---
title: Workday new mobile device added to user account
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Workday new mobile device added to user
  account
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Workday new mobile device added to user account
Classification:attackTactic:[TA0003-persistence](https://attack.mitre.org/tactics/TA0003)Technique:[T1098-account-manipulation](https://attack.mitre.org/techniques/T1098) 
## Goal{% #goal %}

Detect when a user registers an Android or iOS device within their Workday account for mobile access. Generates a higher-priority signal when registration occurs from a client IP address that threat intelligence classifies as malicious.

## Technical Context{% #technical-context %}

Workday mobile enrollment ties a physical device to an employee identity. Attackers who obtain credentials may add a device they control to receive push notifications, approve actions, or maintain persistent access after password rotation.

## Triage and Response{% #triage-and-response %}

1. Ask the user through an established channel whether they enrolled a new phone or tablet for Workday around the event time.
1. Review client IP, geolocation, and user agent; compare to the user's typical mobile carrier and home or office locations.
1. Check for correlated high-risk events (password reset, MFA change, contact or payroll updates, unusual report activity) in the same session or day.
1. Declare an incident if the new device enrollment cannot be confirmed as legitimate.
