The data models used by Splunk Enterprise Security are those defined and provided by the Common Information Model add-on (Splunk_SA_CIM), together with the Enterprise Security-specific data models. The Common Information Model add-on contains 12 data models that cover various domains of security data, such as Web, Authentication, Network Traffic, Change, DLP, Email, Endpoint, Intrusion Detection, Malware, Performance, Ticket Management, and Vulnerabilities [1]. The Enterprise Security-specific data models are Anomalies, Audit, Business Context, Data Loss Prevention, Identity Management, Risk, Threat Intelligence, and Web Proxy [2]. Therefore, the data models used by ES are Web, Authentication, Network Traffic, and Anomalies, among others.

References:
[1] Overview of the Splunk Common Information Model - Splunk Documentation - Data models included with the Splunk Common Information Model Add-on.
[2] Data models in Splunk Enterprise Security - Splunk Documentation - Enterprise Security-specific data models.