Overview of the OCSF CIM add-on

The Open Cybersecurity Schema Framework (OCSF) CIM add-on provides a set of knowledge objects that make OCSF events compatible with the Splunk Common Information Model (CIM).

Splunk content such as dashboards and detections use the data models provided by the Common Information Model as a normalization layer. Many Splunk premium solutions such as Splunk Enterprise Security or Splunk IT Service Intelligence (ITSI) and security content repositories such as research.splunk.com and Splunk Security Essentials (SSE) use these data models. Additionally, popular Splunkbase apps such as the Infosec App also use CIM data models.

OCSF (Open Cybersecurity Schema Framework) is a newer initiative for normalizing cybersecurity data. For security content built on CIM data models to work on OCSF-formatted events, those events must first be mapped to CIM, and that mapping is what this add-on provides. The OCSF CIM add-on supplies search-time knowledge objects that map OCSF event fields onto CIM fields and tags, making the events CIM-compliant without changing the indexed data.
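As an added illustration of what such search-time knowledge objects look like (this is example configuration, not the add-on's shipped files, which are not on this page), the stanzas below alias fields of an OCSF Network Activity event to CIM Network_Traffic fields and tag the events for the data model. The sourcetype name `ocsf:network_activity`, the chosen field pairs and the `disposition` value mapping are assumptions.

```ini
# props.conf -- hypothetical stanza (assumption, not the add-on's own configuration).
# Everything here is search-time: the raw OCSF JSON stays as indexed,
# CIM-named fields are derived when a search or data model reads the event.
[ocsf:network_activity]
KV_MODE = json

# OCSF endpoint objects -> CIM Network_Traffic field names
FIELDALIAS-ocsf_src       = src_endpoint.ip   AS src
FIELDALIAS-ocsf_dest      = dst_endpoint.ip   AS dest
FIELDALIAS-ocsf_src_port  = src_endpoint.port AS src_port
FIELDALIAS-ocsf_dest_port = dst_endpoint.port AS dest_port
FIELDALIAS-ocsf_user      = actor.user.name   AS user

# CIM expects a lowercase transport (tcp/udp) and a coarse action value;
# the disposition strings below are an assumed subset of the OCSF enum.
EVAL-transport = lower('connection_info.protocol_name')
EVAL-action    = case('disposition'=="Allowed", "allowed",
                      'disposition'=="Blocked", "blocked",
                      true(), "unknown")

# eventtypes.conf -- select the OCSF Network Activity class (class_uid 4001)
[ocsf_network_traffic]
search = sourcetype="ocsf:network_activity" class_uid=4001

# tags.conf -- the tags the Network_Traffic data model constraint looks for
[eventtype=ocsf_network_traffic]
network = enabled
communicate = enabled
```

After these objects are in place, a CIM-based search such as `| datamodel Network_Traffic All_Traffic search` returns the OCSF events alongside any other normalized network data.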