Rules (XIF)
[MODEL: dataset=workday_activity_raw]
alter
src_ip_v4 = if(ipAddress !~= ":", ipAddress, null),
src_ip_v6 = if(ipAddress ~= ":", ipAddress, null)
| alter
xdm.source.user.username = systemAccount,
xdm.observer.action = activityAction,
xdm.source.user_agent = userAgent,
xdm.event.id = taskId,
xdm.source.host.device_category = deviceType,
xdm.source.ipv4 = src_ip_v4,
xdm.source.ipv6 = src_ip_v6,
xdm.session_context_id = sessionId,
xdm.event.operation_sub_type = taskDisplayName
| alter
xdm.source.user.identifier = json_extract_scalar(`target`, "$.id"),
xdm.target.host.device_category = json_extract_scalar(`target`, "$.descriptor"),
xdm.target.url = json_extract_scalar(`target`, "$.href");
[MODEL: dataset=workday_signon_raw]
alter
// define util constants
boolean_true = to_boolean("TRUE"),
boolean_false = to_boolean("FALSE"),
// add labels for enriching event description according to the boolean flags
sigon_successful_label = if(to_string(Successful) = "1", "Signon was successful.", to_string(Successful) = "0", "Signon was unsuccessful.", lowercase(to_string(Successful)) = "true", "Signon was successful.", lowercase(to_string(Successful)) = "false", "Signon was unsuccessful."),
account_disabled_or_expired_label = if(to_string(Account_Disabled_or_Expired) = "1", "Account is disabled or expired.", lowercase(to_string(Account_Disabled_or_Expired)) = "true", "Account is disabled or expired."),
device_trusted_label = if(to_string(Device_is_Trusted) = "1", "Sign on is from a trusted device.", lowercase(to_string(Device_is_Trusted)) = "true", "Sign on is from a trusted device."),
failed_signon_label = if(to_string(Failed_Signon) = "1", "An invalid password was supplied for the Signon attempt.", lowercase(to_string(Failed_Signon)) = "true", "An invalid password was supplied for the Signon attempt."),
invalid_credentials_label = if(to_string(Invalid_Credentials) = "1", "User provided invalid credentials.", lowercase(to_string(Invalid_Credentials)) = "true", "User provided invalid credentials."),
invalid_auth_channel_label = if(to_string(Invalid_for_Authentication_Channel) = "1", "Invalid for authentication channel.", lowercase(to_string(Invalid_for_Authentication_Channel)) = "true", "Invalid for authentication channel."),
invalid_auth_policy_label = if(to_string(Invalid_for_Authentication_Policy) = "1", "Invalid for authentication policy.", lowercase(to_string(Invalid_for_Authentication_Policy)) = "true", "Invalid for authentication policy."),
mfa_required_label = if(to_string(Requires_MFA) = "1", "MFA is required.", lowercase(to_string(Requires_MFA)) = "true", "MFA is required."),
mfa_has_grace_label = if(to_string(Has_Grace_Period_for_MFA) = "1", "MFA has a grace period.", lowercase(to_string(Has_Grace_Period_for_MFA)) = "true", "MFA has a grace period."),
mfa_auth_exempt_label = if(to_string(MFA_Authentication_Exempt) = "1", "MFA authentication is exempted.", lowercase(to_string(MFA_Authentication_Exempt)) = "true", "MFA authentication is exempted."),
mfa_enrollment_label = if(to_string(MFA_Enrollment) = "1", "User is enrolled in MFA.", lowercase(to_string(MFA_Enrollment)) = "true", "User is enrolled in MFA."),
password_change_required_label = if(to_string(Required_Password_Change) = "1", "Password change required.", lowercase(to_string(Required_Password_Change)) = "true", "Password change required."),
password_reset_label = if(to_string(Forgotten_Password_Reset_Request) = "1", "A request was made to reset the password in the Signon attempt.", lowercase(to_string(Forgotten_Password_Reset_Request)) = "true", "A request was made to reset the password in the Signon attempt."),
password_changed_label = if(to_string(Password_Changed) = "1", "The password was changed after the signon.", lowercase(to_string(Password_Changed)) = "true", "The password was changed after the signon."),
read_only_label = if(to_string(Tenant_Access_Read_Only) = "1", "Read only Access is enabled for the signon.", lowercase(to_string(Tenant_Access_Read_Only)) = "true", "Read only Access is enabled for the signon.")
| alter
// init useful flags & extract nested json properties
device_type_reference_id = Device_Type_Reference -> ID,
is_account_disabled = if(to_string(Account_Disabled_or_Expired) = "1", boolean_true, to_string(Account_Disabled_or_Expired) = "0", boolean_false, lowercase(to_string(Account_Disabled_or_Expired)) = "true", boolean_true, lowercase(to_string(Account_Disabled_or_Expired)) = "false", boolean_false),
is_mfa_needed = if(to_string(Requires_MFA) = "1", boolean_true, to_string(Requires_MFA) = "0", boolean_false, lowercase(to_string(Requires_MFA)) = "true", boolean_true, lowercase(to_string(Requires_MFA)) = "false", boolean_false),
is_password_change_required = if(to_string(Required_Password_Change) = "1", boolean_true, to_string(Required_Password_Change) = "0", boolean_false, lowercase(to_string(Required_Password_Change)) = "true", boolean_true, lowercase(to_string(Required_Password_Change)) = "false", boolean_false),
is_sign_on_successful = if(to_string(Successful) = "1", boolean_true, to_string(Successful) = "0", boolean_false, lowercase(to_string(Successful)) = "true", boolean_true, lowercase(to_string(Successful)) = "false", boolean_false),
mfa_authentication_type_id = Multi_Factor_Authentication_Type_Reference -> ID,
os = lowercase(Operating_System),
saml_identity_provider_id = SAML_Identity_Provider_Reference -> ID,
src_ipv4 = if(Signon_IP_Address ~= "\.", Signon_IP_Address),
src_ipv6 = if(Signon_IP_Address ~= ":", Signon_IP_Address),
event_labels = arraycreate(sigon_successful_label, account_disabled_or_expired_label, device_trusted_label, failed_signon_label, invalid_credentials_label, invalid_auth_channel_label, invalid_auth_policy_label, mfa_required_label, mfa_has_grace_label, mfa_auth_exempt_label, mfa_enrollment_label, password_change_required_label, password_reset_label, password_changed_label, read_only_label)
| alter
// map fields
xdm.auth.auth_method = Authentication_Type,
xdm.auth.is_mfa_needed = is_mfa_needed,
xdm.auth.mfa.method = mfa_authentication_type_id,
xdm.auth.mfa.provider = if(to_string(MFA_Enrollment) = "1", saml_identity_provider_id, lowercase(to_string(MFA_Enrollment)) = "true", saml_identity_provider_id),
xdm.event.type = if(is_sign_on_successful, "Successful Signon", is_sign_on_successful = false, "Signon Failure", "Signon"),
xdm.event.description = arraystring(event_labels, " "),
xdm.event.outcome = if(is_sign_on_successful, XDM_CONST.OUTCOME_SUCCESS, is_sign_on_successful = boolean_false, XDM_CONST.OUTCOME_FAILED, XDM_CONST.OUTCOME_UNKNOWN),
xdm.event.outcome_reason = Authentication_Failure_Message,
xdm.logon.type = Authentication_Channel,
xdm.network.session_id = Short_Session_ID,
xdm.network.tls.protocol_version = TLS_Version,
xdm.observer.unique_identifier = API_Client_ID,
xdm.source.host.device_id = device_type_reference_id,
xdm.source.host.os = Operating_System,
xdm.source.host.os_family = if(os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, os contains "mac", XDM_CONST.OS_FAMILY_MACOS, os contains "linux", XDM_CONST.OS_FAMILY_LINUX, os contains "android", XDM_CONST.OS_FAMILY_ANDROID, os contains "ios", XDM_CONST.OS_FAMILY_IOS, os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, os contains "scada", XDM_CONST.OS_FAMILY_SCADA, Operating_System),
xdm.source.ipv4 = src_ipv4,
xdm.source.ipv6 = src_ipv6,
xdm.source.user_agent = Browser_Type,
xdm.source.user.is_disabled = is_account_disabled,
xdm.source.user.is_password_expired = is_password_change_required,
xdm.source.user.username = to_string(User_Name),
xdm.source.zone = Location;
Schema
workday_activity_raw
| Field |
Type |
Array? |
activityAction |
string |
— |
deviceType |
string |
— |
ipAddress |
string |
— |
requestTime |
datetime |
— |
sessionId |
string |
— |
systemAccount |
string |
— |
target |
string |
— |
taskDisplayName |
string |
— |
taskId |
string |
— |
userAgent |
string |
— |
workday_signon_raw
| Field |
Type |
Array? |
Account_Disabled_or_Expired |
string |
— |
Device_is_Trusted |
string |
— |
Failed_Signon |
string |
— |
Forgotten_Password_Reset_Request |
string |
— |
Has_Grace_Period_for_MFA |
string |
— |
Invalid_Credentials |
string |
— |
Invalid_for_Authentication_Channel |
string |
— |
Invalid_for_Authentication_Policy |
string |
— |
MFA_Authentication_Exempt |
string |
— |
MFA_Enrollment |
string |
— |
Password_Changed |
string |
— |
Required_Password_Change |
string |
— |
Requires_MFA |
string |
— |
Successful |
string |
— |
Tenant_Access_Read_Only |
string |
— |
access_restriction_reference |
string |
— |
api_client_id |
string |
— |
authentication_channel |
string |
— |
authentication_failure_message |
string |
— |
authentication_type |
string |
— |
browser_type |
string |
— |
device_type_reference |
string |
— |
location |
string |
— |
multi_factor_authentication_type_reference |
string |
— |
operating_system |
string |
— |
saml_identity_provider_reference |
string |
— |
short_session_id |
string |
— |
signoff_datetime |
datetime |
— |
signon_datetime |
datetime |
— |
signon_ip_address |
string |
— |
tls_version |
string |
— |
user_name |
string |
— |
Raw JSON
{
"workday_activity_raw": {
"systemAccount": {
"type": "string",
"is_array": false
},
"activityAction": {
"type": "string",
"is_array": false
},
"userAgent": {
"type": "string",
"is_array": false
},
"taskId": {
"type": "string",
"is_array": false
},
"deviceType": {
"type": "string",
"is_array": false
},
"ipAddress": {
"type": "string",
"is_array": false
},
"sessionId": {
"type": "string",
"is_array": false
},
"taskDisplayName": {
"type": "string",
"is_array": false
},
"target": {
"type": "string",
"is_array": false
},
"requestTime": {
"type": "datetime",
"is_array": false
}
},
"workday_signon_raw": {
"access_restriction_reference": {
"type": "string",
"is_array": false
},
"Account_Disabled_or_Expired": {
"type": "string",
"is_array": false
},
"api_client_id": {
"type": "string",
"is_array": false
},
"authentication_channel": {
"type": "string",
"is_array": false
},
"authentication_failure_message": {
"type": "string",
"is_array": false
},
"authentication_type": {
"type": "string",
"is_array": false
},
"browser_type": {
"type": "string",
"is_array": false
},
"Device_is_Trusted": {
"type": "string",
"is_array": false
},
"device_type_reference": {
"type": "string",
"is_array": false
},
"Failed_Signon": {
"type": "string",
"is_array": false
},
"Forgotten_Password_Reset_Request": {
"type": "string",
"is_array": false
},
"Has_Grace_Period_for_MFA": {
"type": "string",
"is_array": false
},
"Invalid_for_Authentication_Channel": {
"type": "string",
"is_array": false
},
"Invalid_for_Authentication_Policy": {
"type": "string",
"is_array": false
},
"Invalid_Credentials": {
"type": "string",
"is_array": false
},
"location": {
"type": "string",
"is_array": false
},
"MFA_Enrollment": {
"type": "string",
"is_array": false
},
"MFA_Authentication_Exempt": {
"type": "string",
"is_array": false
},
"multi_factor_authentication_type_reference": {
"type": "string",
"is_array": false
},
"operating_system": {
"type": "string",
"is_array": false
},
"Password_Changed": {
"type": "string",
"is_array": false
},
"Required_Password_Change": {
"type": "string",
"is_array": false
},
"Requires_MFA": {
"type": "string",
"is_array": false
},
"saml_identity_provider_reference": {
"type": "string",
"is_array": false
},
"short_session_id": {
"type": "string",
"is_array": false
},
"signon_datetime": {
"type": "datetime",
"is_array": false
},
"signoff_datetime": {
"type": "datetime",
"is_array": false
},
"signon_ip_address": {
"type": "string",
"is_array": false
},
"Successful": {
"type": "string",
"is_array": false
},
"Tenant_Access_Read_Only": {
"type": "string",
"is_array": false
},
"tls_version": {
"type": "string",
"is_array": false
},
"user_name": {
"type": "string",
"is_array": false
}
}
}