Workday

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

Workday Activity Logs

✅

workday_activity_logs

NDJSON

API


Overview

Workday is a cloud-based software company that provides enterprise resource planning (ERP) solutions, primarily focused on human capital management (HCM) and financial management. Designed for medium to large organizations, Workday helps businesses manage tasks such as payroll, workforce planning, recruiting, and performance management. Its intuitive interface, advanced analytics, and scalability make it a popular choice for organizations looking to streamline HR and financial processes while gaining real-time insights into their operations.

Supported data types

Workday Activity Logs

Table name: workday_activity_logs

Workday Activity Logs provide a detailed record of user and system activities within the Workday platform. These logs capture information such as user actions, system events, and API calls, helping administrators monitor system usage, troubleshoot issues, and ensure compliance with security policies. The logs offer insights into user behavior, audit trails, and potential security threats, making them a valuable tool for maintaining transparency, identifying irregular activities, and enhancing overall system security.

Learn more here.

Send data to Hunters

Hunters supports the collection of Workday logs via API. To connect Workday to Hunters, you’ll need to acquire the following information from your Workday environment:

  • Host

  • Tenants

  • Client ID

  • Client Secret

  • Refresh Token

To connect Workday logs:

Step 1: Enable User Activity Logging

Before submitting User Activity Logging REST API requests, begin logging the user activity in the tenant:

  1. Search for and open the Edit Tenant Setup - System task.

  2. Select the Enable User Activity Logging option.

Step 2: Create an Integration System User (ISU) on Workday

An integration system user (ISU) account is required for Hunters to access your Workday tenant. You can create an ISU from the Workday portal. The ISU must also belong to a security group with permission to access Workday User Logging.

  1. Search for and open the Create Integration System User task.

  2. In the new window, fill in the following:

    1. User Name - ISU_hunters

    2. Password - Create a password and verify it in the next field.

    3. Session Timeout Minutes - 0 (disable session expiration).

    4. Don’t Allow UI Sessions - Yes (select this checkbox).

  3. Once done, click OK.

  4. Search for and open the Create Security Group task.

  5. From the Type of Tenanted Security Group dropdown, select Integration System Security Group (Unconstrained).

  6. In the Name field, provide a group name. We recommend using ISU_hunters. It doesn’t need to be the same as the ISU name.

  7. Click OK.
    Your security group edit window will now open.

  8. From the Integration Systems User field, select the ISU you previously created (ISU_hunters).

  9. Click OK.

  10. Search for and open the Maintain Permissions for Security Group task to update domain security policies.

  11. In the new window, perform the following:

    1. From the Operation radio button, select Maintain.

    2. In the Source Security Group field, select the security group you previously created (ISU_hunters).

    3. Click OK.

  12. Navigate to the Domain Security Policy Permissions tab and add the permission: Get only access to the System Auditing domain.

  13. Click OK.

  14. Search for and run the Activate Pending Security Policy Changes task to activate the changes.

Step 3: Register the API client for integrations in your tenant

  1. Enable OAuth for the tenant:

    1. Search for and open the Edit Tenant Setup - Security task.

    2. Scroll down to the OAuth 2.0 Settings section and select the OAuth 2.0 Clients Enabled check box.

  2. Search for and open the Register API client for integrations task.

  3. In the new window, fill in the following:

    1. Client Name - Hunters

    2. Non-expiring refresh token - Yes (select this checkbox).

    3. Scope - System

  4. Click OK.

  5. Locate the Client ID and Client Secret values and keep them in a safe place for future use.

Step 4: Generate a refresh token

  1. Search for and open the View API client task and navigate to the API clients for integration tab.

  2. Open the Hunters client created in the previous step.

  3. Select the ellipses (...), and then navigate to API client > Manage Refresh Token for Integration.

  4. In the new window, from the Workday Account field, select the ISU created previously for Hunters (ISU_hunters) and click OK.

  5. In the new window, enable the Generate new refresh token checkbox and click OK.

  6. Copy the generated refresh token and keep it in a safe place for future use.

Step 5: Acquire your Host and Tenant

These are usually visible in the Workday URL when you're logged in. For example, in the URL https://impl.workday.com/mycompany/d/home.htmld, the Host value is https://impl.workday.com and the Tenant is mycompany.

In some cases, your Workday URL can look like this: workday.com/ccx/service/TENANT/, in which case your Tenant name is located after /service.

Step 6: Finalize the connection on Hunters

Complete the process on the Hunters platform, following this guide.

Expected format

Logs are expected in JSON format.

        {
            "taskId": "109d2j19u2hf21798fh12",
            "activityAction": "READ",
            "taskDisplayName": "wql/data/view (POST) (v1 -  )",
            "ipAddress": "1.2.3.4",
            "sessionId": "abcdef",
            "systemAccount": "system_test",
            "requestTime": "2024-08-15T07:08:45.943Z"
        }
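
The following Python example is added here and is not code from Hunters or Workday. It parses NDJSON activity records with the field names shown above and flags activity by the integration account that comes from outside an expected network or is not a READ. The allowed network, the non-READ action value, and reading systemAccount as the account name are assumptions made for the example.

```python
import ipaddress
import json

# Constructed record using the field names from the sample on this page.
TEMPLATE = {"taskId": "t-0", "activityAction": "READ", "taskDisplayName": "constructed task",
            "ipAddress": "203.0.113.10", "sessionId": "s-0", "systemAccount": "ISU_hunters",
            "requestTime": "2024-08-15T07:08:45.943Z"}
REQUIRED = tuple(TEMPLATE)

def parse_ndjson(text):
    """Return (records, errors); one JSON object is expected per non-empty line."""
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            if not isinstance(rec, dict):
                raise ValueError("not a JSON object")
            missing = [k for k in REQUIRED if k not in rec]
            if missing:
                raise ValueError("missing fields: " + ", ".join(missing))
            rec["ipAddress"] = ipaddress.ip_address(rec["ipAddress"])
        except ValueError as exc:  # also covers json.JSONDecodeError
            errors.append((lineno, str(exc)))
        else:
            records.append(rec)
    return records, errors

def review_account(records, account, allowed_nets):
    """Flag records for `account` sent from outside allowed_nets or not a READ."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for rec in records:
        if rec["systemAccount"] != account:
            continue
        checks = {"unexpected_source_ip": not any(rec["ipAddress"] in n for n in nets),
                  "non_read_action": rec["activityAction"] != "READ"}
        reasons = [name for name, hit in checks.items() if hit]
        if reasons:
            findings.append((rec["taskId"], reasons))
    return findings

# Constructed NDJSON input (not tenant data); the last line is deliberately truncated.
_rows = [{"taskId": "t-1"}, {"taskId": "t-2", "ipAddress": "198.51.100.77"},
         {"taskId": "t-3", "activityAction": "CONSTRUCTED_NON_READ"},
         {"taskId": "t-4", "systemAccount": "system_test", "ipAddress": "1.2.3.4"}]
SAMPLE = "\n".join([json.dumps({**TEMPLATE, **r}) for r in _rows] + ['{"taskId": "t-5"'])
```

Calling `review_account(parse_ndjson(SAMPLE)[0], "ISU_hunters", ["203.0.113.0/24"])` reports tasks t-2 and t-3; the truncated line is returned in `errors` rather than silently dropped.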