
I'm looking to set up ingestion so that user activity logs / audit logs from Workday are ingested into SecOps SIEM.

The documentation on the SecOps site is proving vague and somewhat contradictory. Workday is supported as an `API` (Third Party API) source type for ingestion, and the documentation is clear that this will enable ingestion of Workday entity context (`WORKDAY` log type).

However, I can't find a definitive answer as to whether we can ingest Workday audit logs (`WORKDAY_AUDIT`) or Workday user activity logs (`WORKDAY_USER_ACTIVITY`) via API, or if we will have to set up a separate ingestion mechanism. The Feed Management API documentation seems to suggest that it is supported but without a default parser, which contradicts the Supported log types and default parsers page, which shows that there is a default parser. Additionally, the section of the Feed Management API documentation for Workday shows that it only hits API endpoints related to user entities, not activity logs.

Does anyone have Workday audit/activity logs being ingested as a Third Party API source, or has attempted this and found it doesn't work?


Hi effytw,


I haven't tested it myself, but I do think it's possible to ingest WORKDAY_AUDIT and WORKDAY_USER_ACTIVITY logs and have that data use the respective default parsers. You might open a support case to have the Feed Management API doc corrected, because WORKDAY_AUDIT does appear to now have a default parser. I think for WORKDAY_AUDIT and WORKDAY_USER_ACTIVITY you will have to configure an ingestion mechanism, as you suspected.


https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers


Hope this helps.


@effytw We do support WORKDAY logs through the third-party API. WORKDAY_AUDIT and WORKDAY_USER_ACTIVITY would have to be ingested through a different source type such as Google Cloud Storage, Pub/Sub, Azure Blob Storage, Amazon S3, etc. I've provided a screenshot below showing that the two log types show up under a source type (Google Cloud Storage) other than Third-party API. So just to summarize: WORKDAY events can go through the third-party API; WORKDAY_AUDIT and WORKDAY_USER_ACTIVITY have to be ingested through a different source type (Google Cloud Storage, for example).

One other note, they all have a default parser.
