---
title: Workday sensitive custom report generated
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Workday sensitive custom report
  generated
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Workday sensitive custom report generated
Classification:attackTactic:[TA0010-exfiltration](https://attack.mitre.org/tactics/TA0010)Technique:[T1567-exfiltration-over-web-service](https://attack.mitre.org/techniques/T1567) 
## Goal{% #goal %}

Detect users generating Workday reports that include sensitive data, which may indicate reconnaissance activity or potential data exfiltration attempts.

## Technical Context{% #technical-context %}

Workday is a Human Resources Information System containing sensitive employee and organizational data. This rule monitors the execution of custom reports to identify users who access data related to payments, elections, or a large export of employee records. Such behavior could indicate attackers using stolen credentials to systematically gather intelligence on employees.

## Triage and Response{% #triage-and-response %}

1. Check if the user has a legitimate business role requiring access to multiple reports (such as HR analysts, auditors, or managers during review cycles).
1. Review the specific reports accessed to understand the scope and sensitivity of data involved. Look for patterns that suggest systematic data collection.
1. Examine the IP addresses, user agents, and timing patterns for signs of automated or suspicious access patterns.
1. Compare this activity to the user's historical report generation patterns to identify deviations from normal behavior.
1. Look for correlated suspicious activity across other data sources for the same user, including unusual file downloads, database queries, or email patterns.
1. For users in legitimate roles, reach out to their manager or the HR and payroll team to validate whether bulk report generation aligns with current business activities (such as performance reviews, audits, or compliance reporting).
1. If the activity cannot be justified by legitimate business needs or shows signs of malicious intent, declare an incident.
