---
title: Workday employee contact information changed
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Workday employee contact information
  changed
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Workday employee contact information changed
Classification:attackTactic:[TA0040-impact](https://attack.mitre.org/tactics/TA0040)Technique:[T1098-account-manipulation](https://attack.mitre.org/techniques/T1098) 
## Goal{% #goal %}

Detect when a user changes employee contact information in Workday. Generates a higher-priority signal when the change originates from a client IP address that threat intelligence classifies as suspicious.

## Technical Context{% #technical-context %}

Workday stores phone numbers, email addresses, and other contact details used for authentication notices, password recovery, and HR communications. Unauthorized updates to contact fields can be related to account takeover.

This detection groups activity by the acting user and evaluates `Change Contact Information` audit events.

## Triage and Response{% #triage-and-response %}

1. Review the client IP, geolocation, and user agent; correlate them with other Workday or IdP sessions for the same user in the same window.
1. Verify with the user that they initiated the contact information change.
1. Inspect related Workday activity (bank account updates, report exports, or other actions) for the impacted employee.
1. Coordinate with your HR team if you need technical assistance.
1. If suspicious activity is confirmed, consider freezing the affected accounts and declaring an incident.
