Collect Microsoft LAPS logs
This document explains how to ingest Microsoft Windows LAPS (Local Administrator Password Solution) logs to Google Security Operations using the Bindplane agent.
Windows LAPS manages local administrator account passwords on domain-joined devices and generates event log entries for password rotation, policy processing, and management operations. The parser extracts fields from Windows Event Log XML format and maps them to the Unified Data Model (UDM).
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- Windows Server 2016 or later with the Bindplane agent installed
- If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
- Windows LAPS configured and deployed in your environment
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File.
- Save the file securely on the system where the Bindplane agent will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer ID from the Organization Details section.
Install the Bindplane agent
- Open Command Prompt or PowerShell as an administrator.
- Run the following command:
  ```
  msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
  ```
- Wait for the installation to complete.
- Verify the installation by running:
  ```
  sc query observiq-otel-collector
  ```
  The service should show as RUNNING.
Additional installation resources
For additional installation options and troubleshooting, see the Bindplane agent installation guide.
Configure the Bindplane agent to ingest Windows Event Log and send to Google SecOps
Locate the configuration file
- Use the following syntax to locate the configuration file:
  ```
  notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"
  ```
Edit the configuration file
- Replace the entire contents of config.yaml with the following configuration:
  ```yaml
  receivers:
    windowseventlog/laps_operational:
      channel: Microsoft-Windows-LAPS/Operational
      max_reads: 100
      poll_interval: 5s
      raw: true
      start_at: end
  processors:
    batch:
  exporters:
    chronicle/laps:
      creds_file_path: 'C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json'
      customer_id: '<customer_id>'
      endpoint: malachiteingestion-pa.googleapis.com
      log_type: WINDOWS_LAPS
      override_log_type: false
      raw_log_field: body
  service:
    pipelines:
      logs/laps:
        receivers:
          - windowseventlog/laps_operational
        processors: [batch]
        exporters: [chronicle/laps]
  ```
Configuration parameters
Replace the following placeholders:
- Receiver configuration:
  - channel: Windows Event Log channel to read from (Microsoft-Windows-LAPS/Operational)
  - max_reads: Maximum number of log entries to read per poll cycle
  - poll_interval: How frequently to poll for new events
  - start_at: Where to begin reading (end for new events only)
- Exporter configuration:
  - creds_file_path: Full path to the ingestion authentication file (C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json)
  - customer_id: Customer ID copied from the Google SecOps console
  - endpoint: Regional endpoint URL:
    - US: malachiteingestion-pa.googleapis.com
    - Europe: europe-malachiteingestion-pa.googleapis.com
    - Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
    - See Regional Endpoints for the complete list
Save the configuration file
Click File > Save.
Restart the Bindplane agent to apply the changes
- Command Prompt or PowerShell as administrator:
  ```
  net stop observiq-otel-collector && net start observiq-otel-collector
  ```
- Services console:
  - Press Win+R, type services.msc, and press Enter.
  - Locate observIQ OpenTelemetry Collector.
  - Right-click and select Restart.
- Verify the service is running:
  ```
  sc query observiq-otel-collector
  ```
- Check logs for errors:
  ```
  type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
  ```
Configure Microsoft Windows LAPS
- Type eventvwr.msc at an elevated command prompt and press ENTER to open Event Viewer.
- Go to Applications and Services Logs > Microsoft > Windows > LAPS.
- Expand LAPS.
- Right-click LAPS, and then click Properties.
- Select the Enable logging checkbox.
- Click OK when asked if the log is enabled.
- Click OK.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| Channel | read_only_udm.additional.fields.key | Value is taken from the Channel field in the raw log and assigned to the key field. |
| Channel | read_only_udm.additional.fields.value.string_value | Value is taken from the Channel field in the raw log and assigned to the string_value field. |
| Computer | read_only_udm.principal.hostname | Value is taken from the Computer field in the raw log. |
| Computer | read_only_udm.principal.asset.hostname | Value is taken from the Computer field in the raw log. |
| EventData.%1 | read_only_udm.additional.fields.value.string_value | Value is taken from the EventData.%1 field in the raw log and assigned to the string_value field. |
| EventId | read_only_udm.metadata.product_event_type | Value is taken from the EventId field in the raw log. |
| EventId | read_only_udm.security_result.rule_name | Value is taken from the EventId field in the raw log and appended to EventID:. |
| EventRecordID | read_only_udm.metadata.product_log_id | Value is taken from the EventRecordID field in the raw log. |
| Keywords | read_only_udm.additional.fields.key | Value is taken from the Keywords field in the raw log and assigned to the key field. |
| Keywords | read_only_udm.additional.fields.value.string_value | Value is taken from the Keywords field in the raw log and assigned to the string_value field. |
| Level | read_only_udm.security_result.severity | Value is taken from the Level field in the raw log and mapped to: INFORMATIONAL for INFO, Informational, Information, Normal, NOTICE; ERROR for ERROR, Error; CRITICAL for Critical. |
| Opcode | read_only_udm.additional.fields.key | Value is taken from the Opcode field in the raw log and assigned to the key field. |
| Opcode | read_only_udm.additional.fields.value.string_value | Value is taken from the Opcode field in the raw log and assigned to the string_value field. |
| ProcessID | read_only_udm.principal.process.pid | Value is taken from the ProcessID field in the raw log. |
| ProviderName | read_only_udm.metadata.product_name | Value is taken from the ProviderName field in the raw log. |
| Task | read_only_udm.additional.fields.key | Value is taken from the Task field in the raw log and assigned to the key field. |
| Task | read_only_udm.additional.fields.value.string_value | Value is taken from the Task field in the raw log and assigned to the string_value field. |
| ThreadID | read_only_udm.additional.fields.key | Value is taken from the ThreadID field in the raw log and assigned to the key field. |
| ThreadID | read_only_udm.additional.fields.value.string_value | Value is taken from the ThreadID field in the raw log and assigned to the string_value field. |
| TimeCreated | read_only_udm.metadata.event_timestamp | Value is taken from the TimeCreated field in the raw log, parsed as a UNIX_MS timestamp. |
| TimeCreated | events.timestamp | Value is taken from the TimeCreated field in the raw log, parsed as a UNIX_MS timestamp. |
| Version | read_only_udm.additional.fields.key | Value is taken from the Version field in the raw log and assigned to the key field. |
| Version | read_only_udm.additional.fields.value.string_value | Value is taken from the Version field in the raw log and assigned to the string_value field. |
| | read_only_udm.additional.fields.key | Assigned the value EventData_P1. |
| | read_only_udm.metadata.event_type | Conditionally assigned STATUS_UNCATEGORIZED if EventId is 7 or 2, else GENERIC_EVENT. |
| | read_only_udm.metadata.vendor_name | Assigned the value Microsoft. |
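As an added example (not Google's parser and not part of this page), the following Python applies the mapping rules in the table above to a constructed raw LAPS event in Event Log XML form, which is the shape the receiver emits with raw: true. The sample XML, the rendering of numeric Level values to the level names the table lists, the exact "EventID:" prefix spacing, and the handling of levels the table does not list are all assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LEVEL_NAMES = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information", 5: "Verbose"}  # standard Windows levels
SEVERITY = {**dict.fromkeys(("INFO", "Informational", "Information", "Normal", "NOTICE"), "INFORMATIONAL"),
            "ERROR": "ERROR", "Error": "ERROR", "Critical": "CRITICAL"}
# Constructed sample event (illustrative values, not a captured log).
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-LAPS"/><EventID>2</EventID><Version>0</Version><Level>4</Level><Task>0</Task>
<Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2024-01-15T10:30:00.1234567Z"/>
<EventRecordID>1234</EventRecordID><Execution ProcessID="1000" ThreadID="2000"/><Computer>ws01.example.local</Computer>
<Channel>Microsoft-Windows-LAPS/Operational</Channel></System><EventData><Data>sample</Data></EventData></Event>"""

def parse_system_time(value: str) -> int:
    # SystemTime carries up to 7 fractional digits; trim to 6 for %f and return UNIX_MS.
    m = re.match(r"(.*?)(?:\.(\d+))?Z$", value)
    frac = (m.group(2) or "")[:6].ljust(6, "0")
    dt = datetime.strptime(f"{m.group(1)}.{frac}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return (dt - datetime(1970, 1, 1, tzinfo=timezone.utc)) // timedelta(milliseconds=1)

def extract_fields(xml_text: str) -> dict:
    # Flatten <System> and the first <Data> element into the field names used by the table.
    root = ET.fromstring(xml_text)
    sys_ = root.find("e:System", NS)
    fields = {t: sys_.findtext(f"e:{t}", default="", namespaces=NS)
              for t in ("Channel", "Computer", "Version", "Task", "Opcode", "Keywords", "EventRecordID")}
    fields["EventId"] = sys_.findtext("e:EventID", namespaces=NS)
    fields["Level"] = LEVEL_NAMES.get(int(sys_.findtext("e:Level", namespaces=NS)), "")
    fields["ProviderName"] = sys_.find("e:Provider", NS).get("Name")
    fields["TimeCreated"] = sys_.find("e:TimeCreated", NS).get("SystemTime")
    fields["ProcessID"], fields["ThreadID"] = (sys_.find("e:Execution", NS).get(a) for a in ("ProcessID", "ThreadID"))
    fields["EventData.%1"] = root.findtext("e:EventData/e:Data", default="", namespaces=NS)
    return fields

def to_udm(f: dict) -> dict:
    meta = {"vendor_name": "Microsoft", "product_name": f["ProviderName"], "product_event_type": f["EventId"],
            "product_log_id": f["EventRecordID"], "event_timestamp": parse_system_time(f["TimeCreated"]),
            "event_type": "STATUS_UNCATEGORIZED" if f["EventId"] in ("7", "2") else "GENERIC_EVENT"}
    extra = {k: f[k] for k in ("Channel", "Keywords", "Opcode", "Task", "ThreadID", "Version")}
    extra["EventData_P1"] = f["EventData.%1"]
    # Assumption: the prefix literal is "EventID:"; the table does not show whether a space follows it.
    result = {"rule_name": "EventID:" + f["EventId"]}
    if f["Level"] in SEVERITY:  # levels the table does not list (e.g. Warning) stay unmapped
        result["severity"] = SEVERITY[f["Level"]]
    return {"metadata": meta, "security_result": result, "additional": {"fields": extra},
            "principal": {"hostname": f["Computer"], "asset": {"hostname": f["Computer"]},
                          "process": {"pid": f["ProcessID"]}}}
```

Running to_udm(extract_fields(SAMPLE_EVENT_XML)) yields STATUS_UNCATEGORIZED (EventId 2), severity INFORMATIONAL (Level 4) and a millisecond timestamp, which is a quick way to sanity-check a raw event against the table before it reaches the pipeline.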