Workday Enterprise Suite (Workday Report API via Generic HTTPS Poller)
Workday has a flexible reports service that lets Workday users define columns and details around report parameters. These reports can then be executed against data in the Workday UI. These reports are also available using a REST API web service in the following format:
https://wd2-impl-services1.workday.com/ccx/service/customreport2/<tenantId_here>/<username_here>/<report_name_here>
For example:
https://wd2-impl-services1.workday.com/ccx/service/customreport2/MyCustomTenant/ExampleReportUser/UserListReport
URL Component | Description |
---|---|
wd2-impl-services1.workday.com | Hostname of report API |
MyCustomTenant | The Workday tenant name |
ExampleReportUser | The Workday username of the user who owns the custom reports |
UserListReport | The report name as defined in Workday UI |
Note: The reports exposed via API being discussed here are from the Workday UI, and should not be confused with FortiSIEM reports.
When Workday users have crafted reports, these reports can be exported as Excel representations of each report's setup, so that the report can be recreated in other tenants. The FortiSIEM team has generated a set of Excel representations of common Workday reports that can be properly parsed by FortiSIEM.
Please download the following Excel spreadsheets and repeat the input options in your Workday tenant to create your reports. Also, ensure that the authorized user account FortiSIEM needs to retrieve the report is either the owner of the report, or authorized to execute/view it.
Contact your Workday solutions support team if you have issues generating the Workday reports. Workday customers have access to detailed documentation on setting up a report and exposing it via API. The Excel documents defined here represent all the GUI options prompted for the setup of each standard report.
FortiSIEM makes use of the "Generic HTTPS Poller" in FortiSIEM 6.6.0 and later to integrate with the Workday Reports API.
For more information on this type of integration, see Generic Log API Poller (HTTPS Advanced) Integration in the Appendix.
General Steps
For this integration, you will be taking the following general steps.
- Define Workday user account with basic authentication for your tenant.
- Define Reports in Workday UI and enable them as a web service (allow them to be retrieved via API). Follow the Excel representations of each report linked in this guide.
- Configure FortiSIEM's Generic Log API Poller (Credential type HTTPS ADVANCED under Access Protocols in FortiSIEM Credential configuration).
- Test connectivity to Reports API and confirm events are ingested.
- Define any Rules or Reports as desired.
Configuration
Setup in Workday
Take the following steps in Workday.
Creating a Workday User Account
- Login to Workday.
- Create a Workday user account.
- In the Label field, enter the unique name of the account.
- In the Username field, enter the username of the account.
- In the Password field, enter the password associated with the username.
- In the Tenant field, enter the Workday tenant.
- In the Host field, enter the hostname.
- In the Version field, enter the Workday version.
- Use the Excel spreadsheets to re-create the settings from your own Workday tenant.
Setup in FortiSIEM
To configure a FortiSIEM credential, take the following steps.
Note: A unique credential is required for each report endpoint. So in this situation, 9 credentials (one for each report) will need to be created.
FortiSIEM provides support by default for the following standard reports:
Report | Description |
---|---|
BusinessProcesses | List of all business processes (not time series data) |
Domain_SecurableItems | List of domain securable items |
Domains | List of all domains (not time series data) |
FunctionalAreas | List of all functional areas (not time series data) |
Organizations | List of all organizations in a tenant (not time series data) |
SecurityGroups | List of all security groups (not time series data) |
SecurityGroup_Details | List of details for security groups (not time series data) |
SystemAccountSignons | Audit logon history for a given time interval (This is time series audit log data) |
Users | List of users and their status of active/inactive (not time series data) |
You can define any number of custom reports, but you will have to extend the WorkdayParser to handle new fields and eventTypes. Consult the parser training course/documentation or professional services for more information.
- Login to FortiSIEM GUI.
- Navigate to ADMIN > Setup > Credentials.
- Under Step 1: Enter Credentials, click New.
- In the Access Method Definition window, take the following steps.
- In the Name field, enter a name for the credential representing the API endpoint, for example, "Workday_<Workday_Report>".
- From the Device Type drop-down list, select Workday Enterprise Suite.
- Ensure the Access Protocol drop-down list has HTTPS Advanced selected. If it does not, select it from the drop-down list.
- In the Pull Interval field, set the pull interval. The default is 5 minutes.
- Click the Edit icon in the General Parameters row.
- In the Host Name field, enter the Workday report API hostname. This will likely be "wd2-impl-services1.workday.com".
- In the URI Stem field, replace the "<XXXX_here>" information with your report API endpoint information, following this format.
/ccx/service/customreport2/<tenantId_here>/<username_here>/<report_name>
- From the HTTP Method drop-down list, select GET.
- In the Log Header field, enter "Workday_HTTP_API <Report_Entry>:"
- Click OK.
Note: The other options in General Parameters do not need to be checked.
- Click on the Edit icon in the Authentication Parameters row.
- In the User Name field, enter the Workday user's username that owns the reports, or has access to the reports.
- In the Password field, enter the password associated with the Workday username.
- In the Confirm Password field, re-enter the password associated with the Workday username.
- Click OK.
- Click on the Edit icon in the Log API Parameters row.
- Configure the Log API. For information, see Log API Configuration in Generic Log API Poller (HTTPS Advanced) Integration.
Note: A full walkthrough example using SystemAccountSignons is available that shows how the API parameters from_Moment and to_Moment should be configured.
- Click Save.
- Under Step 2: Enter IP Range to Credential Associations, click New.
- From the Credentials drop-down list, select the Credentials you just created. The IP/Host Name field will auto-populate.
- Verify that the IP/Host Name field information is correct.
- Click Save.
- Select the Workday credential, click the Test drop-down list, and select Test Connectivity without Ping to start the polling job.
- From the top horizontal tab selection, click Pull Events to verify the job. You should see a yellow star symbol next to the new polling job. If the pull interval was left at its 5-minute default, it should take approximately 5 minutes for the first job to execute. Afterwards, a green checkbox will appear instead of a yellow star.
- Click ANALYTICS, and run a query such as EventType CONTAIN Workday-.
- Select the Edit Filters and Time Range... field
- Under Filter, select Event Attribute.
- Under Attribute, select/enter Event Type.
- From the Operator drop-down list, select CONTAIN.
- Under VALUE, enter "Workday-".
- Click Apply & Run.
Walkthrough Example using SystemAccountSignons
There are two major categories of logging APIs:
- Those with time-series data, where we have to specify a time range in the API query
- Non-time-series reporting data, e.g. a list of users
In the case of SystemAccountSignons, although it offers a complete list of signons since the beginning of time of the initial poll interval, we can configure it so it only provides the signons from the given poll interval.
To configure this, note that the standard Workday report called SystemAccountSignons has time range arguments called from_Moment and to_Moment. These are populated by FortiSIEM using the following template, called Workday-SystemAccountSignongs_https_advanced_definition.json, which is available for download here.
We will use this JSON config template shortly. Take the following steps:
- Login to FortiSIEM GUI.
- Navigate to ADMIN > Setup > Credentials.
- Under Step 1: Enter Credentials, click New.
- In the Access Method Definition window, take the following steps.
- In the Name field, enter a name for the credential representing the API endpoint, for example, "Workday_SystemAccountSignons".
- From the Device Type drop-down list, select Workday Enterprise Suite.
- Ensure the Access Protocol drop-down list has HTTPS Advanced selected. If it does not, select it from the drop-down list.
- In the Pull Interval field, set the pull interval. The default is 5 minutes.
- Click Import Definition in the lower left part of the Access Method Definition window.
- Select the file Workday-SystemAccountSignongs_https_advanced_definition.json, and when prompted with the message "Definition will be overwritten, continue?", click Yes.
At this point, several parameters will be auto-filled, but some additional configuration is required.
- Click the Edit icon in the General Parameters row.
- In the Host Name field, enter the Workday report API hostname if it is different than wd2-impl-services1.workday.com.
- In the URI Stem field, replace the "<XXXX_here>" information with your report API endpoint information, following this format.
/ccx/service/customreport2/<tenantId_here>/<username_here>/FN_SystemAccountSignons
- Click OK.
Note: The other options in General Parameters do not need to be checked.
- Click on the Edit icon in the Authentication Parameters row.
- In the User Name field, enter the Workday user's username that owns the reports, or has access to the reports.
- In the Password field, enter the password associated with the Workday username.
- In the Confirm Password field, re-enter the password associated with the Workday username.
- Click OK.
- Click Save.
Note: The log API parameters have already been auto-filled for time series polling using the API parameters from_Moment and to_Moment for SystemAccountSignons API report in Log API Parameters.
- Under Step 2: Enter IP Range to Credential Associations, click New.
- From the Credentials drop-down list, select the Credentials you just created. The IP/Host Name field will auto-populate.
- Verify that the IP/Host Name field information is correct.
- Click Save.
- Select the Workday credential, click the Test drop-down list, and select Test Connectivity without Ping to start the polling job.
- From the top horizontal tab selection, click Pull Events to verify the job. You should see a yellow star symbol next to the new polling job. If the pull interval was left at its 5-minute default, it should take approximately 5 minutes for the first job to execute. Afterwards, a green checkbox will appear instead of a yellow star.
- Click ANALYTICS, and run a query such as EventType CONTAIN Workday-.
- Select the Edit Filters and Time Range... field
- Under Filter, select Event Attribute.
- Under Attribute, select/enter Event Type.
- From the Operator drop-down list, select CONTAIN.
- Under VALUE, enter "Workday-".
- Click Apply & Run.
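The per-interval from_Moment/to_Moment windowing described in this walkthrough can be checked offline before the credential is saved. The following Python script is an added example, not FortiSIEM or Workday code; the function names, the ISO 8601 timestamp format and the sample times are assumptions, while the host, tenant and user names are the example values from this page.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

REPORT_BASE = "/ccx/service/customreport2"  # path prefix shown on this page


def uri_stem(tenant, owner, report):
    """Build the URI Stem, rejecting unfilled placeholders and encoding each part."""
    parts = (tenant, owner, report)
    for part in parts:
        if not part or "<" in part or ">" in part:
            raise ValueError(f"unfilled or empty URL component: {part!r}")
    # safe="" also encodes "/", so one component cannot add a path segment
    return "/".join([REPORT_BASE, *(quote(p, safe="") for p in parts)])


def poll_windows(start, end, interval):
    """Split [start, end) into back-to-back windows: no gap, no overlap."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    if interval <= timedelta(0):
        raise ValueError("interval must be positive")
    windows, cursor = [], start
    while cursor < end:
        upper = min(cursor + interval, end)
        windows.append((cursor, upper))
        cursor = upper  # next from_Moment equals this to_Moment
    return windows


def signon_url(host, stem, window):
    """Full HTTPS request URL for one poll of the time-series report."""
    # Assumption: moments are sent as ISO 8601 with a UTC offset.
    query = urlencode({"from_Moment": window[0].isoformat(),
                       "to_Moment": window[1].isoformat()})
    return f"https://{host}{stem}?{query}"


if __name__ == "__main__":
    # Constructed sample values; tenant and user are the page's example names.
    stem = uri_stem("MyCustomTenant", "ExampleReportUser", "FN_SystemAccountSignons")
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for w in poll_windows(t0, t0 + timedelta(minutes=12), timedelta(minutes=5)):
        print(signon_url("wd2-impl-services1.workday.com", stem, w))
```

Whether a signon stamped exactly on a window boundary is returned by one poll or by both depends on how the Workday report treats its bounds, so check the first ingested events for duplicates at interval boundaries.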
Walkthrough Example using Users (Workday Report)
Users uses the exact same process for setting up a credential that SystemAccountSignons does, except the template does not need any time-series configuration (there are no API arguments for time; a full list of attributes is pulled each time).
Download the Workday Users Report Excel definition here.
Download the FortiSIEM Credential Definition JSON file for Workday Users, WorkdaySystem-Users_https_advanced_definition.json, here.
- Login to FortiSIEM GUI.
- Navigate to ADMIN > Setup > Credentials.
- Under Step 1: Enter Credentials, click New.
- In the Access Method Definition window, take the following steps.
- In the Name field, enter a name for the credential representing the API endpoint, for example, "Workday_System-Users".
- From the Device Type drop-down list, select Workday Enterprise Suite.
- Ensure the Access Protocol drop-down list has HTTPS Advanced selected. If it does not, select it from the drop-down list.
- In the Pull Interval field, set the pull interval. The default is 5 minutes.
- Click Import Definition in the lower left part of the Access Method Definition window.
- Select the file WorkdaySystem-Users_https_advanced_definition.json, and when prompted with the message "Definition will be overwritten, continue?", click Yes.
At this point, several parameters will be auto-filled, but some additional configuration is required.
- Click the Edit icon in the General Parameters row.
- In the Host Name field, enter the Workday report API hostname if it is different than wd2-impl-services1.workday.com.
- In the URI Stem field, replace the "<XXXX_here>" information with your report API endpoint information, following this format.
/ccx/service/customreport2/<tenantId_here>/<username_here>/FN_Users
- Click OK.
Note: The other options in General Parameters do not need to be checked.
- Click on the Edit icon in the Authentication Parameters row.
- In the User Name field, enter the Workday user's username that owns the reports, or has access to the reports.
- In the Password field, enter the password associated with the Workday username.
- In the Confirm Password field, re-enter the password associated with the Workday username.
- Click OK.
- Click Save.
- Under Step 2: Enter IP Range to Credential Associations, click New.
- From the Credentials drop-down list, select the Credentials you just created. The IP/Host Name field will auto-populate.
- Verify that the IP/Host Name field information is correct.
- Click Save.
- Select the Workday credential, click the Test drop-down list, and select Test Connectivity without Ping to start the polling job.
- From the top horizontal tab selection, click Pull Events to verify the job. You should see a yellow star symbol next to the new polling job. If the pull interval was left at its 5-minute default, it should take approximately 5 minutes for the first job to execute. Afterwards, a green checkbox will appear instead of a yellow star.
- Click ANALYTICS, and run a query such as EventType CONTAIN Workday-.
- Select the Edit Filters and Time Range... field
- Under Filter, select Event Attribute.
- Under Attribute, select/enter Event Type.
- From the Operator drop-down list, select CONTAIN.
- Under VALUE, enter "Workday-".
- Click Apply & Run.