Workday

About

Workday offers built-in audit and internal controls so that organizations can adapt quickly to regulatory requirements.

Product Details

Vendor URL: Simplify audit and compliance. - Workday

Product Type: Audit and Compliance

Product Tier: Tier II

Integration Method: Custom

Integration URL: N/A

Log Guide: N/A

Parser Details

Log Format: JSON

Expected Normalization Rate: 75%

Data Label: WORKDAY_AUDIT

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
| --- | --- |
| jobid | additional.fields |
| vendor | metadata.vendor_name |
| product | metadata.product_name |
| version | metadata.product_version |
| product_event | metadata.product_event_type |
| GENERIC_EVENT | metadata.event_type |
| display_name | principal.user.user_display_name |
| user_agent | network.http.user_agent |
| description | metadata.description |
| platform | principal.platform_version |
| src | principal.hostname |
| src | principal.ip |
| file_name | src.file.full_path |
| dst | target.hostname |
| dst | target.ip |
| dhost | target.hostname |
| dhost | target.ip |
| shost | principal.hostname |
| shost | principal.ip |
| summary | security_result.summary |
| suser | principal.user.userid |
| request | target.url |
| INFORMATIONAL/LOW/MEDIUM/HIGH | security_result.severity |
| observer | observer.hostname |
| observer | observer.ip |

Product Event Types

| type,subtype | UDM Event Classification |
| --- | --- |
| DEFAULT | GENERIC_EVENT |

Log Sample

{"msg": "\"2021-12-07T08:05:27.896-08:00\",\"redacted\",\"Search in Main Page (Web Service)\",\"READ\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36\",\"10.11.11.61\",\"\",\"\",\"Desktop\",\"JOHNDOE\"\n", "length": 244, "file_name": "REPORT_20211207_081523.csv.gz", "product": "Workday", "vendor": "Workday"}

Sample Parsing

metadata.event_timestamp = "2021-12-07T08:05:27Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Workday"
metadata.product_name = "Workday"
metadata.product_event_type = "Search in Main Page (Web Service)"
metadata.ingested_timestamp = "2021-12-07T16:26:46.268520Z"
principal.user.userid = "JOHNDOE"
principal.ip = "10.11.11.61"
principal.platform_version = "Desktop"
principal.namespace = "COMPANYNAME"
principal.asset.ip = "10.11.11.61"
src.file.full_path = "REPORT_20211207_081523.csv.gz"
src.namespace = "COMPANYNAME"
observer.namespace = "COMPANYNAME"
security_result.summary = "READ"
network.http.user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"
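
An added Python example, not the WORKDAY_AUDIT parser itself: it decodes the Log Sample's JSON envelope and the quoted CSV row inside msg, then emits the UDM fields from the table above. The column positions and the IP-or-hostname handling are assumptions inferred from the sample, and the -08:00 offset in the log is applied, so the event time comes out as 16:05:27Z rather than the 08:05:27Z shown under Sample Parsing.

```python
import csv, io, ipaddress, json
from datetime import datetime, timezone

# Constructed input: the page's Log Sample, rebuilt as a Python literal.
SAMPLE = json.dumps({
    "msg": '"2021-12-07T08:05:27.896-08:00","redacted",'
           '"Search in Main Page (Web Service)","READ",'
           '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
           '(KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",'
           '"10.11.11.61","","","Desktop","JOHNDOE"\n',
    "file_name": "REPORT_20211207_081523.csv.gz",
    "product": "Workday", "vendor": "Workday"})

# Assumed column positions, inferred from the sample and its parsed output.
COLUMNS = {2: "metadata.product_event_type", 3: "security_result.summary",
           4: "network.http.user_agent", 8: "principal.platform_version",
           9: "principal.user.userid"}
ENVELOPE = {"vendor": "metadata.vendor_name", "product": "metadata.product_name",
            "file_name": "src.file.full_path"}

def parse_workday_audit(raw):
    """Map one WORKDAY_AUDIT record to a flat dict of UDM field names."""
    record = json.loads(raw)
    # csv.reader honours the quoting, so the comma inside the user agent
    # "(KHTML, like Gecko)" does not shift the columns as str.split would.
    rows = list(csv.reader(io.StringIO(record.get("msg", ""))))
    if len(rows) != 1 or len(rows[0]) != 10:
        raise ValueError("msg is not a single 10-column CSV row")
    row = rows[0]
    udm = {"metadata.event_type": "GENERIC_EVENT"}
    udm.update({dst: record[src] for src, dst in ENVELOPE.items() if record.get(src)})
    udm.update({dst: row[i] for i, dst in COLUMNS.items() if row[i]})
    # Apply the UTC offset carried in the log instead of dropping it.
    ts = datetime.fromisoformat(row[0]).astimezone(timezone.utc)
    udm["metadata.event_timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    if row[5]:  # Assumption: like src in the table, an IP or a host name
        try:
            udm["principal.ip"] = str(ipaddress.ip_address(row[5]))
        except ValueError:
            udm["principal.hostname"] = row[5]
    return udm

if __name__ == "__main__":
    for key, value in sorted(parse_workday_audit(SAMPLE).items()):
        print(f"{key} = {value!r}")
```

When correlating these events with other sources, compare the normalized metadata.event_timestamp against the raw msg timestamp to confirm which of the two values your pipeline stores.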

Parser Alerting

This product currently does not have any Parser-based Alerting.

Rules

Coming Soon