When enabling the [admon://default] inputs stanza, you will collect AD data to Splunk.
When enabling the [WinEventLog://Security] inputs stanza, you will collect the security logs.
These stanzas are in the inputs.conf file in the TAs (AD and Windows):
Windows: https://splunkbase.splunk.com/app/742/
AD: https://splunkbase.splunk.com/app/3207/
Place these apps on forwarders to collect data, on indexers to create the correct indexes for logs, and on search heads for search-time field extractions and knowledge objects.
Now, when you have all the data you need, create searches. Here is a small sample search that will return created accounts in AD:
sourcetype=WinEventLog:Security object_category="user" msad_action="created"
| eval CreatedBy = mvindex(Security_ID,0)
| table _time user CreatedBy ComputerName
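Added example, not part of the original answer: a Python sketch of what `mvindex(Security_ID,0)` in the search above selects on an account-creation event. It assumes the event text lists the Subject (creator) block before the New Account block, so the first Security ID value is the creator; the sample event and all function names are constructed for illustration.

```python
import re

# Constructed sample: message body of a Windows Security account-creation
# event. All SIDs and account names are made up.
SAMPLE_EVENT = """A user account was created.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1104
\tAccount Name:\t\thelpdesk01
\tAccount Domain:\t\tEXAMPLE
\tLogon ID:\t\t0x2A4F1

New Account:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1650
\tAccount Name:\t\tsvc_backup
\tAccount Domain:\t\tEXAMPLE
"""

# "Key:<whitespace>value" lines only; block headers such as "Subject:" have
# no value on the same line and are skipped.
KEY_VALUE = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]+(\S.*?)[ \t]*$", re.MULTILINE)


def extract_fields(message):
    """Return {field_name: [values]}, keeping values in event order.

    A key that repeats (Security ID, Account Name) becomes a multivalue
    list, which is why the search needs mvindex() to pick one value.
    """
    fields = {}
    for key, value in KEY_VALUE.findall(message):
        fields.setdefault(key.replace(" ", "_"), []).append(value)
    return fields


def mvindex(values, index):
    """Mimic SPL mvindex(): the value at index, or None if out of range."""
    try:
        return values[index]
    except IndexError:
        return None


def created_by(message):
    """Split the multivalue Security_ID into creator and new account."""
    sids = extract_fields(message).get("Security_ID", [])
    return {"CreatedBy": mvindex(sids, 0), "NewAccountSid": mvindex(sids, 1)}


if __name__ == "__main__":
    print(created_by(SAMPLE_EVENT))
```

If the extraction order differed, index 0 would name the wrong account as creator, so check a known creation event before alerting on `CreatedBy`.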