The Vali Cyber ZeroLock Add-on for Splunk provides search-time parsing and normalization for ZeroLock Management Console telemetry. ZeroLock delivers runtime security monitoring at the ESXi and Linux hypervisor layer, generating activity and alert data that this add-on maps to the Splunk Common Information Model. The add-on processes events delivered via HTTP Event Collector under the sourcetype valicyber:zerolock and normalizes them into four CIM data models: Authentication, Malware, Intrusion Detection, and Change. This normalization enables integration with Splunk Enterprise Security and other CIM-aware applications. The add-on does not collect data directly; it processes hypervisor security telemetry already forwarded by the ZeroLock Management Console's built-in Splunk activity forwarder.