Collect Microsoft LAPS logs
Supported in:
This document explains how to ingest Microsoft Windows LAPS (Local Administrator Password Solution) logs to Google Security Operations using the Bindplane agent.
Windows LAPS manages local administrator account passwords on domain-joined devices and generates event log entries for password rotation, policy processing, and management operations. The parser extracts fields from Windows Event Log XML format and maps them to the Unified Data Model (UDM).
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- Windows Server 2016 or later with the Bindplane agent installed
- If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
- Windows LAPS configured and deployed in your environment
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File.
Save the file securely on the system where the Bindplane agent will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.
Install the Bindplane agent
- Open Command Prompt or PowerShell as an administrator.
Run the following command:
msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quietWait for the installation to complete.
Verify the installation by running:
sc query observiq-otel-collectorThe service should show as RUNNING.
Additional installation resources
For additional installation options and troubleshooting, see the Bindplane agent installation guide.
Configure the Bindplane agent to ingest Windows Event Log and send to Google SecOps
Locate the configuration file
Use the following syntax to locate the configuration file:
notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"
Edit the configuration file
Replace the entire contents of
config.yamlwith the following configuration:receivers: windowseventlog/laps_operational: channel: Microsoft-Windows-LAPS/Operational max_reads: 100 poll_interval: 5s raw: true start_at: end processors: batch: exporters: chronicle/laps: creds_file_path: 'C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json' customer_id: '<customer_id>' endpoint: malachiteingestion-pa.googleapis.com log_type: WINDOWS_LAPS override_log_type: false raw_log_field: body service: pipelines: logs/laps: receivers: - windowseventlog/laps_operational processors: [batch] exporters: [chronicle/laps]
Configuration parameters
Replace the following placeholders:
Receiver configuration:
channel: Windows Event Log channel to read from (Microsoft-Windows-LAPS/Operational)max_reads: Maximum number of log entries to read per poll cyclepoll_interval: How frequently to poll for new eventsstart_at: Where to begin reading (endfor new events only)
Exporter configuration:
creds_file_path: Full path to ingestion authentication file (C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json)customer_id: Customer ID copied from the Google SecOps consoleendpoint: Regional endpoint URL:- US:
malachiteingestion-pa.googleapis.com - Europe:
europe-malachiteingestion-pa.googleapis.com - Asia:
asia-southeast1-malachiteingestion-pa.googleapis.com - See Regional Endpoints for complete list
- US:
Save the configuration file
Click File > Save.
Restart the Bindplane agent to apply the changes
Command Prompt or PowerShell as administrator:
net stop observiq-otel-collector && net start observiq-otel-collectorServices console:
- Press
Win+R, typeservices.msc, and press Enter. - Locate observIQ OpenTelemetry Collector.
Right-click and select Restart.
Verify the service is running:
sc query observiq-otel-collectorCheck logs for errors:
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
- Press
Configure Microsoft Windows LAPS
- Type
eventvwr.mscat an elevated command prompt and press ENTER to open Event Viewer. - Go to Applications and Services Logs > Microsoft > Windows > LAPS.
- Expand LAPS.
- Right-click LAPS, and then click Properties.
- Select the Enable logging checkbox.
- Click OK when asked if the log is enabled.
- Click OK.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| Channel | read_only_udm.additional.fields.key | Value is taken from the Channel field in the raw log and assigned to the key field. |
| Channel | read_only_udm.additional.fields.value.string_value | Value is taken from the Channel field in the raw log and assigned to the string_value field. |
| Computer | read_only_udm.principal.hostname | Value is taken from the Computer field in the raw log. |
| Computer | read_only_udm.principal.asset.hostname | Value is taken from the Computer field in the raw log. |
| EventData.%1 | read_only_udm.additional.fields.value.string_value | Value is taken from the EventData.%1 field in the raw log and assigned to the string_value field. |
| EventId | read_only_udm.metadata.product_event_type | Value is taken from the EventId field in the raw log. |
| EventId | read_only_udm.security_result.rule_name | Value is taken from the EventId field in the raw log and appended to EventID:. |
| EventRecordID | read_only_udm.metadata.product_log_id | Value is taken from the EventRecordID field in the raw log. |
| Keywords | read_only_udm.additional.fields.key | Value is taken from the Keywords field in the raw log and assigned to the key field. |
| Keywords | read_only_udm.additional.fields.value.string_value | Value is taken from the Keywords field in the raw log and assigned to the string_value field. |
| Level | read_only_udm.security_result.severity | Value is taken from the Level field in the raw log and mapped to: INFORMATIONAL for INFO, Informational, Information, Normal, NOTICE; ERROR for ERROR, Error; CRITICAL for Critical. |
| Opcode | read_only_udm.additional.fields.key | Value is taken from the Opcode field in the raw log and assigned to the key field. |
| Opcode | read_only_udm.additional.fields.value.string_value | Value is taken from the Opcode field in the raw log and assigned to the string_value field. |
| ProcessID | read_only_udm.principal.process.pid | Value is taken from the ProcessID field in the raw log. |
| ProviderName | read_only_udm.metadata.product_name | Value is taken from the ProviderName field in the raw log. |
| Task | read_only_udm.additional.fields.key | Value is taken from the Task field in the raw log and assigned to the key field. |
| Task | read_only_udm.additional.fields.value.string_value | Value is taken from the Task field in the raw log and assigned to the string_value field. |
| ThreadID | read_only_udm.additional.fields.key | Value is taken from the ThreadID field in the raw log and assigned to the key field. |
| ThreadID | read_only_udm.additional.fields.value.string_value | Value is taken from the ThreadID field in the raw log and assigned to the string_value field. |
| TimeCreated | read_only_udm.metadata.event_timestamp | Value is taken from the TimeCreated field in the raw log, parsed as UNIX_MS timestamp. |
| TimeCreated | events.timestamp | Value is taken from the TimeCreated field in the raw log, parsed as UNIX_MS timestamp. |
| Version | read_only_udm.additional.fields.key | Value is taken from the Version field in the raw log and assigned to the key field. |
| Version | read_only_udm.additional.fields.value.string_value | Value is taken from the Version field in the raw log and assigned to the string_value field. |
| read_only_udm.additional.fields.key | Assigned the value EventData_P1. |
|
| read_only_udm.metadata.event_type | Conditionally assigned STATUS_UNCATEGORIZED if EventId is 7 or 2, else GENERIC_EVENT. |
|
| read_only_udm.metadata.vendor_name | Assigned the value Microsoft. |
Need more help? Get answers from Community members and Google SecOps professionals.