Workday

Human Resources Management (HRM)

Workday - Cloud-based HR and finance software for workforce management.

Detection Rules for Workday
These detection rules cover security-relevant activity in Workday, a cloud-based HR and finance platform for workforce management: sign-on behaviour, role and permission changes, data access and export, API usage, and employee status changes.

Provider: Workday

App: Workday

Detection rule: Unusual Login Activity
  MITRE Tactic: Credential Access
  MITRE Technique: T1078: Valid Accounts
  Criticality: High
  Investigation Actions (APIs):
    Use GeoIP lookup APIs to determine unusual login locations.
    Query IP reputation databases (AbuseIPDB, IPvoid).
  Incident Creation Criteria: Create an incident if the IP address is flagged as malicious or if multiple unusual logins are detected from the same user.

Detection rule: Multiple Failed Login Attempts
  MITRE Tactic: Credential Access
  MITRE Technique: T1110: Brute Force
  Criticality: Medium
  Investigation Actions (APIs):
    Review account lockout logs.
    Check for patterns in login attempts across multiple accounts.
  Incident Creation Criteria: Create an incident if a user exceeds a defined threshold of failed login attempts in a specified time frame.

Detection rule: Unauthorized Access to Sensitive Data
  MITRE Tactic: Exfiltration
  MITRE Technique: T1071: Application Layer Protocol
  Criticality: High
  Investigation Actions (APIs):
    Check access logs for unauthorized users accessing sensitive data.
    Monitor data access requests for anomalies.
  Incident Creation Criteria: Create an incident if sensitive data is accessed by users without appropriate permissions.

Detection rule: Changes to User Roles/Permissions
  MITRE Tactic: Privilege Escalation
  MITRE Technique: T1069: Permission Groups
  Criticality: Medium
  Investigation Actions (APIs):
    Review role change logs.
    Verify justification for role changes against HR policies.
  Incident Creation Criteria: Create an incident if roles are changed without documented approval or outside of regular HR processes.

Detection rule: Excessive Data Exports
  MITRE Tactic: Exfiltration
  MITRE Technique: T1041: Exfiltration Over Command and Control Channel
  Criticality: Medium
  Investigation Actions (APIs):
    Review logs for data export activities.
    Identify the data being exported and its sensitivity.
  Incident Creation Criteria: Create an incident if an unusually high volume of data is exported by a user within a short timeframe.

Detection rule: Suspicious API Calls
  MITRE Tactic: Exfiltration
  MITRE Technique: T1071: Application Layer Protocol
  Criticality: Medium
  Investigation Actions (APIs):
    Monitor API call patterns for anomalies.
    Check for calls to sensitive endpoints.
  Incident Creation Criteria: Create an incident if API calls exceed normal usage patterns or access sensitive resources without proper authentication.

Detection rule: Changes to Employee Status
  MITRE Tactic: Impact
  MITRE Technique: T1074: Data Manipulation
  Criticality: Medium
  Investigation Actions (APIs):
    Track changes to employee status (e.g., terminations, promotions).
    Verify approvals for status changes.
  Incident Creation Criteria: Create an incident if an employee's status changes without proper documentation or notification.

Detection rule: Abnormal Logout Patterns
  MITRE Tactic: Defense Evasion
  MITRE Technique: T1070: Indicator Removal on Host
  Criticality: Low
  Investigation Actions (APIs):
    Investigate multiple logout attempts without corresponding login events.
    Analyze for potential session hijacking.
  Incident Creation Criteria: Create an incident if logout events are detected without prior activity from the user.
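The three sign-on rules above (Multiple Failed Login Attempts, Unusual Login Activity, Abnormal Logout Patterns) reduce to a few passes over a time-ordered login/logout feed. The following is an added example, not Workday's code or API and not part of the original page: it runs those incident-creation criteria over a small set of constructed audit events. The event field names (ts, user, action, result, ip), the stub GeoIP table, the 5-failures-in-10-minutes threshold, and the "first login from a country not seen before for that user" criterion for an unusual location are all assumptions for the example; a real pipeline would call a GeoIP/IP-reputation service and use the tenant's own thresholds.

```python
"""Incident-creation logic for three Workday sign-on rules, over constructed sample events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events shaped like a generic sign-on/sign-off audit feed.
# The field names are assumptions for this example, not Workday's log schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "action": "login",  "result": "success", "ip": "203.0.113.10"},
    {"ts": "2024-05-01T08:30:00", "user": "alice", "action": "logout", "result": "success", "ip": "203.0.113.10"},
    {"ts": "2024-05-01T09:00:00", "user": "bob",   "action": "login",  "result": "failure", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:01:00", "user": "bob",   "action": "login",  "result": "failure", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:02:00", "user": "bob",   "action": "login",  "result": "failure", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:03:00", "user": "bob",   "action": "login",  "result": "failure", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:04:00", "user": "bob",   "action": "login",  "result": "failure", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T10:00:00", "user": "carol", "action": "logout", "result": "success", "ip": "203.0.113.55"},
    {"ts": "2024-05-01T11:00:00", "user": "alice", "action": "login",  "result": "success", "ip": "192.0.2.99"},
]

# Constructed stand-in for a GeoIP lookup API (IP -> country code).
GEOIP_STUB = {"203.0.113.10": "US", "203.0.113.55": "US", "198.51.100.7": "US", "192.0.2.99": "BR"}


def _parse(events):
    """Parse timestamps and return the events in chronological order."""
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events), key=lambda e: e["ts"])


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Multiple Failed Login Attempts: users with >= threshold failures inside a sliding window."""
    recent = defaultdict(deque)  # user -> timestamps of failures still inside the window
    hits = set()
    for e in _parse(events):
        if e["action"] != "login" or e["result"] != "failure":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            hits.add(e["user"])
    return sorted(hits)


def unusual_login_locations(events, geoip=GEOIP_STUB):
    """Unusual Login Activity: a successful login from a country the user has never logged in from."""
    seen = defaultdict(set)  # user -> countries already observed for that user
    findings = []
    for e in _parse(events):
        if e["action"] != "login" or e["result"] != "success":
            continue
        country = geoip.get(e["ip"], "unknown")
        if seen[e["user"]] and country not in seen[e["user"]]:
            findings.append((e["user"], country))
        seen[e["user"]].add(country)
    return findings


def orphan_logouts(events):
    """Abnormal Logout Patterns: a logout with no prior successful login from that user."""
    logged_in = set()
    findings = []
    for e in _parse(events):
        if e["action"] == "login" and e["result"] == "success":
            logged_in.add(e["user"])
        elif e["action"] == "logout":
            if e["user"] not in logged_in:
                findings.append(e["user"])
            else:
                logged_in.discard(e["user"])
    return findings


def build_incidents(events):
    """Apply the three rules and emit incidents with the criticality the rule table assigns."""
    incidents = []
    for user in failed_login_bursts(events):
        incidents.append({"rule": "Multiple Failed Login Attempts", "criticality": "Medium", "user": user})
    for user, country in unusual_login_locations(events):
        incidents.append({"rule": "Unusual Login Activity", "criticality": "High", "user": user, "country": country})
    for user in orphan_logouts(events):
        incidents.append({"rule": "Abnormal Logout Patterns", "criticality": "Low", "user": user})
    return incidents


if __name__ == "__main__":
    for incident in build_incidents(SAMPLE_EVENTS):
        print(incident)
```

On the constructed feed this raises three incidents: bob trips the failed-login threshold, alice's second login comes from a country not previously seen for her, and carol logs out without any prior login. The sliding-window deque is what keeps the failed-login rule bounded in memory on a high-volume feed; the window and threshold should be tuned per tenant, since Workday tenants with SSO-only sign-on will see very different failure rates from those with native passwords.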

APIs and Their Scopes

App: Workday

Detection rule: Unauthorized Access to Patient Records
  Required API: Workday Audit API
  Required scope: com.workday.audit.patient
  Usage: Retrieve audit logs on patient record access to identify unauthorized access patterns.

Detection rule: Unusual Login Activity
  Required API: Workday Security API
  Required scope: com.workday.security.logins
  Usage: Access to login event logs to analyze login activities.

Detection rule: Multiple Failed Login Attempts
  Required API: Workday Security API
  Required scope: com.workday.security.logins
  Usage: Monitor login attempts and access logs for failed logins.

Detection rule: Unauthorized Access to Sensitive Data
  Required API: Workday Data Management API
  Required scope: com.workday.data.access
  Usage: Check access logs for sensitive data and monitor usage.

Detection rule: Changes to User Roles/Permissions
  Required API: Workday User Management API
  Required scope: com.workday.user.roles
  Usage: Review role changes and manage user permissions.

Detection rule: Excessive Data Exports
  Required API: Workday Reporting API
  Required scope: com.workday.reporting.exports
  Usage: Monitor export activities and analyze exported data volume.

Detection rule: Suspicious API Calls
  Required API: Workday API Management API
  Required scope: com.workday.api.calls
  Usage: Track API usage and identify abnormal patterns.

Detection rule: Changes to Employee Status
  Required API: Workday Employee Data API
  Required scope: com.workday.employee.status
  Usage: Track changes to employee statuses and verify approval logs.

Detection rule: Abnormal Logout Patterns
  Required API: Workday Security API
  Required scope: com.workday.security.logins
  Usage: Analyze logout events in conjunction with login activities.

Reports and Widgets for CISO

Report: Access Activity Report
  Widgets:
    Login Attempts by Location
  Description: Overview of user login activities, including successful and failed attempts.

Report: Role Change Audit Report
  Widgets:
    User Role Audit List
    Role Change Frequency
    Recent Role Changes Timeline
  Description: Tracks changes in user roles and permissions.

Report: Data Access and Export Report
  Widgets:
    User Export History
    Total Data Exports
    High-Risk Data Access Events
  Description: Details on sensitive data access and export activities.

Report: API Usage Report
  Widgets:
    API Call Frequency Trends
    Total API Calls
    Unusual API Endpoints Accessed
  Description: Overview of API calls made, highlighting unusual patterns.

Report: Employee Status Changes Report
  Widgets:
    Departmental Breakdown
    Employee Status Change Summary
    Recent Changes Timeline
  Description: Monitors changes in employee status (e.g., hires, terminations).

Report: Audit Trail Report
  Widgets:
    User Action Heatmap
    Activity Log Summary
    Recent Changes Per User
  Description: Comprehensive audit trail of user activities and changes.

Report: Security Incident Report
  Widgets:
    Average Resolution Time
    Incident Count by Type
    Open Incidents by Severity
  Description: Summary of security incidents and related investigations.

Report: Compliance Report
  Widgets:
    Compliance Score
    Areas of Non-Compliance
    Remediation Actions Taken
  Description: Tracks compliance with security policies and access controls.