Workday
Human Resources Management (HRM)
Workday - Cloud-based HR and finance software for workforce management.
Detection Rules for Workday
These detection rules cover Workday, a cloud-based HR and finance platform for workforce management.
Provider: Workday
| App : Workday | MITRE Tactic | MITRE Technique | Criticality |
|---|---|---|---|
| Unusual Login Activity | Credential Access | T1078: Valid Accounts | High |
| Multiple Failed Login Attempts | Credential Access | T1110: Brute Force | Medium |
| Unauthorized Access to Sensitive Data | Exfiltration | T1071: Application Layer Protocol | High |
| Changes to User Roles/Permissions | Privilege Escalation | T1069: Permission Groups | Medium |
| Excessive Data Exports | Exfiltration | T1041: Exfiltration Over Command and Control Channel | Medium |
| Suspicious API Calls | Exfiltration | T1071: Application Layer Protocol | Medium |
| Changes to Employee Status | Impact | T1074: Data Manipulation | Medium |
| Abnormal Logout Patterns | Defense Evasion | T1070: Indicator Removal on Host | Low |
APIs and Their Scopes
| App : Workday | Required API | Scopes Required | Usage |
|---|---|---|---|
| Unauthorized Access to Patient Records | Workday Audit API | com.workday.audit.patient | Retrieve audit logs on patient record access to identify unauthorized access patterns. |
| Unusual Login Activity | Workday Security API | com.workday.security.logins | Access to login event logs to analyze login activities. |
| Multiple Failed Login Attempts | Workday Security API | com.workday.security.logins | Monitor login attempts and access logs for failed logins. |
| Unauthorized Access to Sensitive Data | Workday Data Management API | com.workday.data.access | Check access logs for sensitive data and monitor usage. |
| Changes to User Roles/Permissions | Workday User Management API | com.workday.user.roles | Review role changes and manage user permissions. |
| Excessive Data Exports | Workday Reporting API | com.workday.reporting.exports | Monitor export activities and analyze exported data volume. |
| Suspicious API Calls | Workday API Management API | com.workday.api.calls | Track API usage and identify abnormal patterns. |
| Changes to Employee Status | Workday Employee Data API | com.workday.employee.status | Track changes to employee statuses and verify approval logs. |
| Abnormal Logout Patterns | Workday Security API | com.workday.security.logins | Analyze logout events in conjunction with login activities. |
Reports and Widgets for CISO
| Report Name | Widgets | Description |
|---|---|---|
| Access Activity Report | Login Attempts by Location | Overview of user login activities, including successful and failed attempts. |
| Role Change Audit Report | User Role Audit List; Role Change Frequency; Recent Role Changes Timeline | Tracks changes in user roles and permissions. |
| Data Access and Export Report | User Export History; Total Data Exports; High-Risk Data Access Events | Details on sensitive data access and export activities. |
| API Usage Report | API Call Frequency Trends; Total API Calls; Unusual API Endpoints Accessed | Overview of API calls made, highlighting unusual patterns. |
| Employee Status Changes Report | Departmental Breakdown; Employee Status Change Summary; Recent Changes Timeline | Monitors changes in employee status (e.g., hires, terminations). |
| Audit Trail Report | User Action Heatmap; Activity Log Summary; Recent Changes Per User | Comprehensive audit trail of user activities and changes. |
| Security Incident Report | Average Resolution Time; Incident Count by Type; Open Incidents by Severity | Summary of security incidents and related investigations. |
| Compliance Report | Compliance Score; Areas of Non-Compliance; Remediation Actions Taken | Tracks compliance with security policies and access controls. |