---
title: Workday new API client created
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > Workday new API client created
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Workday new API client created
Classification:attackTactic:[TA0003-persistence](https://attack.mitre.org/tactics/TA0003)Technique:[T1098-account-manipulation](https://attack.mitre.org/techniques/T1098) 
## Goal{% #goal %}

Detect when a new API client is registered in Workday.

## Technical Context{% #technical-context %}

Workday is a Human Resources Information System. API clients in Workday can be used to programmatically access sensitive HR data and perform administrative functions.

If a threat actor gains the ability to create API clients, they could establish persistent access to HR systems and potentially extract sensitive employee information or modify HR data.

Creating API clients should be a rare administrative action performed only by authorized personnel.

Any API client creation outside of expected HR operations warrants investigation.

## Triage and Response{% #triage-and-response %}

1. Check whether the user (`{{@usr.email}}`) is a member of the HR team or has legitimate business justification for creating API clients.
1. Review the IP addresses and user agents for relevant threat intelligence or suspicious characteristics. Check whether the IP addresses have historically been used for legitimate activity.
1. Look at recent and historical Workday activity by the user (`{{@usr.email}}`) for any abnormal patterns of behavior.
1. Reach out to HR to validate whether the API client creation was expected and authorized.
1. If the nature of the activity is suspicious and requires further investigation, declare an incident.
