Say a security vendor offers DLP (Data Leak Prevention) and Application Control (Next Generation Firewall analysis of actual network applications instead of just port and protocol). Where in the Common Information Model would that information go?
Other security pieces have clear homes - Web Filtering fits inside of "Web", network traffic has a section, DNS and DHCP are known, and Intrusion Detection also is specified.
This question is not a straight forward one to answer - as it strongly depends on what you want to achieve with your analysis.
For the DLP - this could as well fit into the Intrusion Detection, Network Traffic, Authentication, .... models, depending on the actual information in your logs. Same goes for Application Control, which could be Application State, Network Traffic, ...
If you can't fit your logs into one exact model (which rarely is the case up to my experience), you should direct your data into multiple data models by assigning several eventtypes to your events, according to the information they contain. This will enable you to cover all aspects of your event data.