Workday

Workday is a cloud-based ERP system that manages business processes and allows organizations to use an integrated application. Workday is a coherent cloud ERP system for financial analysis, analytical solutions, HCM suites, and better business processes.

The Workday integration for Elastic collects Activity Logs via API and visualizes them in Kibana.

The Workday integration is compatible with API version v1.

This integration periodically queries the Workday API to retrieve logs.

This integration collects log messages of the following type:

• Activity: Collects Activity Logs logs via Workday API (endpoint: /activityLogging).

Integrating Workday with Elastic gives security and IT teams centralized visibility into Workday activity logging, so you can monitor configuration and usage changes, support audits, and investigate suspicious behavior from Kibana.

The Activity dashboard summarizes key patterns such as activity volume over time and top actors, helping you spot unusual spikes and focus on the users and operations that matter.

Built-in filters make it easier to narrow events by attributes such as task, system account, and IP address, which supports faster triage and a more consistent investigation workflow across your Workday telemetry.

1. Sign in to your Workday tenant as a Security Administrator.
2. In the Workday search bar, search for and open the Edit Tenant Setup - System task.
3. In the Security section, select the Enable User Activity Logging checkbox.
4. Click OK to save the changes.

1. In the Workday search bar, search for Create Integration System User.
2. Enter a User Name (for example, ISU_SIEM_Export) and a strong Password.
3. Clear the Require New Password at Next Sign In checkbox.
4. Click OK.
5. Search for Create Security Group and create an Integration System Security Group (Unconstrained).
6. Add the ISU (ISU_SIEM_Export) to this security group.
7. Search for View Domain and locate the User Activity Logging domain. Grant Get access to the ISU security group for this domain.
8. Search for Activate Pending Security Policy Changes and activate the changes.

1. In the Workday search bar, search for Register API Client for Integrations.
2. Enter a Client Name (for example, SIEM_OAuth_Client).
3. Select the Non-Expiring Refresh Tokens option.
4. Add the scope: System (or the scope required for User Activity Logging API).
5. Click OK.
6. Copy and save the following details in a secure location:
   • Client ID: The API client identifier.
   • Client Secret: The API client secret.
7. Search for Manage Refresh Tokens for Integrations.
8. Select the ISU account (ISU_SIEM_Export).
9. Generate a new refresh token for the API client.
10. Copy and save the Refresh Token.

The API endpoint is based on your Workday tenant. The format is:

Component | Value

Token endpoint | https://HOST/ccx/oauth2/TENANT/token

Activity Logging API | https://HOST/ccx/api/privacy/v1/TENANT/activityLogging

This integration supports both Elastic Agentless-based and Agent-based installations.

Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to Agentless integrations and the Agentless integrations FAQ.

Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.

Elastic Agent must be installed. For more details, check the Elastic Agent installation instructions. You can install only one Elastic Agent per host.

1. In the top search bar in Kibana, search for Integrations.

2. In the search bar, type Workday.

3. Select the Workday integration from the search results.

4. Select Add Workday to add the integration.

5. Enable and configure only the collection methods which you will use.

   • To Collect Workday logs via API, you'll need to:

     • Configure Hostname.
     • Configure Tenant.
     • Configure Client ID.
     • Configure Client Secret.
     • Configure Refresh Token.
     • Adjust the integration configuration parameters if required, including the Interval, Initial Interval, Preserve original event etc. to enable data collection.

6. Select Save and continue to save the integration.

1. In the top search bar in Kibana, search for Dashboards.
2. In the search bar, type Workday.
3. Select a dashboard for the dataset you are collecting, and verify the dashboard information is populated.

For help with Elastic ingest tools, check Common problems.

For more information on architectures that can be used for scaling this integration, check the Ingest Architectures documentation.

{
    "@timestamp": "2026-04-02T12:46:18.012Z",
    "agent": {
        "ephemeral_id": "56b15ab2-aac3-4167-a87e-300667f9c510",
        "id": "49c06832-6dd8-4eea-8c9d-702a4bcee941",
        "name": "elastic-agent-15161",
        "type": "filebeat",
        "version": "8.18.0"
    },
    "data_stream": {
        "dataset": "workday.activity",
        "namespace": "58781",
        "type": "logs"
    },
    "device": {
        "type": "desktop"
    },
    "ecs": {
        "version": "9.3.0"
    },
    "elastic_agent": {
        "id": "49c06832-6dd8-4eea-8c9d-702a4bcee941",
        "snapshot": false,
        "version": "8.18.0"
    },
    "event": {
        "action": "read",
        "agent_id_status": "verified",
        "category": [
            "iam"
        ],
        "dataset": "workday.activity",
        "ingested": "2026-06-05T11:40:39Z",
        "kind": "event",
        "original": "{\"activityAction\":\"READ\",\"deviceType\":\"Desktop\",\"ipAddress\":\"127.0.0.1\",\"requestTime\":\"2026-04-02T12:46:18.012Z\",\"sessionId\":\"c7c6ff\",\"systemAccount\":\"wd-implementer\",\"taskDisplayName\":\"privacy/activityLogging/userActivity (GET) (v1 -  )\",\"taskId\":\"e67b812850dc100047be196f396d745f\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36\"}",
        "type": [
            "info"
        ]
    },
    "input": {
        "type": "cel"
    },
    "related": {
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "wd-implementer"
        ]
    },
    "source": {
        "ip": "127.0.0.1"
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "workday-activity"
    ],
    "user": {
        "name": "wd-implementer"
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Chrome",
        "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36",
        "os": {
            "full": "Windows 10",
            "name": "Windows",
            "version": "10"
        },
        "version": "146.0.0.0"
    },
    "workday": {
        "activity": {
            "activity_action": "READ",
            "session_id": "c7c6ff",
            "task_display_name": "privacy/activityLogging/userActivity (GET) (v1 -  )",
            "task_id": "e67b812850dc100047be196f396d745f"
        }
    }
}
		

These input is used in the integration:

• CEL

This integration uses the following Workday API:

Activity: Workday Activity API documentation.

This integration includes one or more Kibana dashboards that visualizes the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.

×