[workday][activity] Add Activity datastream

.github/CODEOWNERS

@@ -599,6 +599,7 @@
 /packages/withsecure_elements @elastic/security-service-integrations @elastic/sit-crest-contractors
 /packages/wiz @elastic/security-service-integrations @elastic/sit-crest-contractors
 /packages/wmi @elastic/obs-infraobs-integrations
+/packages/workday @elastic/security-service-integrations
 /packages/zeek @elastic/integration-experience
 /packages/zerofox @elastic/security-service-integrations @elastic/sit-crest-contractors
 /packages/zeronetworks @elastic/security-service-integrations @elastic/sit-crest-contractors

packages/workday/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@v9.3.0

packages/workday/_dev/build/docs/README.md

@@ -0,0 +1,159 @@
+# Workday
+
+## Overview
+
+[Workday](https://www.workday.com/en-in/homepage.html) is a cloud-based ERP system that manages business processes and allows organizations to use an integrated application. Workday is a coherent cloud ERP system for financial analysis, analytical solutions, HCM suites, and better business processes.
+
+The Workday integration for Elastic collects `Activity Logs` via **API** and visualizes them in Kibana.
+
+### Compatibility
+
+The Workday integration is compatible with API version **v1**.
+
+### How it works
+
+This integration periodically queries the Workday API to retrieve logs.
+
+## What data does this integration collect?
+
+This integration collects log messages of the following type:
+
+- `Activity`: Collects [Activity Logs](https://community.workday.com/sites/default/files/file-hosting/restapi/#privacy/v1/get-/activityLogging) logs via Workday API (endpoint: `/activityLogging`).
+
+### Supported use cases
+
+Integrating Workday with Elastic gives security and IT teams centralized visibility into **Workday activity logging**, so you can monitor configuration and usage changes, support audits, and investigate suspicious behavior from Kibana.
+
+The **Activity** dashboard summarizes key patterns such as **activity volume over time** and **top actors**, helping you spot unusual spikes and focus on the users and operations that matter.
+
+Built-in filters make it easier to narrow events by attributes such as **task**, **system account**, and **IP address**, which supports faster triage and a more consistent investigation workflow across your Workday telemetry.
+
+## What do I need to use this integration?
+
+### From Workday
+
+#### Collect Workday API credentials
+
+##### Enable User Activity Logging
+
+1. Sign in to your Workday tenant as a Security Administrator.
+2. In the Workday search bar, search for and open the Edit Tenant Setup - System task.
+3. In the Security section, select the Enable User Activity Logging checkbox.
+4. Click OK to save the changes.
+
+**Note:** Once enabled, Workday records all user activity in a secure tenant database. Activity logging must be enabled before any logs are available for export.
+
+#### Create Integration System User (ISU)
+
+1. In the Workday search bar, search for Create Integration System User.
+2. Enter a User Name (for example, ISU_SIEM_Export) and a strong Password.
+3. Clear the Require New Password at Next Sign In checkbox.
+4. Click OK.
+5. Search for Create Security Group and create an Integration System Security Group (Unconstrained).
+6. Add the ISU (ISU_SIEM_Export) to this security group.
+7. Search for View Domain and locate the User Activity Logging domain. Grant Get access to the ISU security group for this domain.
+8. Search for Activate Pending Security Policy Changes and activate the changes.
+
+#### Register API client for OAuth
+
+1. In the Workday search bar, search for Register API Client for Integrations.
+2. Enter a Client Name (for example, SIEM_OAuth_Client).
+3. Select the Non-Expiring Refresh Tokens option.
+4. Add the scope: System (or the scope required for User Activity Logging API).
+5. Click OK.
+6. Copy and save the following details in a secure location:
+   - Client ID: The API client identifier.
+   - Client Secret: The API client secret.
+7. Search for Manage Refresh Tokens for Integrations.
+8. Select the ISU account (ISU_SIEM_Export).
+9. Generate a new refresh token for the API client.
+10. Copy and save the Refresh Token.
+
+#### Determine tenant URL
+
+The API endpoint is based on your Workday tenant. The format is:
+
+Component   | Value
+
+Token endpoint | https://HOST/ccx/oauth2/TENANT/token
+
+Activity Logging API |	https://HOST/ccx/api/privacy/v1/TENANT/activityLogging
+
+**Note:** Replace HOST with your Workday hostname and TENANT with your tenant name.
+
+**Note:** For additional Workday API security context, see [Generating API Keys for the Workday API](https://workday.my.site.com/customercenter/article?no=000013105&redirect=false).
+
+## How do I deploy this integration?
+
+This integration supports both Elastic Agentless-based and Agent-based installations.
+
+### Agentless-based installation
+
+Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
+
+### Agent-based installation
+
+Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
+
+### Configure the integration
+
+1. In the top search bar in Kibana, search for **Integrations**.
+2. In the search bar, type **Workday**.
+3. Select the **Workday** integration from the search results.
+4. Select **Add Workday** to add the integration.
+5. Enable and configure only the collection methods which you will use.
+
+    * To **Collect Workday logs via API**, you'll need to:
+
+        - Configure **Hostname**.
+        - Configure **Tenant**.
+        - Configure **Client ID**.
+        - Configure **Client Secret**.
+        - Configure **Refresh Token**.
+        - Adjust the integration configuration parameters if required, including the **Interval**, **Initial Interval**, **Preserve original event** etc. to enable data collection.
+
+6. Select **Save and continue** to save the integration.
+
+### Validation
+
+#### Dashboard populated
+
+1. In the top search bar in Kibana, search for **Dashboards**.
+2. In the search bar, type **Workday**.
+3. Select a dashboard for the dataset you are collecting, and verify the dashboard information is populated.
+
+## Troubleshooting
+
+For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems).
+
+## Performance and scaling
+
+For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation.
+
+## Reference
+
+### ECS field reference
+
+#### Activity
+
+{{fields "activity"}}
+
+### Example event
+
+#### Activity
+
+{{event "activity"}}
+
+### Inputs used
+
+These input is used in the integration:
+
+- [CEL](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel)
+
+### API usage
+
+This integration uses the following Workday API:
+
+**Activity**: [Workday Activity API documentation](https://community.workday.com/sites/default/files/file-hosting/restapi/#privacy/v1/get-/activityLogging).

packages/workday/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,17 @@
+version: '3.0'
+services:
+  workday:
+    image: docker.elastic.co/observability/stream:v0.20.0
+    hostname: workday
+    ports:
+      - 8090
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: '8090'
+    command:
+      - http-server
+      - --addr=:8090
+      - --config=/files/config.yml
+      - --tls-cert=/files/workday.crt
+      - --tls-key=/files/workday.key

packages/workday/_dev/deploy/docker/files/config.yml

@@ -0,0 +1,152 @@
+rules:
+  - path: /ccx/oauth2/tenant/token
+    methods: ['POST']
+    query_params:
+      grant_type: ['refresh_token']
+      refresh_token: ['refresh_token']
+      client_id: ['client_id']
+      client_secret: ['client_secret']
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type: application/json
+        body: |
+          {{ minify_json `
+          {
+            "access_token": "xxxx",
+            "token_type": "Bearer",
+            "refresh_token": "refresh_token"
+          }
+          `}}
+  - path: /ccx/api/privacy/v1/tenant/activityLogging
+    methods: ['GET']
+    query_params:
+      offset: ['0']
+      limit: ['2']
+      from: ['{from:.*}']
+      to: ['{to:.*}']
+    request_headers:
+      Authorization:
+        - 'Bearer xxxx'
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - application/json
+        body: |
+          {{ minify_json `
+          {
+            "total": 5,
+            "data": [
+              {
+                "activityAction": "READ",
+                "taskId": "e67b812850dc100047be196f396d745f",
+                "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36",
+                "requestTime": "2026-04-02T12:46:18.012Z",
+                "taskDisplayName": "privacy/activityLogging/userActivity (GET) (v1 -  )",
+                "systemAccount": "wd-implementer",
+                "deviceType": "Desktop",
+                "ipAddress": "127.0.0.1",
+                "sessionId": "c7c6ff"
+              },
+              {
+                "activityAction": "READ",
+                "systemAccount": "wd-implementer",
+                "requestTime": "2026-04-07T08:02:58.655Z",
+                "taskDisplayName": "Get OMS Session Data (Web Service)",
+                "sessionId": "c91278",
+                "target": {
+                  "descriptor": "wd-implementer / Workday Implementer",
+                  "id": "64700e15a04847f6ac13343b007478e3"
+                },
+                "taskId": "dc1bea8c446c11de98360015c5e6daf6",
+                "ipAddress": "127.0.0.1",
+                "deviceType": "Desktop",
+                "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"
+              }
+            ]
+          }
+          `}}
+  - path: /ccx/api/privacy/v1/tenant/activityLogging
+    methods: ['GET']
+    query_params:
+      offset: ['2']
+      limit: ['2']
+      from: ['{from:.*}']
+      to: ['{to:.*}']
+    request_headers:
+      Authorization:
+        - 'Bearer xxxx'
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - application/json
+        body: |
+          {{ minify_json `
+          {
+            "total": 5,
+            "data": [
+              {
+                "activityAction": "OTHER",
+                "systemAccount": "wd-implementer",
+                "requestTime": "2026-04-07T10:29:14.163Z",
+                "taskDisplayName": "absenceManagement/balances/view (GET) (v1 -  )",
+                "sessionId": "2b6938",
+                "taskId": "842800d7bb0210006a09e472785f010b",
+                "ipAddress": "127.0.0.1",
+                "deviceType": "Desktop",
+                "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36 Edg/146.0.0.0"
+              },
+              {
+                "activityAction": "READ",
+                "systemAccount": "wd-implementer",
+                "requestTime": "2026-04-07T18:34:42.548Z",
+                "taskDisplayName": "Submit OAuth 2.0 Consent (Web Service)",
+                "sessionId": "a5097e",
+                "taskId": "8b086034c8ec49e79b0f13af87e911ea",
+                "ipAddress": "127.0.0.1",
+                "deviceType": "Desktop",
+                "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36"
+              }
+            ]
+          }
+          `}}
+  - path: /ccx/api/privacy/v1/tenant/activityLogging
+    methods: ['GET']
+    query_params:
+      offset: ['4']
+      limit: ['2']
+      from: ['{from:.*}']
+      to: ['{to:.*}']
+    request_headers:
+      Authorization:
+        - 'Bearer xxxx'
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - application/json
+        body: |
+          {{ minify_json `
+          {
+            "total": 5,
+            "data": [
+              {
+                "activityAction": "READ",
+                "systemAccount": "wd-implementer",
+                "requestTime": "2026-04-07T19:03:29.024Z",
+                "taskDisplayName": "Get OMS Session Data (Web Service)",
+                "sessionId": "6fe14f",
+                "target": {
+                  "descriptor": "wd-implementer / Workday Implementer",
+                  "id": "64700e15a04847f6ac13343b007478e3"
+                },
+                "taskId": "dc1bea8c446c11de98360015c5e6daf6",
+                "ipAddress": "127.0.0.1",
+                "deviceType": "Desktop",
+                "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"
+              }
+            ]
+          }
+          `}}

packages/workday/_dev/deploy/docker/files/workday.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJTCCAg2gAwIBAgIUV+67DSMtT/+uSt4qDbY6IDwlJawwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLc3ZjLXdvcmtkYXkwHhcNMjYwNjAxMTMwODIxWhcNMzYw
+NTI5MTMwODIxWjAWMRQwEgYDVQQDDAtzdmMtd29ya2RheTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAKGf75wHU2B9niPdBS+QKuvQwWhtfPJxWtwpBtj6
+hqleBEAD1+fq02u0hflu9rEBxCcXYt8cQzVd0cW4zUvqk+78lwIcv3NelyHcwsEu
+sfAhFXnL08axQVYc3oYzy2dQNnYH7lEGmY8/N31umXeTojPlDji9xTaExQ6Mj83y
+QXQ1DajdHlirw8Qf8cnKPZtW50zyf7MGSTYiLgOvv9pFhwLL8eMKhJo23+c+B7GI
+lGUOzQZV9VfzgQRpDpRnLeKghRwltverMkadxXlVAKlbXuhSDJluo2NCZ3+wBrj4
+IuMX0+IB6o6eZWnnJgPrQ5DN4WJdwjmmMQ7LTyUw3/hXjw0CAwEAAaNrMGkwHQYD
+VR0OBBYEFDla3DE7Dm0f35w6PiMqslosh2HNMB8GA1UdIwQYMBaAFDla3DE7Dm0f
+35w6PiMqslosh2HNMA8GA1UdEwEB/wQFMAMBAf8wFgYDVR0RBA8wDYILc3ZjLXdv
+cmtkYXkwDQYJKoZIhvcNAQELBQADggEBAGb/wSyfnXpK9z7GqKnJ2JA3RkRdudHT
+sy7j0Q0W0Cr6VeVj+paiRwQtMXriNOMzWvJ2cTMRp4l181XMnLvasQTqOASHpM1G
+Ra0eEmITzhdJsiyW585fAL+hyvthzo8f4r/9rm3NwDQdFQt9akGw1nnuFzd2+K/b
+c0GJiVBgNKp3Q1u7MeEQK/kKjzKP5qsB34aJNxWdzKF7rFaRQPtBcGh15zfxpcOJ
+VrEdkgusmHeI8Q4yKPu2Vopaq29dg3iW/FLsXeTAOYeo9KfgSXt3cxMPrrwtJEwG
+nWd6q0A8Ec8udGavtotazOi9g+F16fNTaUVk8bXkoTUezwSe/IfGRw4=
+-----END CERTIFICATE-----

packages/workday/_dev/deploy/docker/files/workday.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQChn++cB1NgfZ4j
+3QUvkCrr0MFobXzycVrcKQbY+oapXgRAA9fn6tNrtIX5bvaxAcQnF2LfHEM1XdHF
+uM1L6pPu/JcCHL9zXpch3MLBLrHwIRV5y9PGsUFWHN6GM8tnUDZ2B+5RBpmPPzd9
+bpl3k6Iz5Q44vcU2hMUOjI/N8kF0NQ2o3R5Yq8PEH/HJyj2bVudM8n+zBkk2Ii4D
+r7/aRYcCy/HjCoSaNt/nPgexiJRlDs0GVfVX84EEaQ6UZy3ioIUcJbb3qzJGncV5
+VQCpW17oUgyZbqNjQmd/sAa4+CLjF9PiAeqOnmVp5yYD60OQzeFiXcI5pjEOy08l
+MN/4V48NAgMBAAECggEAH8gKXt0V6Rhqe1Tfyy2HMx22mmlFM4tUuYwbu5jv1+gT
+396hmwoTDs/NtHG8cqwNPT6dA5BUKu9K651eSTpUYp8qtpCemPoVr+PwK/qZpMVs
+qqmI+D4swdklbLBMpAEi5GzE0QwCMCfXKoQQC3JtZ9T3yfKPEBxlf2nmcTHc6xOf
+jXoP91LVMQ7Orn6N23a8GJKnoEFGb9ngY9AxEqru7WmfdScj/xJ6ObnhmlHqHaUY
+BaVfgMiWpKjmZitpH5n1m+SdwsazGEplsuWfNtKNzMcYjZMguKUO1OMOIZQz2SBp
+ULw1gXVehk4hykVf6IZ8h5g3Z9EmVNWq/R0TMiA25QKBgQDUKsVpK3T3NXAVgFCg
+o8caodHaQwgqHPeabiuQeB37xOFxziPFUCoAIu1z9IB+6/2iTMM6ueGbmo0y1n3a
+9NJew0kLUy+0lRJmgArDZ2DSpzfIPZFVQewYU8GFGJ647Bqmez3Omwp/yki79DjJ
+RVd+vH0U4oZzRRTSGC5rUhpmywKBgQDDBAzA2Xy2qxgJof0cwhLMQ9q8x9Zq4XVs
+RwSsjjHr5eIjxgaHOd7rpF6no50uiAqEzEIdKh2/P3nc/fCl9tyv0NJ3fThUfmb1
+bODBCH56jEsrBIZFVaVh3Zs2Tj2dRP5cR6WmwTPet4sGMSqZAg2yIEprHB0tAyR8
+AJe8HpzOhwKBgGdCScHdvJd0EpDkWllUXFrB1vh7F0YnwvoOFHXDgBRAxdg1k4M8
+eLSISzjcDo23HUIYSgwS25J3rbDIY4hlDt2//ZTdb6JbyxDH0HU5ow3jBGsYS9tK
+sjVEzjKQwO8POgk8geBD5OA8+xk+y0Rp0yODaPz5IqaHQJLf4fephd/xAoGATO7G
+ETY7StzISNSMw9GUFN0X5612WwfCiQqjP2eBLiysP6yZWrNry842QS/8jCTC8Yya
+8GJzBcWGz7WmP/LZMMrSnKzbkgmjmGJxb/Vn3/SEmt3YEnYtHiSMXKoVCHv1VHY3
+VUeWrN//ilvPEDmNKZ4vfX3DzMQWmoypT19MQPUCgYEAm/7B0ODsShmrwphl/g4c
+szD4iuwhPc8KoR3HZn1eYsBTxW2nQtklunek155XioYKYCeKNEx4hreZZESAcTs6
+WZOskIskE/Ta0Kcu5QWxyrIhsBHnNx+R/AGXTK33u1E2LbAcvPuahWIso8eYKPj5
+VqdTHeOjkhC/JwjTCbQI82E=
+-----END PRIVATE KEY-----

packages/workday/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: '0.1.0'
+  changes:
+    - description: Add support for activity data stream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/19319