Ingest Report Data from Workday

Extend Cortex® XDR™ visibility into reports data from Workday.
Ingesting logs and data requires a Cortex XDR Pro per TB license.
To receive Workday report data, you must first configure data collection from Workday using a Workday custom report to ingest the appropriate data. This is configured by setting up a Workday Collector in Cortex® XDR™ and configuring report data collection via this Workday custom report that you set up.
As soon as Cortex XDR begins receiving data, the app automatically creates a Workday XQL dataset (
workday_workday_raw
). You can then use XQL Search queries to view the data and create new Correlation Rules. In addition, Cortex XDR adds the workday fields next to each user in the Key Assets list in the Incident View, and in the User node in the Causality View of Identity Analytics alerts.
Any user with permissions to view alerts and incidents can view the Workday data.
You can only configure a single Workday Collector, which is automatically configured to run the report every 6 hours. You can always use the
Sync Now
option to run the report whenever you want.
Complete the following tasks before you begin configuring Cortex XDR to receive report data from Workday.
  1. Create an Integration System User that is designated to access the custom report from Workday for data collection in Cortex XDR.
  2. Create an Integration System Security Group for the Integration System User created in Step 1 for accessing the report. When setting this group ensure to define the following.
    • Type of Tenanted Security Group
      —Select either
      Integration System Security Group (Constrained)
      or
      Integration System Security Group (Unconstrained)
      depending on how your data is configured. For more information, see the Workday documentation.
    • Integration System User
      —Select the user that you defined in step 1 for accessing the custom report.
  3. Create the Workday credentials for the Integration System User created in Step 1 so that the username and password can be used to access the report in Cortex XDR. Record these credentials as you will need them when configuring the Workday Collector in Cortex XDR.
For more information on completing any of these prerequisite steps, see the Workday documentation.
Configure Cortex XDR to receive report data from Workday.
  1. Configure a Workday custom report to use for data collection.
    1. In search field, specify
      Create Custom Report
      to open the wizard.
    2. Configure the following
      Create Custom Report
      settings.
      • Report Name
        —Specify the name of the report.
      • Report Details
        section.
        • Report Type
          —Select
          Advanced
          . When you select this option, the
          Enable As Web Service
          checkbox is displayed.
        • Enable As Web Service
          —Select this checkbox, so that you will be able to generate a URL of the report to configure in Cortex XDR.
      • Data Source
        section.
        • Optimized for Performance
          —Select whether the data should be optimized for performance. The way this checkbox is configured determines the
          Data Source
          options available to choose from.
        • Date Source
          —Select the applicable data source containing the data that is used to configure data collection from Workday to Cortex XDR.
    3. Click
      OK
      , and configure the following
      Additional Info
      settings.
      The
      Additional Info
      table in the
      Columns
      tab is where you can perform the following:
      • For the incident and card views in Cortex XDR, map the required fields from the
        Data Source
        configured by selecting the applicable
        Field
        that you want to map to the Cortex XDR field name required for data collection in the
        Column Heading Override XML Alias
        column.
      • (
        Optional
        ) You can map any additional fields from the
        Data Source
        configured that you want to be able to query in XQL Search using the
        workday_workday_raw
        dataset. This is configured by selecting the applicable
        Field
        and leaving the default field name that is displayed in the
        Column Heading Override XML Alias
        column. This default field name is what is used in XQL Search and the dataset to view and query the data.
      The
      Business Object
      changes depending on the
      Data Source
      selected.
      For the incident and card views in Cortex XDR, map the following fields in the table by selecting the applicable
      Field
      that contains the data representing the Cortex XDR field name as provided below that should be added to the
      Column Heading Override XML Alias
      . For example, for
      full_name
      , select the applicable
      Field
      from the
      Business Object
      defined that contains the full name of the user and in the
      Column Heading Override XML Alias
      specify
      full_name
      to map the set
      Field
      to the Cortex XDR field name.
      • full_name
      • phone_number
      • mailing_address
      • business_email_address
      • private_email_address
      • position_title
      • department
      • employment_start_date
      • employment_end_date
      • manager
    4. (
      Optional
      ) Filter out any employees that you do not want included in the
      Filter
      tab.
    5. Share access to the report with the designated Integration System User that you created by setting the following settings in the
      Share
      tab.
      • Report Definition Sharing Options
        —Select
        Share with specific authorized groups and users
        .
      • Authorized Users
        —Select the designated Integration System User that you created for accessing the custom report.
    6. Ensure that the following
      Web Services Options
      settings in the
      Advanced
      tab are configured.
      Here is an example of the configured settings, where the
      Web Service API Version
      and
      Namespace
      are automatically populated and dependent on your report.
    7. (
      Optional
      )
      Test
      the report to ensure all the fields are populated.
    8. Get the URL for the report.
      1. In the related actions menu, select
        Actions
        Web Service
        View URLs
        .
      2. Click
        OK
        .
      3. Scroll down to the
        JSON
        section.
      4. Hover over the
        JSON
        link and click the icon, which open a new tab in your browser with the URL for the report. You need to use the designated user credentials to open the report.
      5. Copy the URL for the report and record them somewhere as this URL needs to be provided when setting up the Workday Collector in Cortex XDR.
    9. Complete the report by clicking
      Done
      .
  2. Configure the Workday collection in Cortex XDR.
    1. Select
      Settings ( )
      Configurations
      Data Collection
      Collection Integrations
      .
    2. In the Workday Collector configuration, click the
      here
      link to begin a new configuration.
    3. Set the following parameters.
      • Name
        —Specify the name for the Workday Collector that is displayed in Cortex XDR.
      • URL
        —Specify the URL of the custom report you configured in Workday.
      • User Name
        —Specify the username for the designated Integration System User that you created for accessing the custom report in Workday.
      • Password
        —Specify the password for the designated Integration System User that you created for accessing the custom report in Workday.
    4. Click
      Test
      to validate access, and then click
      Enable
      .
      A notification appears confirming that the Workday Collector was saved successfully, and closes on its own after a few seconds.
      Once report data starts to come in, a green check mark appears underneath the
      Workday
      Collector configuration with the data and time that the data was last synced.
  3. (
    Optional
    ) Manage your Workday Collector.
    After you enable the Workday Collector, you can make additional changes as needed. To modify a configuration, select any of the following options.
    • Edit
      the Workday Collector settings.
    • Disable
      the Workday Collector.
    • Delete
      the Workday Collector.
    • Sync Now
      to run the report to get the latest report data. The report is run automatically every 6 hours, but you can always get the latest data as needed.
  4. After Cortex XDR begins receiving report data from Workday, you can use the XQL Search to search for logs in the new dataset (
    workday_workday_raw
    ).

Recommended For You