Workday
Human Resources Management (HRM)
Workday - Cloud-based HR and finance software for workforce management.
Detection Rules for Workday
These detection rules cover Workday, a cloud-based HR and finance platform for workforce management.
Provider: Workday
App : Workday | MITRE Tactic | MITRE Technique | Criticality |
---|---|---|---|
Unusual Login Activity | Credential Access | T1078: Valid Accounts | High |
Multiple Failed Login Attempts | Credential Access | T1110: Brute Force | Medium |
Unauthorized Access to Sensitive Data | Exfiltration | T1071: Application Layer Protocol | High |
Changes to User Roles/Permissions | Privilege Escalation | T1069: Permission Groups | Medium |
Excessive Data Exports | Exfiltration | T1041: Exfiltration Over Command and Control Channel | Medium |
Suspicious API Calls | Exfiltration | T1071: Application Layer Protocol | Medium |
Changes to Employee Status | Impact | T1074: Data Manipulation | Medium |
Abnormal Logout Patterns | Defense Evasion | T1070: Indicator Removal on Host | Low |
APIs and Their Scopes
App : Workday | Required API | Scopes Required | Usage |
---|---|---|---|
Unauthorized Access to Patient Records | Workday Audit API | com.workday.audit.patient | Retrieve audit logs on patient record access to identify unauthorized access patterns. |
Unusual Login Activity | Workday Security API | com.workday.security.logins | Access to login event logs to analyze login activities. |
Multiple Failed Login Attempts | Workday Security API | com.workday.security.logins | Monitor login attempts and access logs for failed logins. |
Unauthorized Access to Sensitive Data | Workday Data Management API | com.workday.data.access | Check access logs for sensitive data and monitor usage. |
Changes to User Roles/Permissions | Workday User Management API | com.workday.user.roles | Review role changes and manage user permissions. |
Excessive Data Exports | Workday Reporting API | com.workday.reporting.exports | Monitor export activities and analyze exported data volume. |
Suspicious API Calls | Workday API Management API | com.workday.api.calls | Track API usage and identify abnormal patterns. |
Changes to Employee Status | Workday Employee Data API | com.workday.employee.status | Track changes to employee statuses and verify approval logs. |
Abnormal Logout Patterns | Workday Security API | com.workday.security.logins | Analyze logout events in conjunction with login activities. |
Reports and Widgets for CISO
Report Name | Widgets | Description |
---|---|---|
Access Activity Report | Login Attempts by Location | Overview of user login activities, including successful and failed attempts. |
Role Change Audit Report | User Role Audit List; Role Change Frequency; Recent Role Changes Timeline | Tracks changes in user roles and permissions. |
Data Access and Export Report | User Export History; Total Data Exports; High-Risk Data Access Events | Details on sensitive data access and export activities. |
API Usage Report | API Call Frequency Trends; Total API Calls; Unusual API Endpoints Accessed | Overview of API calls made, highlighting unusual patterns. |
Employee Status Changes Report | Departmental Breakdown; Employee Status Change Summary; Recent Changes Timeline | Monitors changes in employee status (e.g., hires, terminations). |
Audit Trail Report | User Action Heatmap; Activity Log Summary; Recent Changes Per User | Comprehensive audit trail of user activities and changes. |
Security Incident Report | Average Resolution Time; Incident Count by Type; Open Incidents by Severity | Summary of security incidents and related investigations. |
Compliance Report | Compliance Score; Areas of Non-Compliance; Remediation Actions Taken | Tracks compliance with security policies and access controls. |