---
title: Workday employee payment elections changed
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Workday employee payment elections
  changed
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Workday employee payment elections changed
Classification:attackTactic:[TA0040-impact](https://attack.mitre.org/tactics/TA0040)Technique:[T1098-account-manipulation](https://attack.mitre.org/techniques/T1098) 
## Goal{% #goal %}

Detect when a user adds or manages payment elections in Workday. Generates a higher-priority signal when the activity originates from a client IP address that threat intelligence classifies as suspicious.

## Technical Context{% #technical-context %}

Payment elections control how and where pay is disbursed. The Workday logs `Add Payment Elections` and `Manage Payment Elections` are high impact because they can redirect salary or reimbursements.

## Triage and Response{% #triage-and-response %}

1. Review the client IP, geolocation, and user agent; correlate them with other Workday or IdP sessions for the same user in the same window.
1. Verify with the user that they initiated the bank account change.
1. Inspect related Workday activity (contact changes, other bank account updates, report exports) for the impacted employee and for the initiating user.
1. Coordinate with your HR team if you need technical assistance.
1. If suspicious activity is confirmed, consider freezing the affected accounts and declaring an incident.
