I obviously have the Active Directory Add-On installed, however when configuring the obvious questions looms, what is the best practice to get it talking to your Active Directory environment (behind firewalls, internal etc.)
Or is it easier to simply forward AD logs and create searches from those events?
Thanks
if the add-on is your concern,
https://splunkbase.splunk.com/app/3207/
install on the forwarder (and on splunk cloud instance, it has indexes.conf in it) that sits on AD, enable admon and other related inputs.
resstart forwarded
see the data in splunk cloud
hope it helps
are you referring to the add-on:
https://splunkbase.splunk.com/app/3207/
or the SA?
https://splunkbase.splunk.com/app/1151/
The Splunk Add-on for Microsoft Active Directory