I have just been handed the Splunk application for our organization. I've been asked to work with our security team to create some audit ability that can monitor changes to sensitive groups, changes to privileged accounts, changes to GPO's, all servers accessed by specific user in last x days, all changes that a given user has made in AD in x days, etc. We are still defining what we want audited with Splunk, but I just wondered if anyone have a group of security audits already in place that can make some recommendations.
At my previous company, I implemented the https://splunkbase.splunk.com/app/1059/ "splunk app for active directory" . The security team used it daily in monitoring Active Directory and some of the things you referenced. I would start there.
The document they reference, http://aka.ms/bpsadtrd , is thorough, but may be overwhelming. Of particular interest is Appendix L, which provides a list of the event codes to monitor. That should get you started into which EventCodes you can use to build your alerts and dashboards.
We just added SkyFormation into Splunkbase approved apps, you can see it here - https://splunkbase.splunk.com/app/2787/
SkyFormation currently provides you with Discover and governance for your cloud application usage, but we are definitely planning on providing business cloud app policies similar to the ones you mention above.
If your company use business cloud apps such as sales force I'd be happy to learn more about your needs.