Workday Add-on for Splunk

Overview

Details

The Workday Add-on for Splunk® enables you to automatically send a copy of user activity log and signon data from your Workday tenant into your Splunk account. This enables you to use Splunk to parse the log data to monitor for harmful activity in your tenant.

If you enable this functionality, the collected user activity logs will reside outside of Workday.

If you enable this functionality, a copy of your user and signon activity data will reside outside of Workday.

The Workday Add-on for Splunk is available on the Splunkbase site and is not part of the Workday Service. Follow the directions on Splunkbase to license and download the add-on.

Do these steps to set up Workday to send data to Splunk:

Create an Integration System User.
Register the add-on client in your tenant.
Retrieve client values for the add-on.
Enable your tenant to send data to Splunk.
Create Custom Signon Report
If the Workday Add-on for Splunk is not working as expected, please have a Workday Administrator in your organization create a case to receive assistance from Workday Support.

Create an Integration Systems User

Create an Integrations Systems User and the associated Security Group and Policy.

Access the Create Integration System User task.
User Name: Splunk_ISU
Session Timeout Minutes: 0 (disable session expiration)
Do Not Allow UI Sessions: Yes (select this checkbox)
Access the Create Security Group task.
Type of Tenanted Security Group: Integration System Security Group (Unconstrained)
Name: Remote Security Monitoring
Access the Edit Integration System Security Group (Unconstrained) task for the group you just created.
Integration System Users: Splunk_ISU
Access the View Domain task for the domain System Auditing.
Select Domain > Edit Security Policy Permissions from the System Auditing related actions menu. (Note: You may have to select See More>Switch to Full Menu for 10 seconds to see edit Policy Permissions)
Add the group you created, Remote Security Monitoring to both tables:
Report/Task Permissions table: View access
Integration Permissions table: Get access
Access the Activate Pending Security Policy Changes task and activate the changes that you made.
For additional information, see Set Up Integration System User Security in Workday documentation.

Register the Add-on Client in your Tenant

Access the the Register API Client for Integrations task and register the client.
Client Name: Workday Add-on for Splunk
Non-Expiring Refresh Tokens: Yes
Scope: System
For additional information, see Register API Client for Integrations in Workday documentation.

Retrieve Client Values for the Add-on

Access the View API Clients task, select the API Clients for Integrations tab and confirm these settings:
Client Grant Type: Authorization Code Grant
Access Token Type: Bearer
Copy and store these four values (the first two values are at the top of the page):
Workday REST API Endpoint
Token Endpoint
Client ID
Client Secret
Select API Client > Manage Refresh Token for Integrations from the Workday Add-on for Splunk related actions menu.
Workday Account: Splunk_ISU
Select Generate New Refresh Token checkbox, then save that token.
Enter the values you saved into the add-on.

Enable your tenant to send data
1. Access the Edit Tenant Setup - System task and ensure that the Enable User Activity Logging checkbox is selected.
2. Access the Edit Tenant Setup - Security task and ensure that the OAuth 2.0 Clients Enabled checkbox is selected

Create Custom Signon Report
The Custom Signon Report provides information about successful and attempted signons from candidates within Workday. Follow the steps below to configure your Workday tenant to send these reports to Splunk.

Access Copy Standard Report to Custom Report task
Standard Report Name: Candidate Signons and Attempted Signons
Click OK and the next page will pop up
Name: Custom Signons and Attempted Signons Report
Select "Optimized for Performance"
Click OK and the next page will pop up
Data Source Filter: Workday System Account Signons in Range
Under Share tab select "Share with specific authorized groups and users" and add Splunk_ISU to the Authorized Users field
Under Advanced tab scroll to Web Services Options and select "Enable as Web Service"
Under the Columns tab add these fields using the + button:
-Operating System
-Password Changed
-Request Originator
-SAML Identity Provider
-Forgotten Password Reset Request
-Multi-Factor Type
-Is Device Managed
-UI Client Type
-Browser Type
-Device is Trusted
*You may also add other additional fields of interest
Under the Column Heading Override column:
Delete "ID" for field "Session ID"
Delete "Candidate for Candidate Account" for field "System Account"
Click OK
Select Webs Service>URLs from Custom Signons and Attempted Signons Report related
Note: Leave To Moment and From Moment as is. You will configure these parameters in the add-on's configueration
Click OK
Copy URL from JSON link (Right click>Copy URL). The URL should look like this:
https://<workday_hostname>/ccx/service/customreport2/<tenant>/<accountname>/<reportname>/<tomoment>/<frommoment>/<format>/

In the Workday add-on in Splunk:
8. Click on Create New Input > Signon Activity
Store value under Report URL
Delete everything after <reportname>

NOTE: Additional security configurations may be necessary in order to allow the custom report to be accessed by the app. Consult with your Workday administrator to enable the right permissions for the Splunk_ISU.

Release Notes

Version 2.1.0

Feb. 1, 2025

Version 2.1.0:

New feature : Sign-on Activity logs. You can now build a custom report on Workday and retrieve logs using Signon Activity Inputs
More details : https://community-content.workday.com/content/workday-community/en-us/kits-and-tools/products/platform-and-product-extensions/configuration-catalog/workday-add-on-for-splunk.html
Updated Add-on builder build and pythonsdk lib

Version 2.0.0 Highlights:

New Multi-tenant feature : Configure multiple Workday tenants
Each tenant input requires a global account reference from the configuration page
Help page within the app with FAQ's

Version 2.0.3

Jan. 30, 2024

Version 2.0.3:

Update URL validations for Workday Rest Api Endpoint

Version 2.0.2:

Added validations for FEDRAMP Workday tenants
Updated Add-on builder build and pythonsdk lib

Version 2.0.0 Highlights:

New Multi-tenant feature : Configure multiple Workday tenants
Each tenant input requires a global account reference from the configuration page
Help page within the app with FAQ's

Before upgrade to Workday add-on for Splunk version : 2.0.0

Recommended : Install the add-on version 2.0.0 as a new add-on * If we are updating the app, please follow the steps below:
Disable and delete existing input.
(Optional) : Remove any local settings such as passwords.conf
These settings will remain deprecated and unused if not removed under app/local * Record the last timestamp of the event for the given tenant.
Use this timestamp to configure the new input start time

Version 2.0.2

Dec. 5, 2023

Version 2.0.2:

Added validations for FEDRAMP Workday tenants
Updated Add-on builder build and pythonsdk lib

Version 2.0.0 Highlights:

New Multi-tenant feature : Configure multiple Workday tenants
Each tenant input requires a global account reference from the configuration page
Help page within the app with FAQ's

Before upgrade to Workday add-on for Splunk version : 2.0.0

Recommended : Install the add-on version 2.0.0 as a new add-on * If we are updating the app, please follow the steps below:
Disable and delete existing input.
(Optional) : Remove any local settings such as passwords.conf
These settings will remain deprecated and unused if not removed under app/local * Record the last timestamp of the event for the given tenant.
Use this timestamp to configure the new input start time

Version 2.0.1

April 25, 2023

Updated Add-on builder cloud compatibility checks

Version 2.0.0 * New Multi-tenant feature
* Global account feature is enabled. Now you can configure Workday tenants as global accounts * Updated input settings to include an optional start time setting
* Each tenant input requires a global account reference from the configuration page
* Handle timestamp checkpointer per input * Updated validations for configurations and inputs * Updated jquery & pythonsdk lib * Help page within the app with FAQ's

Before upgrade to Workday add-on for Splunk version : 2.0.0 * Recommended : Install the add-on version 2.0.0 as a new add-on * If we are updating the app, please follow the steps below:
* Disable and delete existing input.
* (Optional) : Remove any local settings such as passwords.conf
* These settings will remain deprecated and unused if not removed under app/local * Record the last timestamp of the event for the given tenant.
* Use this timestamp to configure the new input start time

Version 2.0.0

March 27, 2023

New Multi-tenant feature
- Global account feature is enabled. Now you can configure Workday tenants as global accounts
Updated input settings to include an optional start time setting
- Each tenant input requires a global account reference from the configuration page
- Handle timestamp checkpointer per input
Updated validations for configurations and inputs
Updated jquery & pythonsdk lib
Help page within the app with FAQ's

Before upgrade to Workday add-on for Splunk version : 2.0.0
Recommended : Install the add-on version 2.0.0 as a new add-on
If we are updating the app, please follow the steps below:
- Disable and delete existing input.
- (Optional) : Remove any local settings such as passwords.conf
- These settings will remain deprecated and unused if not removed under app/local
Record the last timestamp of the event for the given tenant.
- Use this timestamp to configure the new input start time

Version 1.2.0

May 12, 2022

Performance improvements
- Increase batch size per API call from 100 to 1000
- Up to 75% improvement in performance
- Load testing compared to previous add-on version (1.1.0)
  - Load Tests of up to 54,000 - 70,000 events per minute
  - Capable to index up to 3.5M events per hour
Update jQuery to 3.6.0
Resolve a bug for API time range querying <1 second
Updated app.manifest to version 2.0.0

Version 1.1.0

Feb. 3, 2022

Updated logging api -
- Phased out deprecated /auditLogs api and leveraging the new /activityLogging api
Performance improvements
- Included a parameter (instancesReturned:1) to improve api call efficiency
- Efficiently record events and write to disk based on volume
- Resilient towards interruptions by incrementally saving checkpoints
- Minor performance improvements with updated logging api
Updated add-on with new Splunk add-on builder updates
Load testing compared to previous add-on version (1.0):
- This version of the add-on efficiently pulls events tested up to 12,000 - 15,000 events/minute
- Approximately, 800K events per hour and may vary depending on factors:
  - Volume for the given time range
  - Network latency between Splunk endpoint and Workday tenant
  - Splunk Instance resources
- Average efficiency based on volume of data for a given time range
  - 15% efficient for volume of 10K events

Version 1.0.2

April 21, 2021

Version 1.0.2
- Bug fix : TA_workday_checkpointer incorrectly validating against timestamp after upgrade.

Version 1.0.1
- HTTP proxy fix to add validity

Version 1.0.0
- Splunk version 8.x & Python3 compatibility
- Incrementally ingest data and save time check point
- Optimized thresholds for API limit tolerance
- Verbose DEBUG logging available
- Optimized payload fetch time
- Minor bugs and improvements

7,732

Downloads

Share Subscribe

Version

Built by

Workday

Support

Developer Supported

Contact Developer Questions on Splunk Answers Flag as inappropriate

App Contents: Inputs