Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion packages/workday/_dev/build/build.yml
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
dependencies:
ecs:
reference: git@v9.3.0
reference: git@v9.4.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severity: 🟡 Medium confidence: medium path: packages/workday/_dev/build/build.yml:3

build.yml bumps the ECS pin to v9.4.0, but the existing activity pipeline still sets ecs.version: 9.3.0, leaving the package build ECS version and the activity pipeline inconsistent. Bump the activity pipeline to 9.4.0 to match.

Details

This PR raises the ECS dependency pin from git@​v9.3.0 to git@​v9.4.0. The new sign_on pipeline correctly sets ecs.version: 9.4.0, but the pre-existing activity pipeline (data_stream/activity/elasticsearch/ingest_pipeline/default.yml) still hardcodes ecs.version: 9.3.0. After this change the two are inconsistent: activity documents report ECS 9.4.0 while the package is built against ECS 9.4.0 mappings. The bump should be applied consistently across all pipelines in the package.

Recommendation:

Update the activity pipeline's set_ecs_version processor to match the new build pin:

  - set:
      field: ecs.version
      tag: set_ecs_version
      value: 9.4.0

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't perform activity datatsream changes in sign-on datatsream PR.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severity: 🟠 High confidence: high path: packages/workday/_dev/build/build.yml:3

This PR bumps the ECS pin in build.yml to v9.4.0 but the existing activity pipeline still emits ecs.version 9.3.0; align the activity pipeline to 9.4.0 so the pin and the emitted version match.

Details

build.yml now pins ECS to git@​v9.4.0, and the new sign_on pipeline correctly sets ecs.version: 9.4.0. However, the pre-existing activity pipeline (packages/workday/data_stream/activity/elasticsearch/ingest_pipeline/default.yml) still hardcodes value: 9.3.0 in its set_ecs_version processor. Before this PR both were 9.3.0 and consistent; the build.yml bump introduces a mismatch between the package-wide ECS pin (9.4.0) and the version stamped into activity documents (9.3.0). The two data streams in the same package will report different ecs.version values, and the pin no longer matches the activity pipeline.

Recommendation:

Update the activity pipeline's set_ecs_version value to match the new build.yml pin (9.4.0):

# packages/workday/data_stream/activity/elasticsearch/ingest_pipeline/default.yml
- set:
    field: ecs.version
    tag: set_ecs_version
    value: 9.4.0

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

87 changes: 70 additions & 17 deletions packages/workday/_dev/build/docs/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,35 +4,36 @@

[Workday](https://www.workday.com/en-in/homepage.html) is a cloud-based ERP system that manages business processes and allows organizations to use an integrated application. Workday is a coherent cloud ERP system for financial analysis, analytical solutions, HCM suites, and better business processes.

The Workday integration for Elastic collects `Activity Logs` via **API** and visualizes them in Kibana.
The Workday integration for Elastic collects `Activity` logs via the **Workday API** and `Sign-on` logs via the **Workday Custom Report API**, and visualizes them in Kibana.

### Compatibility

The Workday integration is compatible with API version **v1**.
- The **Activity** data stream is compatible with Workday API version **v1**.
- The **Sign-on** data stream is compatible with Workday Custom Reports exposed via the **Reports as a Service (RaaS)** JSON endpoint (`/ccx/service/customreport2/...?format=json`).

Check notice on line 12 in packages/workday/_dev/build/docs/README.md

View workflow job for this annotation

GitHub Actions / Lint user-facing content

Elastic.Ellipses: In general, don't use an ellipsis.

### How it works

This integration periodically queries the Workday API to retrieve logs.
- **Activity**: This integration periodically queries the Workday API to retrieve Activity logs.
- **Sign-on**: This integration periodically downloads a Workday Custom Report (for example, a Sign-on report that lists sign-on records along with their key attributes) and ingests each report row as a single event.

## What data does this integration collect?

This integration collects log messages of the following type:
This integration collects log messages of the following types:

- `Activity`: Collects [Activity Logs](https://community.workday.com/sites/default/files/file-hosting/restapi/#privacy/v1/get-/activityLogging) logs via Workday API (endpoint: `/activityLogging`).
- `Activity`: Collects [Activity Logs](https://community.workday.com/sites/default/files/file-hosting/restapi/#privacy/v1/get-/activityLogging) via the Workday API (endpoint: `/activityLogging`).
- `Sign-on`: Collects sign-on information from a Workday Custom Report via the Workday Reports as a Service (RaaS) JSON endpoint.

### Supported use cases

Integrating Workday with Elastic gives security and IT teams centralized visibility into **Workday activity logging**, so you can monitor configuration and usage changes, support audits, and investigate suspicious behavior from Kibana.
Integrating Workday with Elastic gives security and IT teams centralized visibility into **Workday activity logging** and **Workday sign-on data**, so you can monitor configuration and usage changes, track sign-on activity and access patterns, support audits, and investigate suspicious or unusual authentication behavior from Kibana.

The **Activity** dashboard summarizes key patterns such as **activity volume over time** and **top actors**, helping you spot unusual spikes and focus on the users and operations that matter.

Built-in filters make it easier to narrow events by attributes such as **task**, **system account**, and **IP address**, which supports faster triage and a more consistent investigation workflow across your Workday telemetry.
The **Activity** dashboard summarizes key patterns such as **activity volume over time** and **top actors**, helping you spot unusual spikes and focus on the users and operations that matter. Built-in filters make it easier to narrow events by attributes such as **task**, **system account**, and **IP address**, which supports faster triage and a more consistent investigation workflow across your Workday telemetry.

## What do I need to use this integration?

### From Workday

#### Collect Workday API credentials
#### For the Activity data stream

##### Enable User Activity Logging

Expand All @@ -43,7 +44,7 @@

**Note:** Once enabled, Workday records all user activity in a secure tenant database. Activity logging must be enabled before any logs are available for export.

#### Create Integration System User (ISU)
##### Create Integration System User (ISU)

1. In the Workday search bar, search for Create Integration System User.
2. Enter a User Name (for example, ISU_SIEM_Export) and a strong Password.
Expand All @@ -54,7 +55,7 @@
7. Search for View Domain and locate the User Activity Logging domain. Grant Get access to the ISU security group for this domain.
8. Search for Activate Pending Security Policy Changes and activate the changes.

#### Register API client for OAuth
##### Register API client for OAuth

1. In the Workday search bar, search for Register API Client for Integrations.
2. Enter a Client Name (for example, SIEM_OAuth_Client).
Expand All @@ -69,7 +70,7 @@
9. Generate a new refresh token for the API client.
10. Copy and save the Refresh Token.

#### Determine tenant URL
##### Determine tenant URL

The API endpoint is based on your Workday tenant. The format is:

Expand All @@ -83,6 +84,43 @@

**Note:** For additional Workday API security context, see [Generating API Keys for the Workday API](https://workday.my.site.com/customercenter/article?no=000013105&redirect=false).

#### For the Sign-on data stream

##### Build the Sign-on custom report

1. Sign in to your Workday tenant as a user with report-authoring privileges.
2. In the Workday search bar, search for **Create Custom Report**.
3. Create an Advanced report on a data source that exposes sign-on activity (for example, `Signons and Attempted Signons`).
4. Add the columns required for sign-on analytics (for example, `System Account`, `Session Start`, `Session End`, `Authentication Type for Signon`, `Failed Signon`, `Invalid Credentials`, `Account Locked, Disabled or Expired`, `Browser Type`, `Operating System`, `Device Type`, `Request Originator`, `SAML Identity Provider`).
5. On the **Advanced** tab, select **Enable As Web Service** so the report is exposed as Reports as a Service (RaaS).
6. Save the report and note the **Report Name** and the **Report Owner** (the Workday account that owns the report).

##### Create the Integration System User (ISU)

1. In the Workday search bar, search for **Create Integration System User**.
2. Enter a User Name (for example, `ISU_SIEM_Export`) and a strong Password.
3. Clear the **Require New Password at Next Sign In** checkbox.
4. Click **OK**.
5. Search for **Create Security Group** and create an Integration System Security Group (Unconstrained).
6. Add the ISU (`ISU_SIEM_Export`) to this security group.
7. Grant the ISU security group access to the domain protecting the custom report's data source (for example, the `System Auditing` domain).
8. Search for **Activate Pending Security Policy Changes** and activate the changes.

##### Determine the report URL

The Custom Report endpoint URL has the following format:

```
https://HOST/ccx/service/customreport2/TENANT/REPORT_OWNER/REPORT_NAME?format=json
```

Where:

- `HOST` is your Workday hostname.
- `TENANT` is your Workday tenant name.
- `REPORT_OWNER` is the Workday account that owns the custom report.
- `REPORT_NAME` is the name of the custom report you created above.

## How do I deploy this integration?

This integration supports both Elastic Agentless-based and Agent-based installations.
Expand All @@ -105,7 +143,7 @@
4. Select **Add Workday** to add the integration.
5. Enable and configure only the collection methods which you will use.

* To **Collect Workday logs via API**, you'll need to:
* To **Collect Workday Activity logs via API**, you'll need to:

- Configure **Hostname**.
- Configure **Tenant**.
Expand All @@ -114,6 +152,12 @@
- Configure **Refresh Token**.
- Adjust the integration configuration parameters if required, including the **Interval**, **Initial Interval**, **Preserve original event** etc. to enable data collection.

* To **Collect Workday Sign-on logs via Custom Report API**, you'll need to:

- Configure **Report URL** with the full Workday Custom Report (RaaS) URL noted above.
- Configure **Username** and **Password** for basic authentication against the Workday Custom Report API.
- Adjust the integration configuration parameters if required, including the **Interval** and **Preserve original event** etc. to enable data collection.

6. Select **Save and continue** to save the integration.

### Validation
Expand All @@ -140,6 +184,10 @@

{{fields "activity"}}

#### Sign-on

{{fields "sign_on"}}

### Example event

#### Activity
Expand All @@ -148,12 +196,17 @@

### Inputs used

These input is used in the integration:
These inputs are used in the integration:

- [CEL](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel)

### API usage

This integration uses the following Workday API:
This integration uses the following Workday APIs:

- **Activity**: [Workday Activity API documentation](https://community.workday.com/sites/default/files/file-hosting/restapi/#privacy/v1/get-/activityLogging).
- **Sign-on**: The Workday **Reports as a Service (RaaS)** JSON endpoint is used to fetch a user-defined Sign-on custom report:

**Activity**: [Workday Activity API documentation](https://community.workday.com/sites/default/files/file-hosting/restapi/#privacy/v1/get-/activityLogging).
```
GET https://HOST/ccx/service/customreport2/TENANT/REPORT_OWNER/REPORT_NAME?format=json
```
5 changes: 5 additions & 0 deletions packages/workday/changelog.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: '0.1.1'
changes:
- description: Add support for sign_on data stream.
type: enhancement
link: https://github.com/elastic/integrations/pull/20039
- version: '0.1.0'
changes:
- description: Add support for activity data stream.
Expand Down
Original file line number Diff line number Diff line change
@@ -1,11 +1,6 @@
input: cel
service: workday
vars:
hostname: "{{Hostname}}:{{Port}}"
tenant: tenant
client_id: client_id
client_secret: client_secret
refresh_token: refresh_token
ssl: |
certificate_authorities:
- |
Expand All @@ -30,6 +25,11 @@ vars:
-----END CERTIFICATE-----
data_stream:
vars:
hostname: "{{Hostname}}:{{Port}}"
tenant: tenant
client_id: client_id
client_secret: client_secret
refresh_token: refresh_token
preserve_original_event: true
batch_size: 2
assert:
Expand Down
35 changes: 35 additions & 0 deletions packages/workday/data_stream/activity/manifest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,41 @@ streams:
description: Collect Activity logs from Workday.
template_path: cel.yml.hbs
vars:
- name: hostname
type: text
title: Hostname
description: 'Hostname of Workday instance. Example: <your-workday-host>.workday.com'
required: true
show_user: true
- name: tenant
type: text
title: Tenant
description: Tenant of Workday instance.
required: true
show_user: true
- name: client_id
type: text
title: Client ID
multi: false
required: true
show_user: true
description: Client ID.
- name: client_secret
type: password
title: Client Secret
multi: false
required: true
show_user: true
secret: true
description: Client Secret.
- name: refresh_token
type: text
title: Refresh Token
description: Refresh token for Workday instance.
multi: false
required: true
show_user: true
secret: true
- name: initial_interval
type: text
title: Initial Interval
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
{"Account_Locked__Disabled_or_Expired":"0","Active_Session":"0","Authentication_Type_for_Signon":"SAML","Browser_Type":"Chrome","Device_Type":"Desktop","Device_is_Trusted":"0","Failed_Signon":"0","Forgotten_Password_Reset_Request":"0","Invalid_Credentials":"0","Is_Device_Managed":"0","Operating_System":"Mac OS X","Password_Changed":"0","Request_Originator":"UI","SAML_Identity_Provider":"IdP_Acme","Session_End":"2026-06-18T23:25:22-07:00","Session_Start":"2026-06-18T16:59:32-07:00","System_Account":"user534.acme / User 534"}
{"Account_Locked__Disabled_or_Expired":"0","Active_Session":"0","Authentication_Type_for_Signon":"OAuth 2.0","Device_is_Trusted":"0","Failed_Signon":"0","Forgotten_Password_Reset_Request":"0","Invalid_Credentials":"0","Is_Device_Managed":"0","Password_Changed":"0","Request_Originator":"Internal","Session_End":"2026-06-18T22:55:34-07:00","Session_Start":"2026-06-18T16:55:34-07:00","System_Account":"ISU_Integration_049"}
{"Account_Locked__Disabled_or_Expired":"0","Active_Session":"0","Authentication_Failure_Message":"Mobile PIN has expired. To reset your PIN, first sign in using your user name and password.","Authentication_Type_for_Signon":"Biometric","Browser_Type":"Workday Phone App","Device_Type":"Phone","Device_is_Trusted":"0","Failed_Signon":"1","Forgotten_Password_Reset_Request":"0","Invalid_Credentials":"0","Is_Device_Managed":"0","Operating_System":"iOS","Password_Changed":"0","Request_Originator":"UI","Session_Start":"2026-06-18T16:52:43-07:00","System_Account":"user179.acme / User 179","UI_Client_Type":"iPhone Native"}
{"Account_Locked__Disabled_or_Expired":"0","Active_Session":"0","Authentication_Type_for_Signon":"SAML","Browser_Type":"Workday Phone App","Device_Type":"Phone","Device_is_Trusted":"0","Failed_Signon":"0","Forgotten_Password_Reset_Request":"0","Invalid_Credentials":"0","Is_Device_Managed":"0","Operating_System":"iOS","Password_Changed":"0","Request_Originator":"UI","SAML_Identity_Provider":"IdP_Acme","Session_End":"2026-06-18T22:59:33-07:00","Session_Start":"2026-06-18T16:57:04-07:00","System_Account":"user179.acme / User 179"}
{"Account_Locked__Disabled_or_Expired":"0","Active_Session":"1","Authentication_Type_for_Signon":"User Name Password","Device_is_Trusted":"0","Failed_Signon":"0","Forgotten_Password_Reset_Request":"0","Invalid_Credentials":"0","Is_Device_Managed":"0","Password_Changed":"0","Request_Originator":"Web Services","Session_Start":"2026-06-18T13:18:51-07:00","System_Account":"ISU_Integration_001"}
{"Authentication_Type":"SAML","Browser_Type":"Chrome","Created_Moment":"2026-06-22T01:08:10.374-07:00","Device_Type":"Desktop","Device_is_Trusted":"0","Operating_System":"Mac OS X","Prompt_-_Positive_Integer":"linda.andersson / Linda Andersson","Request_Originator":"UI","SAML_Identity_Provider":"Okta E2","Session_ID":"4562a3","Sign-on_Time":"2026-06-22T01:08:10-07:00","Signoff_Time":"2026-06-22T02:09:01-07:00","Signon_IP_Address":"81.2.69.142","Signon_Worker":"Linda Andersson (006193)","User_Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36","userName":"linda.andersson"}
{"Authentication_Type":"User Name Password","Browser_Type":"Chrome","Created_Moment":"2026-06-22T00:44:17.617-07:00","Device_Type":"Desktop","Device_is_Trusted":"0","Operating_System":"Mac OS X","Prompt_-_Positive_Integer":"alina.goajga / Alina Garagancea","Request_Originator":"UI","Session_ID":"b40162","Sign-on_Time":"2026-06-22T00:44:17-07:00","Signoff_Time":"2026-06-22T03:35:15-07:00","Signon_IP_Address":"81.2.69.144","Signon_Worker":"Alina Garagancea (002036)","User_Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36","userName":"alina.goajga"}
{"Authentication_Type":"Trusted","Created_Moment":"2026-06-22T00:04:11.094-07:00","Device_Type":"Desktop","Device_is_Trusted":"0","Prompt_-_Positive_Integer":"ISU_Adaptive_Insights_User_Provisioning","Request_Originator":"Internal","Session_ID":"89d613","Sign-on_Time":"2026-06-22T00:04:11-07:00","Signoff_Time":"2026-06-22T01:04:11-07:00","Signon_IP_Address":"Workday Internal","userName":"ISU_Adaptive_Insights_User_Provisioning"}
{"Authentication_Type":"OAuth 2.0","Created_Moment":"2026-06-22T04:29:16.382-07:00","Device_is_Trusted":"0","Prompt_-_Positive_Integer":"ISU_WD_Logs","Request_Originator":"Internal","Session_ID":"87ed78","Sign-on_Time":"2026-06-22T04:29:16-07:00","Signoff_Time":"2026-06-22T05:29:16-07:00","Signon_IP_Address":"89.160.20.112","userName":"ISU_WD_Logs"}
{"Authentication_Failure_Message":"Invalid password","Authentication_Type":"User Name Password","Browser_Type":"Chrome","Created_Moment":"2026-06-22T06:41:11.320-07:00","Device_Type":"Desktop","Device_is_Trusted":"0","Operating_System":"Mac OS X","Prompt_-_Positive_Integer":"chris.carnes / Chris Carnes","Request_Originator":"UI","Sign-on_Time":"2026-06-22T06:41:11-07:00","Signon_IP_Address":"175.16.199.1","Signon_Worker":"Chris Carnes (006423)","User_Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36","userName":"chris.carnes"}
Loading
Loading