Workday Modeling Rule

Modeling Rule

Workday

Details

IDWorkday_Workday_ModelingRule
From Version8.3.0
Tagsworkday

Rules (XIF)

[MODEL: dataset=workday_activity_raw]
alter
    src_ip_v4 = if(ipAddress !~= ":", ipAddress, null),
    src_ip_v6 = if(ipAddress ~= ":", ipAddress, null)
| alter 
    xdm.source.user.username = systemAccount,
    xdm.observer.action = activityAction,
    xdm.source.user_agent = userAgent,
    xdm.event.id = taskId,
    xdm.source.host.device_category = deviceType,
    xdm.source.ipv4 = src_ip_v4,
    xdm.source.ipv6 = src_ip_v6,
    xdm.session_context_id = sessionId,
    xdm.event.operation_sub_type = taskDisplayName
| alter
    xdm.source.user.identifier = json_extract_scalar(`target`, "$.id"),
    xdm.target.host.device_category = json_extract_scalar(`target`, "$.descriptor"),
    xdm.target.url = json_extract_scalar(`target`, "$.href");

[MODEL: dataset=workday_signon_raw]
alter 
    // define util constants
    boolean_true = to_boolean("TRUE"),
    boolean_false = to_boolean("FALSE"),
    
    // add labels for enriching event description according to the boolean flags
    sigon_successful_label = if(to_string(Successful) = "1", "Signon was successful.", to_string(Successful) = "0", "Signon was unsuccessful.", lowercase(to_string(Successful)) = "true", "Signon was successful.", lowercase(to_string(Successful)) = "false", "Signon was unsuccessful."),
    account_disabled_or_expired_label = if(to_string(Account_Disabled_or_Expired) = "1", "Account is disabled or expired.", lowercase(to_string(Account_Disabled_or_Expired)) = "true", "Account is disabled or expired."),
    device_trusted_label = if(to_string(Device_is_Trusted) = "1", "Sign on is from a trusted device.", lowercase(to_string(Device_is_Trusted)) = "true", "Sign on is from a trusted device."),
    failed_signon_label = if(to_string(Failed_Signon) = "1", "An invalid password was supplied for the Signon attempt.", lowercase(to_string(Failed_Signon)) = "true", "An invalid password was supplied for the Signon attempt."),
    invalid_credentials_label = if(to_string(Invalid_Credentials) = "1", "User provided invalid credentials.", lowercase(to_string(Invalid_Credentials)) = "true", "User provided invalid credentials."),
    invalid_auth_channel_label = if(to_string(Invalid_for_Authentication_Channel) = "1", "Invalid for authentication channel.", lowercase(to_string(Invalid_for_Authentication_Channel)) = "true", "Invalid for authentication channel."),
    invalid_auth_policy_label = if(to_string(Invalid_for_Authentication_Policy) = "1", "Invalid for authentication policy.", lowercase(to_string(Invalid_for_Authentication_Policy)) = "true", "Invalid for authentication policy."),
    mfa_required_label = if(to_string(Requires_MFA) = "1", "MFA is required.", lowercase(to_string(Requires_MFA)) = "true", "MFA is required."),
    mfa_has_grace_label = if(to_string(Has_Grace_Period_for_MFA) = "1", "MFA has a grace period.", lowercase(to_string(Has_Grace_Period_for_MFA)) = "true", "MFA has a grace period."),
    mfa_auth_exempt_label = if(to_string(MFA_Authentication_Exempt) = "1", "MFA authentication is exempted.", lowercase(to_string(MFA_Authentication_Exempt)) = "true", "MFA authentication is exempted."),
    mfa_enrollment_label = if(to_string(MFA_Enrollment) = "1", "User is enrolled in MFA.", lowercase(to_string(MFA_Enrollment)) = "true", "User is enrolled in MFA."),
    password_change_required_label = if(to_string(Required_Password_Change) = "1", "Password change required.", lowercase(to_string(Required_Password_Change)) = "true", "Password change required."),
    password_reset_label = if(to_string(Forgotten_Password_Reset_Request) = "1", "A request was made to reset the password in the Signon attempt.", lowercase(to_string(Forgotten_Password_Reset_Request)) = "true", "A request was made to reset the password in the Signon attempt."),
    password_changed_label = if(to_string(Password_Changed) = "1", "The password was changed after the signon.", lowercase(to_string(Password_Changed)) = "true", "The password was changed after the signon."),
    read_only_label = if(to_string(Tenant_Access_Read_Only) = "1", "Read only Access is enabled for the signon.", lowercase(to_string(Tenant_Access_Read_Only)) = "true", "Read only Access is enabled for the signon.")
| alter
    // init useful flags & extract nested json properties 
    device_type_reference_id = Device_Type_Reference -> ID, 
    is_account_disabled = if(to_string(Account_Disabled_or_Expired) = "1", boolean_true, to_string(Account_Disabled_or_Expired) = "0", boolean_false, lowercase(to_string(Account_Disabled_or_Expired)) = "true", boolean_true, lowercase(to_string(Account_Disabled_or_Expired)) = "false", boolean_false),
    is_mfa_needed = if(to_string(Requires_MFA) = "1", boolean_true, to_string(Requires_MFA) = "0", boolean_false, lowercase(to_string(Requires_MFA)) = "true", boolean_true, lowercase(to_string(Requires_MFA)) = "false", boolean_false),
    is_password_change_required = if(to_string(Required_Password_Change) = "1", boolean_true, to_string(Required_Password_Change) = "0", boolean_false, lowercase(to_string(Required_Password_Change)) = "true", boolean_true, lowercase(to_string(Required_Password_Change)) = "false", boolean_false),
    is_sign_on_successful = if(to_string(Successful) = "1", boolean_true, to_string(Successful) = "0", boolean_false, lowercase(to_string(Successful)) = "true", boolean_true, lowercase(to_string(Successful)) = "false", boolean_false),
    mfa_authentication_type_id = Multi_Factor_Authentication_Type_Reference -> ID,
    os = lowercase(Operating_System),
    saml_identity_provider_id = SAML_Identity_Provider_Reference -> ID, 
    src_ipv4 = if(Signon_IP_Address ~= "\.", Signon_IP_Address),
    src_ipv6 = if(Signon_IP_Address ~= ":", Signon_IP_Address), 
    event_labels = arraycreate(sigon_successful_label, account_disabled_or_expired_label, device_trusted_label, failed_signon_label, invalid_credentials_label, invalid_auth_channel_label, invalid_auth_policy_label, mfa_required_label, mfa_has_grace_label, mfa_auth_exempt_label, mfa_enrollment_label, password_change_required_label, password_reset_label, password_changed_label, read_only_label)
| alter
    // map fields
    xdm.auth.auth_method = Authentication_Type,
    xdm.auth.is_mfa_needed = is_mfa_needed,
    xdm.auth.mfa.method = mfa_authentication_type_id, 
    xdm.auth.mfa.provider = if(to_string(MFA_Enrollment) = "1", saml_identity_provider_id, lowercase(to_string(MFA_Enrollment)) = "true", saml_identity_provider_id),
    xdm.event.type = if(is_sign_on_successful, "Successful Signon", is_sign_on_successful = false, "Signon Failure", "Signon"),
    xdm.event.description = arraystring(event_labels, " "),
    xdm.event.outcome = if(is_sign_on_successful, XDM_CONST.OUTCOME_SUCCESS, is_sign_on_successful = boolean_false, XDM_CONST.OUTCOME_FAILED, XDM_CONST.OUTCOME_UNKNOWN),
    xdm.event.outcome_reason = Authentication_Failure_Message, 
    xdm.logon.type = Authentication_Channel, 
    xdm.network.session_id = Short_Session_ID,
    xdm.network.tls.protocol_version = TLS_Version, 
    xdm.observer.unique_identifier = API_Client_ID,
    xdm.source.host.device_id = device_type_reference_id, 
    xdm.source.host.os = Operating_System, 
    xdm.source.host.os_family = if(os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, os contains "mac", XDM_CONST.OS_FAMILY_MACOS, os contains "linux", XDM_CONST.OS_FAMILY_LINUX, os contains "android", XDM_CONST.OS_FAMILY_ANDROID, os contains "ios", XDM_CONST.OS_FAMILY_IOS, os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, os contains "scada", XDM_CONST.OS_FAMILY_SCADA, Operating_System),
    xdm.source.ipv4 = src_ipv4,
    xdm.source.ipv6 = src_ipv6, 
    xdm.source.user_agent = Browser_Type,
    xdm.source.user.is_disabled = is_account_disabled,
    xdm.source.user.is_password_expired = is_password_change_required,
    xdm.source.user.username = to_string(User_Name),
    xdm.source.zone = Location;

Schema

workday_activity_raw

Field Type Array?
activityAction string
deviceType string
ipAddress string
requestTime datetime
sessionId string
systemAccount string
target string
taskDisplayName string
taskId string
userAgent string

workday_signon_raw

Field Type Array?
Account_Disabled_or_Expired string
Device_is_Trusted string
Failed_Signon string
Forgotten_Password_Reset_Request string
Has_Grace_Period_for_MFA string
Invalid_Credentials string
Invalid_for_Authentication_Channel string
Invalid_for_Authentication_Policy string
MFA_Authentication_Exempt string
MFA_Enrollment string
Password_Changed string
Required_Password_Change string
Requires_MFA string
Successful string
Tenant_Access_Read_Only string
access_restriction_reference string
api_client_id string
authentication_channel string
authentication_failure_message string
authentication_type string
browser_type string
device_type_reference string
location string
multi_factor_authentication_type_reference string
operating_system string
saml_identity_provider_reference string
short_session_id string
signoff_datetime datetime
signon_datetime datetime
signon_ip_address string
tls_version string
user_name string
Raw JSON
{
    "workday_activity_raw": {
        "systemAccount": {
            "type": "string",
            "is_array": false
        },
        "activityAction": {
            "type": "string",
            "is_array": false
        },
        "userAgent": {
            "type": "string",
            "is_array": false
        },
        "taskId": {
            "type": "string",
            "is_array": false
        },
        "deviceType": {
            "type": "string",
            "is_array": false
        },
        "ipAddress": {
            "type": "string",
            "is_array": false
        },
        "sessionId": {
            "type": "string",
            "is_array": false
        },
        "taskDisplayName": {
            "type": "string",
            "is_array": false
        },
        "target": {
            "type": "string",
            "is_array": false
        },
        "requestTime": {
            "type": "datetime",
            "is_array": false
        }
    },
    "workday_signon_raw": {
        "access_restriction_reference": {
            "type": "string",
            "is_array": false
        },
        "Account_Disabled_or_Expired": {
            "type": "string",
            "is_array": false
        },
        "api_client_id": {
            "type": "string",
            "is_array": false
        },
        "authentication_channel": {
            "type": "string",
            "is_array": false
        },
        "authentication_failure_message": {
            "type": "string",
            "is_array": false
        },
        "authentication_type": {
            "type": "string",
            "is_array": false
        },
        "browser_type": {
            "type": "string",
            "is_array": false
        },
        "Device_is_Trusted": {
            "type": "string",
            "is_array": false
        },
        "device_type_reference": {
            "type": "string",
            "is_array": false
        },
        "Failed_Signon": {
            "type": "string",
            "is_array": false
        },
        "Forgotten_Password_Reset_Request": {
            "type": "string",
            "is_array": false
        },
        "Has_Grace_Period_for_MFA": {
            "type": "string",
            "is_array": false
        },
        "Invalid_for_Authentication_Channel": {
            "type": "string",
            "is_array": false
        },
        "Invalid_for_Authentication_Policy": {
            "type": "string",
            "is_array": false
        },
        "Invalid_Credentials": {
            "type": "string",
            "is_array": false
        },
        "location": {
            "type": "string",
            "is_array": false
        },
        "MFA_Enrollment": {
            "type": "string",
            "is_array": false
        },
        "MFA_Authentication_Exempt": {
            "type": "string",
            "is_array": false
        },
        "multi_factor_authentication_type_reference": {
            "type": "string",
            "is_array": false
        },
        "operating_system": {
            "type": "string",
            "is_array": false
        },
        "Password_Changed": {
            "type": "string",
            "is_array": false
        },
        "Required_Password_Change": {
            "type": "string",
            "is_array": false
        },
        "Requires_MFA": {
            "type": "string",
            "is_array": false
        },
        "saml_identity_provider_reference": {
            "type": "string",
            "is_array": false
        },
        "short_session_id": {
            "type": "string",
            "is_array": false
        },
        "signon_datetime": {
            "type": "datetime",
            "is_array": false
        },
        "signoff_datetime": {
            "type": "datetime",
            "is_array": false
        },
        "signon_ip_address": {
            "type": "string",
            "is_array": false
        },
        "Successful": {
            "type": "string",
            "is_array": false
        },
        "Tenant_Access_Read_Only": {
            "type": "string",
            "is_array": false
        },
        "tls_version": {
            "type": "string",
            "is_array": false
        },
        "user_name": {
            "type": "string",
            "is_array": false
        }
    }
}