Collect Workday audit logs

This document explains how to ingest Workday audit logs to Google Security Operations using AWS S3. The parser first identifies the specific event type from the logs based on pattern analysis of the CSV data. Then, it extracts and structures relevant fields according to the identified type, mapping them to a unified data model (UDM) for consistent security analysis.

Before you begin

Make sure you have the following prerequisites:

• Google SecOps instance
• Privileged access to AWS
• Privileged access to Workday

Configure AWS S3 bucket and IAM for Google SecOps

1. Create Amazon S3 bucket following this user guide: Creating a bucket.
2. Save bucket Name and Region for future reference (for example, workday-audit-logs).
3. Create a User following this user guide: Creating an IAM user.
4. Select the created User.
5. Select Security credentials tab.
6. Click Create Access Key in section Access Keys.
7. Select Third-party service as Use case.
8. Click Next.
9. Optional: Add description tag.
10. Click Create access key.
11. Click Download CSV file for save the Access Key and Secret Access Key for future reference.
12. Click Done.
13. Select Permissions tab.
14. Click Add permissions in section Permissions policies.
15. Select Add permissions.
16. Select Attach policies directly.
17. Search for and select the AmazonS3FullAccess policy.
18. Click Next.
19. Click Add permissions.

Create Workday Integration System User (ISU)

1. In Workday, search for Create Integration System User > OK.
2. Fill in the User Name (for example, audit_s3_user).
3. Click OK.
4. Reset the password by going to Related Actions > Security > Reset Password.
5. Select Maintain Password Rules to prevent the password from expiring.
6. Search for Create Security Group > Integration System Security Group (Unconstrained).
7. Provide a name (for example, ISU_Audit_S3) and add the ISU to Integration System Users.
8. Search for Domain Security Policies for Functional Area > System.
9. For Audit Trail, select Actions > Edit Permissions.
10. Under Get Only, add the ISU_Audit_S3 group.
11. Click OK > Activate Pending Security Policy Changes.

Configure Workday Custom Report

1. In Workday, search Create Custom Report.
2. Provide the following configuration details:
   • Name: Enter a unique name (for example, Audit_Trail_BP_JSON).
   • Type: Select Advanced.
   • Data Source: Select Audit Trail – Business Process.
   • Click OK.
   • Optional: Add filters on Business Process Type or Effective Date.
3. Go to Output tab.
4. Select Enable as Web Service, Optimized for Performance and select JSON Format.
5. Click OK > Done.
6. Open the report and click Share > add ISU_Audit_S3 with View permission > OK.
7. Go to Related Actions > Web Service > View URLs.
8. Copy the JSON URL (for example, https://wd-services1.workday.com/ccx/service/customreport2/<tenant>/<user>/Audit_Trail_BP_JSON?format=json).

Configure the IAM policy and role for S3 uploads

1. Policy JSON (replace workday-audit-logs if you entered a different bucket name):

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "AllowPutWorkdayObjects",
         "Effect": "Allow",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::workday-audit-logs/*"
       }
     ]
   }
   

2. Go to AWS console > IAM > Policies > Create policy > JSON tab.

3. Copy and paste the policy.

4. Click Next > Create policy.

5. Go to IAM > Roles > Create role > AWS service > Lambda.

6. Attach the newly created policy.

7. Name the role WriteWorkdayToS3Role and click Create role.

Create the Lambda function

1. After the function is created, open the Code tab, delete the stub and paste the code below (workday_audit_to_s3.py).

   #!/usr/bin/env python3
   
   import os, json, gzip, io, uuid, base64, datetime as dt, urllib.request, urllib.error
   import boto3
   
   WD_USER   = os.environ["WD_USER"]
   WD_PASS   = os.environ["WD_PASS"]
   WD_URL    = os.environ["WD_URL"]
   S3_BUCKET = os.environ["S3_BUCKET_NAME"]
   
   def fetch_report() -> bytes:
       credentials = f"{WD_USER}:{WD_PASS}".encode()
       auth_header = b"Basic " + base64.b64encode(credentials)
       req = urllib.request.Request(WD_URL, headers={"Authorization": auth_header.decode()})
       with urllib.request.urlopen(req, timeout=30) as r:
           return r.read()  # raw JSON bytes
   
   def upload(payload: bytes, ts: dt.datetime) -> None:
       key = f"{ts:%Y/%m/%d}/workday-audit-{uuid.uuid4()}.json.gz"
       buf = io.BytesIO()
       with gzip.GzipFile(fileobj=buf, mode="w") as gz:
           gz.write(payload)
       buf.seek(0)
       boto3.client("s3").upload_fileobj(buf, S3_BUCKET, key)
   
   def lambda_handler(event=None, context=None):
       now = dt.datetime.utcnow().replace(microsecond=0)
       data = fetch_report()
       upload(data, now)
       print(f"Uploaded Workday audit report ({len(data)} bytes raw)")
   
   if __name__ == "__main__":
       lambda_handler()
   

2. Go to Configuration > Environment variables > Edit > Add new environment variable.

3. Enter the following environment variables, replacing with your value.

   Environment variables

   Key	Example Values
   WD_USER	audit_s3_user
   WD_PASS	Wrokday-Password
   WD_URL	https://.../Audit_Trail_BP_JSON?format=json
   S3_BUCKET_NAME	workday-audit-logs

4. After the function is created, stay on its page (or open Lambda > Functions > your‑function).

5. Select the Configuration tab.

6. In the General configuration panel click Edit.

7. Change Timeout to 5 minutes (300 seconds) and click Save.

Schedule the Lambda function (EventBridge Scheduler)

1. Go to Configuration > Triggers > Add trigger > EventBridge Scheduler > Create rule.
2. Provide the following configuration details:
   • Name: daily-workday-audit export.
   • Schedule pattern: Cron expression.
   • Expression: 20 2 * * ? * (runs daily at 02:20 UTC).
3. Leave the rest as default and click Create.

Configure a feed in Google SecOps to ingest Workday Audit logs

1. Go to SIEM Settings > Feeds.
2. Click + Add New Feed.
3. In the Feed name field, enter a name for the feed (for example, Workday Audit Logs).
4. Select Amazon S3 V2 as the Source type.
5. Select Workday Audit as the Log type.
6. Click Get A Service Account.
7. Click Next.
8. Specify values for the following input parameters:
   • S3 URI: The bucket URI
     • s3://workday-audit-logs/.
       • Replace workday-audit-logs with the actual name of the bucket.
   • Source deletion options: Select deletion option according to your preference.
   • Maximum File Age: Include files modified in the last number of days. Default is 180 Days.
   • Access Key ID: User access key with access to the s3 bucket.
   • Secret Access Key: User secret key with access to the s3 bucket.
   • Asset namespace: The asset namespace.
   • Ingestion labels: The label to be applied to the events from this feed.
9. Click Next.
10. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Need more help? Get answers from Community members and Google SecOps professionals.