---
title: Workday new integration system user created
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Workday new integration system user
  created
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Workday new integration system user created
Classification:attackTactic:[TA0003-persistence](https://attack.mitre.org/tactics/TA0003)Technique:[T1098-account-manipulation](https://attack.mitre.org/techniques/T1098) 
## Goal{% #goal %}

Detect when a user creates a new Workday integration system user, which is an account type used for programmatic API access to the tenant.

## Technical Context{% #technical-context %}

Workday is a Human Resources Information System. Integration system users authenticate integrations that read or write HR, payroll, and benefits data at scale. A malicious or over-privileged integration can exfiltrate data or automate payroll changes.

Creation of integration system users should be infrequent, change-controlled, and limited to administrators or integration owners who document the consumer system and least-privilege security domain.

## Triage and Response{% #triage-and-response %}

1. Confirm whether the user is on the team that owns Workday integrations or tenant administration.
1. Locate the corresponding change ticket for the integration, owning application, and approved security domain for the new user.
1. Review client IP, geolocation, and user agent for the session; compare to prior administrative sign-ins for the same account.
1. Inspect the new integration system user's name, security groups, and scoped integrations to ensure least privilege.
1. If creation was not expected or documentation is missing, disable the integration user pending review and declare an incident when appropriate.
