Collect Microsoft LAPS logs
===========================

Last updated (UTC): 2025-09-04.

Supported in:
Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

This document explains how to ingest Microsoft LAPS (Local Administrator Password Solution) logs into Google Security Operations using Bindplane. The parser first extracts the JSON-formatted data from the `message` field and then parses the `EventData` field within the extracted JSON. It then maps the extracted fields to the Unified Data Model (UDM) schema, categorizes the event type based on the `EventId`, and finally merges all the processed data into the output event.

Before you begin
----------------

Ensure that you have the following prerequisites:

- A Google SecOps instance
- If running behind a proxy, firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open
- Privileged access to a Microsoft Windows Server with LAPS

Get Google SecOps ingestion authentication file
-----------------------------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings > Collection Agents**.
3. Download the **Ingestion Authentication File**. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID
-----------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings > Profile**.
3. Copy and save the **Customer ID** from the **Organization Details** section.

Install the Bindplane agent
---------------------------

### Windows installation

1. Open the **Command Prompt** or **PowerShell** as an administrator.
2. Run the following command:

   ```
   msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
   ```

### Additional installation resources

For additional installation options, consult the [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).

Configure the Bindplane agent to ingest Syslog and send to Google SecOps
------------------------------------------------------------------------

1. Access the configuration file:
   - Locate the `config.yaml` file. Typically, it's in the installation directory on Windows.
   - Open the file using a text editor (for example, Notepad).
2. Edit the `config.yaml` file as follows:

   ```yaml
   receivers:
     windowseventlog/laps_operational:
       channel: Microsoft-Windows-LAPS/Operational
       max_reads: 100
       poll_interval: 5s
       raw: true
       start_at: end

   processors:
     batch:

   exporters:
     chronicle/laps:
       # Adjust the path to the credentials file you downloaded in Step 1
       creds: '/path/to/ingestion-authentication-file.json'
       # Replace with your actual customer ID from Step 2
       customer_id: <customer_id>
       endpoint: malachiteingestion-pa.googleapis.com
       # Add optional ingestion labels for better organization
       log_type: 'WINDOWS_LAPS'
       override_log_type: false
       raw_log_field: body

   service:
     pipelines:
       logs/laps:
         receivers:
           - windowseventlog/laps_operational
         processors: [batch]
         exporters: [chronicle/laps]
   ```

3. Replace `<customer_id>` with the actual Customer ID.
4. Update `/path/to/ingestion-authentication-file.json` to the path where the authentication file was saved in the [Get Google SecOps ingestion authentication file](/chronicle/docs/ingestion/default-parsers/microsoft-laps#get-auth-file) section.

Restart the Bindplane agent to apply the changes
------------------------------------------------

- To restart the Bindplane agent in Windows, you can either use the **Services** console or enter the following command:

  ```
  net stop BindPlaneAgent && net start BindPlaneAgent
  ```

Configure Microsoft Windows LAPS
--------------------------------

1. Type `eventvwr.msc` at an elevated **command prompt** and press ENTER to open **Event Viewer**.
2. Go to **Applications and Services Logs > Microsoft > Windows > LAPS**.
3. Expand **LAPS**.
4. Right-click **LAPS**, and then click **Properties**.
5. Select the **Enable logging** checkbox.
6. Click **OK** when asked if the log is enabled.
7. Click **OK**.

UDM mapping table
-----------------

**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)
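The following PowerShell script is an added example, not part of this document, Bindplane, or Google SecOps. It scripts the Event Viewer steps in the "Configure Microsoft Windows LAPS" section (enabling the Operational channel) and then checks the Windows side of the pipeline end to end: the channel is producing events, the `channel` value in `config.yaml` matches, the agent service is running, and the ingestion endpoint is reachable. It assumes the service name `BindPlaneAgent` from the restart command above and a placeholder `config.yaml` path that you must adjust.

```powershell
# Added example (not from the Google SecOps documentation or the Bindplane project).
# Run in an elevated PowerShell session on the Windows Server that runs LAPS.
# Assumptions: the service is named BindPlaneAgent (as in the restart command above)
# and config.yaml lives at $ConfigPath (placeholder; set it to your installation path).

$Channel    = 'Microsoft-Windows-LAPS/Operational'
$Endpoint   = 'malachiteingestion-pa.googleapis.com'
$ConfigPath = 'C:\path\to\config.yaml'   # placeholder, adjust to your install directory

# 1. The channel only exists when Windows LAPS is present; -ErrorAction Stop surfaces that.
$log = Get-WinEvent -ListLog $Channel -ErrorAction Stop

# 2. Enable logging if it is off (scripted equivalent of the "Enable logging" checkbox).
if (-not $log.IsEnabled) {
    wevtutil sl $Channel /e:true
    $log = Get-WinEvent -ListLog $Channel
}
'{0}: enabled={1}, records={2}' -f $Channel, $log.IsEnabled, $log.RecordCount

# 3. With start_at: end the receiver ships only events written after it starts, so
#    confirm the channel is actually producing events before troubleshooting the agent.
Get-WinEvent -LogName $Channel -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# 4. The receiver's channel name in config.yaml must match the channel above exactly.
if (Test-Path $ConfigPath) {
    $m = Select-String -Path $ConfigPath -Pattern '^\s*channel:\s*(\S+)' | Select-Object -First 1
    if ($m -and $m.Matches[0].Groups[1].Value -ne $Channel) {
        Write-Warning "config.yaml channel '$($m.Matches[0].Groups[1].Value)' does not match '$Channel'"
    }
}

# 5. Agent service running, and the ingestion endpoint reachable on TCP 443 (firewall prerequisite).
$svc = Get-Service -Name 'BindPlaneAgent' -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    Write-Warning 'BindPlaneAgent service is not running; restart it after editing config.yaml'
}
$net = Test-NetConnection -ComputerName $Endpoint -Port 443 -WarningAction SilentlyContinue
if (-not $net.TcpTestSucceeded) {
    Write-Warning "TCP 443 to $Endpoint failed; check proxy and firewall rules"
}
```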