From Splunk Wiki
Using AD monitoring with list lookups to add details to your Windows Event Log data
AD is a great repository for metadata about your IT environment, including user names, email accounts and phone numbers as well as information about hosts and services. Once that data is in Splunk, you can combine it with the list lookup feature to add information at search time.
One example is translating SIDs and GUIDs from gibberish to human-readable names of objects. If you are using a third-party tool to pull logs and it just gives SIDs and GUIDs and you need to look up what they correspond to, you can use the dynamic list lookup feature to translate those IDs into useful data.
How it works
A saved search runs against the ADmon sourcetype and generates the SID and GUID lookup tables. An entry in props.conf then uses those tables to append dc_name to events coming from the Windows Event Logs. You can use this feature to generate lookups for any other data available in your AD instance.
For more information about using list lookups, refer to "Add fields from external data sources" in the Knowledge Manager Manual.
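The flow described above, written out as Splunk configuration for the SID case (a GUID lookup follows the same pattern). This is an added example, not configuration from the original page. The stanza names, lookup file name, schedule, the WinEventLog:Security sourcetype, and the field names objectSid, dcName, sid and Sid are assumptions to adapt to your own data.

```ini
# --- savedsearches.conf ---
# Scheduled search that rebuilds the SID lookup table from AD monitoring events.
# Assumption: ADmon events carry the fields objectSid and dcName.
[Generate AD SID lookup]
search = sourcetype=ADmon objectSid=* \
    | stats latest(dcName) AS dc_name BY objectSid \
    | rename objectSid AS sid \
    | outputlookup ad_sid_lookup.csv
enableSched = 1
# Assumed schedule: once an hour, looking back over the last 24 hours.
cron_schedule = 0 * * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now

# --- transforms.conf ---
# Registers the CSV written by outputlookup as a named lookup table.
[ad_sid_lookup]
filename = ad_sid_lookup.csv

# --- props.conf ---
# Applies the lookup automatically at search time to Windows Event Log events.
# Assumption: the event-side field holding the SID is named Sid.
# Column "sid" in the table is matched against "Sid" in the event,
# and dc_name is appended to every event that matches.
[WinEventLog:Security]
LOOKUP-ad_sid = ad_sid_lookup sid AS Sid OUTPUT dc_name
```

Events whose SID is not yet in the table are returned without dc_name, so the lookup is only as current as the last run of the saved search.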
For more information about configuring AD auditing, refer to "Audit Active Directory" in the Admin Manual.