Security

How to do Basic Integration of AD into InfoSec App?

elaborateGecko
Explorer

Hello,

Thank you for taking the time to consider my question. I'm currently working on getting the InfoSec App (https://splunkbase.splunk.com/app/4240/) integrated via the Common Information Model with Active Directory logs that are obtained either through the Splunk Supporting Add-on for Active Directory or the Splunk Add-on for Microsoft Windows.

There doesn't seem to be any really good documentation for this process for beginners, even though this is likely a very easy integration for Splunk admins given how many use cases there are for it and the prevalence of AD in large organizations.

My question is: how do people normally ingest data from AD through an inputs.conf (please link documentation of an example inputs.conf file that does this, if it exists; I can't find one), and what are some best practices for indexes that are supported for mapping AD auth data to CIM by default? I'm not trying to do anything special here; it just seems like this should have tutorials all over the place, and nobody has taken the time to really explain the process from start to finish, which is extremely frustrating for people trying to teach this to themselves without expensive Splunk OnDemand support having to walk you through it.

Any help regarding this would be greatly appreciated. For context, I have already installed both Supporting Add-ons for MSFT and AD on the indexer/search head, and installed the Splunk TA for Windows on the actual AD host, where I'm assuming I need to use some sort of admon configuration to monitor Active Directory, but it's unclear what index I should be sending them to, and how that index should be configured on the search head.
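The configuration the question asks for, as an added illustration rather than the poster's own setup or Splunk's documentation: the Windows TA's `WinEventLog://` and `admon://` input stanzas on the domain controller forwarder, the matching index definitions on the indexer, and the CIM index macro on the search head that points the Authentication data model at those events. The index names `wineventlog` and `msad` and the app directory `<your_indexes_app>` are assumptions; every stanza and attribute name is a real Splunk conf key. The Splunk Supporting Add-on for Active Directory is search-time only (it provides the `ldapsearch` command) and does not ingest anything through inputs.conf, so it is not part of this file.

```ini
# --- On the domain controller (universal forwarder) ---
# File: $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/inputs.conf
# Index names (wineventlog, msad) are assumptions for this example; they must
# exist on the indexer and match the CIM index macros on the search head.

# Security log: logon, logoff and Kerberos ticket events (4624, 4625, 4768,
# 4769, 4771, 4776) that the Windows TA tags for the CIM Authentication model.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
index = wineventlog

# Directory Service channel on DCs: replication and LDAP interface events.
[WinEventLog://Directory Service]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
index = wineventlog

# Active Directory monitoring input (admon): object changes in the directory.
# Blank targetDc = nearest DC; blank startingNode = whole directory tree.
[admon://NearestDC]
targetDc =
startingNode =
monitorSubtree = 1
baseline = 0
printSchema = 1
disabled = 0
index = msad

# --- On the indexer ---
# File: $SPLUNK_HOME/etc/apps/<your_indexes_app>/local/indexes.conf
# (<your_indexes_app> is a placeholder for whichever app carries your indexes)
[wineventlog]
homePath   = $SPLUNK_DB/wineventlog/db
coldPath   = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb

[msad]
homePath   = $SPLUNK_DB/msad/db
coldPath   = $SPLUNK_DB/msad/colddb
thawedPath = $SPLUNK_DB/msad/thaweddb

# --- On the search head ---
# File: $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local/macros.conf
# Scope the Authentication data model to the index above so the InfoSec App
# dashboards, which search the accelerated model, actually see the AD events.
[cim_Authentication_indexes]
definition = (index=wineventlog)
```

`renderXml = true` matches the default in recent Windows TA releases and yields the `XmlWinEventLog:Security` sourcetype that the TA's CIM extractions expect; keep it the same on every forwarder so one host does not produce a second sourcetype. After the macro is set, enable acceleration on the Authentication data model (Settings > Data models) and confirm with `| tstats count from datamodel=Authentication by Authentication.action` that events are arriving before looking at the InfoSec App dashboards. The `msad` index is not consumed by the CIM Authentication model; it is where admon object-change data lands for the Change data model and ad-hoc searches.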
