

Workday generates an API Client for Integrations with an Authorization Code Grant client grant type and a Bearer access token type.

Workday also generates a unique Client ID and Client Secret. A refresh token is generated for the account and can be accessed by navigating to API Client → Manage Refresh Tokens for Integrations and selecting the account. This refresh token will be used to retrieve an access token to authenticate all requests.

Read more about this in the Workday documentation at: https://doc.workday.com/admin-guide/en-us/authentication-and-security/authentication/oauth/dan1370797831458.html

Task 6 - Retrieve an access token

If an access token has expired or is about to expire (or an access token has not yet been retrieved), you can request a new access token using the refresh token returned by the token endpoint for Auth Code Grant without PKCE.

To refresh a token:

 
1
POST [hostUrl/tenantUrl]/token

For example:

 
1
POST https://mycompany.workday.com/token

Specify these parameters in the request body:

FieldValue
client_idThe registered API client ID.
client_secretThe registered API client secret.
grant_typerefresh_token
refresh_tokenThe refresh_token value previously retrieved from the API Client → Manage Refresh Tokens for Integrations section.

Get the access_token value from the token endpoint response.

The access token will be used to make calls to the REST API, by including it as the 'Authorization' header of each call. Once the access token has expired, the refresh token can be used to request a new access token (for Auth Code Grant without PKCE only).

Example response:

json
1
{
2
  "access_token": "7c3obrknwd6nnkxv0r64jdpbx",
3
  "refresh_token": "yxsiqvdkakj0tp9a4i2xe1fbg4blgrq1ntg0cidyjgnfg",
4
  "token_type": "Bearer"
5
}

Task 7 - Gather log events from the Workday API

To collect the logs that document user activity and sign-on activity, you must enable tracking in your Workday account. 

To enable tracking in your Workday account: https://doc.workday.com/admin-guide/en-us/integrations/workday-rest-api/rest-api-guides/user-activity-logging-rest-api/mhr1626995534900.html → Within the Edit Tenant Setup - System task, select the Enable User Activity Logging.

Task 8 - Generate the Signons and Attempted Signons report

Workday provides a standard report that contains data about signons and attempted signons. However, you cannot copy the report for this configuration. Instead, you must create a custom report as a web service using the data source: Data Source : All System Account Signons

The benefit of setting up your custom report as a web service (RaaS) is that you will avoid any disruption to your integration processes if Workday updates their standard report. Your report is accessible through the RaaS REST API and Workday generates a unique RaaS namespace for the report.

For help adding prompts to the report, view the Workday documentation at: https://doc.workday.com/admin-guide/en-us/reporting-and-analytics/custom-reports-and-analytics/set-up-reports/oof1496961011924.html 

For help adding filters to the report, view the Workday documentation at:https://doc.workday.com/admin-guide/en-us/reporting-and-analytics/custom-reports-and-analytics/set-up-reports/guy1497022981508.html

To create and customize the report:

  1. Make an exact replica of the report by searching for the Workday delivered fields from the standard report and following the instructions at: https://doc.workday.com/admin-guide/en-us/authentication-and-security/authentication/monitoring-sign-ins/ele1391544534012.html.

  2. Set up filters in the report to match this screenshot:

  •  And > Sign-on Time > greater than or equal to > Value from another field > Prompt - Date and Time 1

  • And > Sign-on Time > less than or equal to > Value from another field > Prompt - Date and Time 2 

Permissions

  1. Set up prompts in the report to match this screenshot. The prompts ensure that you can gather logs based on time and date: 

  • Prompt - Date and Time 1 > no default value > Required Prompt

  • Prompt - Date and Time 2 > no default value > Required Prompt

  • From Moment > Determine default value at runtime > Prompt - Date and Time 1 >  Required Prompt > Do Not Prompt at Runtime

  • To Moment >  Determine default value at runtime >  Prompt - Date and Time 2 >  Required Prompt > Do Not Prompt at Runtime

Permissions

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

Before you begin, decide whether you want to use a test tenant or your production tenant for this configuration. This will inform the selection you make in step 12. For help with tenant management, refer to the Workday documentation at: https://community.workday.com/node/24324 .

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.

  2. Do one of the following:

    • Search for Workday in the event sources search bar.

    • In the Product Type filter, select Cloud Service.

  3. Select Workday as the event source type.

  4. Name the event source. This will become the name of the log that contains the event data in Log Search. 

  5. Optionally, select the option to send unparsed data.

  6. Select your LDAP Account Attribution preference:

    • Use short name attribution: Applies the short name of the user without the domain suffix in the username field. For example, if the username was jsmith@myorg.example.com, the short name would be jsmith.

    • Use fully qualified domain name attribution: If you have a multi-domain environment, this option works best to attribute users and assets.

  7. Optionally, in a multi-domain environment, use the dropdown menu to select your main Active Directory domain. See Deploy in Multi-domain Environments and Advanced Event Source Settings.

  8. Click Add a New Connection.

  9. In the Create a Cloud Connection screen, enter a name for the new connection.

  10. In the Tenant URL field, enter your Workday tenant URL. Your tenant URL is usually shorter than the main Workday URL. For example, it may look like https://www.myworkday.com. You can find it by logging into Workday and selecting Profile > Account Information.

  11. In the Tenant Name field, enter the part of your URL that appears after the first slash. For example, if your main Workday URL looks like www.myworkday.com/mycompany/d/home.htmld, the tenant name would be mycompany.

  12. In the Custom Report URL field, enter the URL of the report you created when you Configured Workday to send data to InsightIDR. Report URLs can vary, but yours might look like: https://wd7-impl-services2.workday.com/ccx/service/customreport2///RPT\_Signons\_and\_Attempted\_Signons?format=json .

  13. Under the Credentials section, enter the Workday Client ID, Client Secret, and Refresh Token that you created when you Configured Workday to send data to InsightIDR.

  14. Click Save Cloud Connection.

  15. On the Add Event Source panel, click Save.

Test the configuration

The event types that InsightIDR parses from this event source are:

  • User Activity events

  • Signon Activity events

To test that event data is flowing into InsightIDR through the Cloud Connection:

  1. View the raw logs. 

    • From the Data Collection Management page, click the Event Sources tab. 

    • Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to InsightIDR. 

  2. Use Log Search to find the log entries. After approximately seven minutes, you can verify that log entries are appearing in Log Search. 

    • From the left menu, go to Log Search.

    • In the Log Search filter, search for the new event source you created.

    • Select the log sets and the log names under each log set. Workday logs flow into these log sets:

      • User Activity: Cloud Service Activity

      • Signon Activity: Ingress Authentication

    • Set the time range to Last 10 minutes and click Run.

The Results table displays all log entries that flowed into InsightIDR in the last 10 minutes. The keys and values that are displayed are helpful when you want to build a query and search your logs.

Sample logs

In Log Search, the logs that are generated use the name of your event source by default. The logs appear under the log sets:

  • User Activity: Cloud Service Activity

  • Signon Activity: Ingress Authentication

Here are some examples of the log entries that can be created by this event source:

Sample user activity log

json
1
{
2
    "activityAction":"READ",
3
    "systemAccount":"wd-environments",
4
    "requestTime":"2023-12-01T00:08:00-01:00",
5
    "taskDisplayName":"Workday System Status",
6
    "taskId":"dc3e4ee2446c11de98360015c5e6daf6",
7
    "sessionId":"d245fc",
8
    "ipAddress":"127.0.0.1",
9
  "tenant_name":"R7"
10
}
11


12
**Sample user sign on log**
13
```json
14
{
15
    "Request_Originator":"UI",
16
    "Session_End":"2023-12-01T00:08:00-01:00",
17
    "Signon":"wd-environments / Workday Production Automation: 2023 12 01 00 08 00 000 -0100",
18
    "Device_is_Trusted":"0",
19
    "Password_Changed":"0",
20
    "Session_Start":"2023-12-01T00:08:00-01:00",
21
    "Invalid_Credentials":"0",
22
    "Workday_Account":"wd-environments / Workday Production Automation",
23
    "Is_Device_Managed":"0",
24
    "Required_Multi-Factor":"0",
25
    "Failed_Signon":"0",
26
    "Session_IP_Address":"127.0.0.1",
27
    "Account_Locked__Disabled_or_Expired":"0",
28
    "Authentication_Type_for_Signon":"User Name Password",
29
    "Session_ID":"863734",
30
    "tenant_name":"R7"
31
}