Workday

Workday is a cloud-based enterprise resource planning (ERP) and human resource information system (HRIS), which allows organizations to analyze and manage their finances and human resources. By connecting Workday to InsightIDR as an event source, you can analyze event data pertaining to user activity.

To set up Workday:

  1. Read the requirements and complete any prerequisite steps.
  2. Configure Workday to send data to InsightIDR.
  3. Configure InsightIDR to collect data from the event source.
  4. Test the configuration.

You can also:

Visit the third-party vendor's documentation

For the most accurate information about preparing your event source product for integration with InsightIDR, we recommend that you visit the third-party vendor's product documentation.

Before you start the configuration:

Read about creating Integration Security System Groups in the Workday documentation at: https://doc.workday.com/admin-guide/en-us/authentication-and-security/configurable-security/security-groups/integration-security-groups/wvu1571267715376.html .

Configure Workday to send data to InsightIDR

To allow InsightIDR to receive data from Workday, you must configure the settings in your Workday account to provide access to its user activity data.

Task 1 - Set up OAuth Authentication

All Workday environments come with access to the API by default. The recommended authentication method to use is OAuth. With this type of authentication, user identity is validated by Workday based on OAuth grant type. 

Use the API Client for Integrations method, because it is the only OAuth flow that allows an expired access token to be refreshed without requiring the user to log in. Follow the instructions in the Workday documentation at: Workday API Integrations

Here is some additional documentation on how to set up OAuth 2.0 for integrations in Workday:

Task 2 - Obtain your tenant URL and tenant name

To set up the cloud connection in InsightIDR, you must know your Workday tenant URL and tenant name.

To get your Workday tenant URL:

  1. Log in to your Workday account and select the Workday Home tab.
  2. Under the Personal section, select Profile.
  3. Under the Account Information section, your Workday tenant URL is displayed. For example, it might look like https://www.myworkday.com.

To get your Workday tenant name:

Your Workday URL contains the tenant name. It is the text that follows the first slash. For example, in the URL www.myworkday.com/mycompany/d/home.htmld, the tenant name is mycompany.

Task 3 - Register an API Client for Integrations with a non-existing refresh token

Workday generates an API Client for Integrations with an Authorization Code Grant client grant type and a Bearer access token type.

Workday also generates a unique Client ID and Client Secret. A refresh token is generated for the account and can be accessed by navigating to API Client → Manage Refresh Tokens for Integrations and selecting the account. This refresh token will be used to retrieve an access token to authenticate all requests.

Read more about this in the Workday documentation at: https://doc.workday.com/admin-guide/en-us/authentication-and-security/authentication/oauth/dan1370797831458.html

Task 4 - Retrieve an access token

If an access token has expired or is about to expire (or an access token has not yet been retrieved), you can request a new access token using the refresh token returned by the token endpoint for Auth Code Grant without PKCE.

To refresh a token:

    POST [hostUrl/tenantUrl]/token

Example:

    POST https://mycompany.workday.com/token

Specify these parameters in the request body:

    Field            Value
    client_id        The registered API client ID.
    client_secret    The registered API client secret.
    grant_type       refresh_token
    refresh_token    The refresh_token value previously retrieved from the API Client → Manage Refresh Tokens for Integrations section.

Get the access_token value from the token endpoint response.

The access token will be used to make calls to the REST API, by including it as the 'Authorization' header of each call. Once the access token has expired, the refresh token can be used to request a new access token (for Auth Code Grant without PKCE only).

Example response:

    {
      "access_token": "7c3obrknwd6nnkxv0r64jdpbx",
      "refresh_token": "yxsiqvdkakj0tp9a4i2xe1fbg4blgrq1ntg0cidyjgnfg",
      "token_type": "Bearer"
    }
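
The refresh request and response handling from Task 4, as an added Python example (not Rapid7 or Workday code). It assumes the body fields are form-encoded and that failures use the RFC 6749 error shape; the function names are illustrative, and it goes slightly beyond the page by rejecting non-HTTPS endpoints and error responses.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def build_refresh_request(token_url, client_id, client_secret, refresh_token):
    """Build the Task 4 POST without sending it, so it can be inspected."""
    parts = urllib.parse.urlsplit(token_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("token endpoint must be an https:// URL")
    # Assumption: fields are form-encoded in the body, as RFC 6749 specifies.
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
    }).encode("ascii")
    return urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw):
    """Return (Authorization header for REST calls, refresh token or None)."""
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("token response is not a JSON object")
    if "error" in doc:  # RFC 6749 error shape, e.g. a revoked refresh token
        raise PermissionError("token endpoint refused: %s" % doc["error"])
    token = doc.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("response carries no access_token")
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {"Authorization": "Bearer " + token}, doc.get("refresh_token")


def refresh_access_token(token_url, client_id, client_secret, refresh_token):
    """Send the request; load the secrets from a vault or the environment."""
    req = build_refresh_request(token_url, client_id, client_secret, refresh_token)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as exc:  # OAuth errors arrive as HTTP 4xx
        raw = exc.read()
    return parse_token_response(raw)
```

Only `refresh_access_token` touches the network; the other two functions can be exercised offline against a saved response before the credentials are entered in InsightIDR.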

Task 5 - Gather log events from the Workday API

To collect the logs that document user activity, you must enable tracking in your Workday account. 

To enable tracking in your Workday account:

  1. Follow the steps in the Workday documentation at https://doc.workday.com/admin-guide/en-us/integrations/workday-rest-api/rest-api-guides/user-activity-logging-rest-api/mhr1626995534900.html
  2. Within the Edit Tenant Setup - System task, select Enable User Activity Logging.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

Before you begin, decide whether you want to use a test tenant or your production tenant for this configuration. This will inform the selection you make in step 12.

For help with tenant management, refer to the Workday documentation at https://community.workday.com/node/24324 .

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Workday in the event sources search bar.
    • In the Product Type filter, select Cloud Service.
  3. Select Workday as the event source type.
  4. Name the event source. This will become the name of the log that contains the event data in Log Search.
  5. Optionally, select the option to send unparsed data.
  6. Select your Account Attribution preference:
    • Use short name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by short name, for example, jsmith. If the short name is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith.
    • Use fully qualified domain name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith. This option is best if your environment has collisions with short names.
  7. Optionally, in a multi-domain environment, use the dropdown menu to select your main Active Directory domain. See Deploy in Multi-domain Environments and Advanced Event Source Settings.
  8. Click Add a New Connection.
  9. In the Create a Cloud Connection screen, enter a name for the new connection.
  10. In the Tenant URL field, enter your Workday tenant URL. Your tenant URL is usually shorter than the main Workday URL. For example, it may look like https://www.myworkday.com. You can find it by logging into Workday and selecting Profile > Account Information.
  11. In the Tenant Name field, enter the part of your URL that appears after the first slash. For example, if your main Workday URL looks like www.myworkday.com/mycompany/d/home.htmld, the tenant name would be mycompany.
  12. Under the Credentials section, enter the Workday Client ID, Client Secret, and Refresh Token that you created when you configured Workday to send data to InsightIDR.
  13. Click Save Cloud Connection.
  14. On the Add Event Source panel, click Save.

Test the configuration

The event types that InsightIDR parses from this event source are User Activity events.

To test that event data is flowing into InsightIDR through the Cloud Connection:

  1. View the raw logs. 
    • From the Data Collection Management page, click the Event Sources tab. 
    • Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to InsightIDR.
  2. Use Log Search to find the log entries. After approximately seven minutes, you can verify that log entries are appearing in Log Search.
    • From the left menu, go to Log Search.
    • In the Log Search filter, search for the new event source you created.
      • Select the log set and the log names under each log set. Workday logs flow into the log set User Activity: Cloud Service Activity.
    • Set the time range to Last 10 minutes and click Run.

The Results table displays all log entries that flowed into InsightIDR in the last 10 minutes. The keys and values that are displayed are helpful when you want to build a query and search your logs.

Sample logs

In Log Search, the logs that are generated use the name of your event source by default. The logs appear in the log set:

  • User Activity: Cloud Service Activity

Here is an example of the log entries that can be created by this event source:

Sample user activity log

    {
      "activityAction": "READ",
      "systemAccount": "wd-environments",
      "requestTime": "2023-12-01T00:08:00-01:00",
      "taskDisplayName": "Workday System Status",
      "taskId": "dc3e4ee2446c11de98360015c5e6daf6",
      "sessionId": "d245fc",
      "ipAddress": "127.0.0.1",
      "tenant_name": "R7"
    }