Collect Workday HCM logs

This parser extracts Workday HCM user data from JSON-formatted logs. It handles various data transformations, including renaming fields, merging nested objects, parsing dates, and populating UDM fields for user attributes, employment details, and organizational structure. It also includes error handling for malformed JSON and missing critical fields.

Before you begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have privileged access to Workday.

Create an Integration System User (ISU) in Workday

  1. Sign in to Workday with administrative privileges.
  2. Type Create Integration System User in the search bar and select the task from the results.
  3. Enter a Username.
  4. Set a Password.
  5. Set Session Timeout Minutes to 0 to prevent the ISU from timing out.
  6. Select the Do Not Allow UI Sessions checkbox to enhance security by restricting UI logins.
  7. Go to the Maintain Password Rules task.
  8. Exempt the integration system user from password expiration by adding them to the System Users exempt from password expiration field.

Create an integration security group in Workday

  1. Type Create Security Group in the search bar and select the task from the results.
  2. Locate the Type of Tenanted Security Group field, and select Integration System Security Group (Unconstrained).
  3. Provide a name for the security group.
  4. Click OK.
  5. Click Edit for the newly created security group.
  6. Assign the Integration System User from the previous step to the security group.
  7. Click Done.

Grant domain access to the security group in Workday

  1. Type Maintain Permissions for Security Group in the search bar and select the task from the results.
  2. Choose the security group you created from the Source Security Group list to modify its permissions.
  3. Click OK.
  4. Go to Maintain Permissions for Security Group > Domain Security Policy Permissions.
  5. Assign the necessary permissions for each domain, such as GET operations.
  6. Click OK.
  7. Click Done to save changes.

Activate security policy changes in Workday

  1. Type Activate Pending Security Policy Changes in the search bar and select the task from the results.
  2. Start the Activate Pending Security Policy Changes task by entering a reason for your audit in the comment field, then click OK.
  3. Complete the task on the next screen by selecting the Confirm checkbox, then click OK.

Configure a feed in Google SecOps to ingest Workday logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, Workday Logs).
  4. Select Third Party API as the Source type.
  5. Select the Workday log type.
  6. Click Next.
  7. Specify values for the following input parameters:
    • API Hostname: The FQDN of your Workday REST API endpoint.
    • Tenant: The last path element of your Workday API endpoint, which identifies your instance.
    • Access Token: The OAuth access token.
    • Asset namespace: The asset namespace.
    • Ingestion labels: The label applied to the events from this feed.
  8. Click Next.
  9. Review the feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

| Log field | UDM mapping | Logic |
|---|---|---|
| @timestamp | read_only_udm.metadata.event_timestamp.seconds | The raw log's @timestamp field is renamed to timestamp and parsed as a timestamp in seconds since epoch. |
| businessTitle | read_only_udm.entity.entity.user.title | Directly mapped from the businessTitle field in the raw log. |
| descriptor | read_only_udm.entity.entity.user.user_display_name | Directly mapped from the descriptor field in the raw log. |
| Employee_ID | read_only_udm.entity.entity.user.employee_id | Directly mapped from the Employee_ID field in the raw log. |
| Employee_ID | read_only_udm.entity.metadata.product_entity_id | Directly mapped from the Employee_ID field in the raw log when id is not present. |
| gopher-supervisor.descriptor | read_only_udm.entity.entity.user.managers.user_display_name | Directly mapped from the gopher-supervisor.descriptor field in the raw log, renamed to empmanager.user_display_name and then merged into managers. |
| gopher-supervisor.id | read_only_udm.entity.entity.user.managers.product_object_id | Directly mapped from the gopher-supervisor.id field in the raw log, renamed to empmanager.product_object_id and then merged into managers. |
| gopher-supervisor.primaryWorkEmail | read_only_udm.entity.entity.user.managers.email_addresses | Directly mapped from the gopher-supervisor.primaryWorkEmail field in the raw log and then merged into managers. |
| gopher-time-off.date | read_only_udm.entity.entity.user.time_off.interval.start_time | Parsed as a date from the date field of each element of the gopher-time-off array in the raw log. |
| gopher-time-off.descriptor | read_only_udm.entity.entity.user.time_off.description | Directly mapped from the descriptor field of each element of the gopher-time-off array in the raw log. |
| Hire_Date | read_only_udm.entity.entity.user.hire_date | Parsed as a date from the Hire_Date field in the raw log. |
| id | read_only_udm.entity.metadata.product_entity_id | Directly mapped from the id field in the raw log when present. |
| Job_Profile | read_only_udm.entity.entity.user.title | Directly mapped from the Job_Profile field in the raw log when businessTitle is not present. |
| Legal_Name_First_Name | read_only_udm.entity.entity.user.first_name | Directly mapped from the Legal_Name_First_Name field in the raw log. |
| Legal_Name_Last_Name | read_only_udm.entity.entity.user.last_name | Directly mapped from the Legal_Name_Last_Name field in the raw log. |
| location.descriptor | read_only_udm.entity.entity.location.city | Directly mapped from the location.descriptor field in the raw log, renamed to _location.city and then to entity.entity.location.city. |
| primarySupervisoryOrganization.descriptor | read_only_udm.entity.entity.user.department | Directly mapped from the primarySupervisoryOrganization.descriptor field in the raw log. |
| primaryWorkEmail | read_only_udm.entity.entity.user.email_addresses | Directly mapped from the primaryWorkEmail field in the raw log. |
| primaryWorkPhone | read_only_udm.entity.entity.user.phone_numbers | Directly mapped from the primaryWorkPhone field in the raw log. |
| Termination_Date | read_only_udm.entity.entity.user.termination_date | Parsed as a date from the Termination_Date field in the raw log. |
| Work_Email | read_only_udm.entity.entity.user.email_addresses | Directly mapped from the Work_Email field in the raw log when primaryWorkEmail is not present. |
| collection_time | read_only_udm.metadata.event_timestamp.collected_timestamp | The log's collection_time is mapped to collected_timestamp. |
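The following Python model of the mapping logic in the table is an added example, not the Google SecOps parser itself: it shows the id/Employee_ID, businessTitle/Job_Profile and primaryWorkEmail/Work_Email fallbacks, the supervisor merge into managers, date parsing, and the error handling for malformed JSON and missing critical fields. The sample record is constructed for illustration, and dates are represented as epoch seconds.

```python
import json
from datetime import datetime, timezone

# Constructed sample record shaped like the fields in the mapping table (not real Workday output).
SAMPLE = json.dumps({
    "@timestamp": "2024-03-05T12:34:56Z", "Employee_ID": "E1001", "descriptor": "Jane Doe",
    "Job_Profile": "Security Engineer", "Legal_Name_First_Name": "Jane", "Legal_Name_Last_Name": "Doe",
    "Hire_Date": "2021-06-01", "Work_Email": "jane.doe@example.com",
    "gopher-supervisor": {"id": "M77", "descriptor": "Sam Lee", "primaryWorkEmail": "sam.lee@example.com"},
    "gopher-time-off": [{"date": "2024-03-10", "descriptor": "Vacation"}],
    "location": {"descriptor": "Dublin"},
})

def to_epoch(value):
    """Parse an ISO-8601 timestamp or YYYY-MM-DD date into seconds since epoch (UTC)."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return int(dt.replace(tzinfo=dt.tzinfo or timezone.utc).timestamp())

def map_workday_user(raw):
    """Map one Workday HCM JSON record to the UDM entity fields listed in the table."""
    try:
        log = json.loads(raw)
    except json.JSONDecodeError as exc:  # malformed JSON is reported, not silently dropped
        return {"error": f"malformed JSON: {exc.msg}"}
    entity_id = log.get("id") or log.get("Employee_ID")  # id wins; Employee_ID is the fallback
    if not entity_id or "@timestamp" not in log:
        return {"error": "missing critical field (id/Employee_ID or @timestamp)"}
    user = {
        "employee_id": log.get("Employee_ID"),
        "user_display_name": log.get("descriptor"),
        "title": log.get("businessTitle") or log.get("Job_Profile"),  # businessTitle preferred
        "first_name": log.get("Legal_Name_First_Name"),
        "last_name": log.get("Legal_Name_Last_Name"),
        "email_addresses": [e for e in [log.get("primaryWorkEmail") or log.get("Work_Email")] if e],
        "department": (log.get("primarySupervisoryOrganization") or {}).get("descriptor"),
        "hire_date": to_epoch(log["Hire_Date"]) if log.get("Hire_Date") else None,
        "termination_date": to_epoch(log["Termination_Date"]) if log.get("Termination_Date") else None,
        # each gopher-time-off element's date becomes a time_off interval start
        "time_off": [{"interval": {"start_time": to_epoch(t["date"])}, "description": t.get("descriptor")}
                     for t in log.get("gopher-time-off") or [] if t.get("date")],
    }
    sup = log.get("gopher-supervisor") or {}
    if sup:  # nested supervisor object is renamed and merged into managers
        user["managers"] = [{"user_display_name": sup.get("descriptor"), "product_object_id": sup.get("id"),
                             "email_addresses": [sup["primaryWorkEmail"]] if sup.get("primaryWorkEmail") else []}]
    return {
        "metadata": {"event_timestamp": {"seconds": to_epoch(log["@timestamp"])}, "product_entity_id": entity_id},
        "entity": {"user": user, "location": {"city": (log.get("location") or {}).get("descriptor")}},
    }
```

Running map_workday_user(SAMPLE) returns the UDM-shaped dictionary; feeding it a record without id, Employee_ID or @timestamp returns an error entry instead.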

Changes

2022-09-15

  • Migrated to default parser.

2022-05-11

  • Migrated to default parser.