The SSE docs https://docs.splunksecurityessentials.com/data-onboarding-guides/windows-security-logs/ don't mention AD data. How should these be indexed?
For security use cases, the most important data source is Windows Security Logs from the Active Directory Domain Controllers. The guide you linked (or found in the app) will absolutely cover those logs.
The second most significant data source is Active Directory itself, via admon. That is documented here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorActiveDirectory
The third data source that we often see from domain controllers is DNS and DHCP data, if your domain controller is serving as a DNS server for external resolution, or serving as a DHCP server for production use cases. For those, we recommend pulling in data via Splunk Stream. We have docs in SSE for pulling in DNS, and you can configure DHCP the same way:
https://docs.splunksecurityessentials.com/data-onboarding-guides/stream-dns/
There are of course also official docs for Stream:
https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/AboutSplunkAppforStream
Hopefully that helps!
Per this: https://docs.splunk.com/Documentation/WindowsAddOn/7.0.0/User/Upgrade
It talks about using msad, wineventlog, perfmon, winevents, and windows indexes.
Prior to me seeing the SSE on boarding a few weeks ago, I was unaware of using oswin, oswinsec, and oswinscript indexes. I am going through and updating my TA_windows to make use of these. The question though, is do I leave all the admon stanzas to point to msad ?
The indexes that are included in SSE were provided to me by Splunk PS, so generally speaking you should use the SSE versions.
Summoning @rfaircloth_splunk in case he has other opinions.
I generally use "appmsadmon" as the admon index