Introducing Schema Vault: Metron Security's Breakthrough in AI-Enhanced Security Data

AI-powered cybersecurity is only as strong as its training data. That’s why we built a custom cybersecurity data schema tool. That’s why we’d like to introduce our Schema Vault for AI-Enhanced Security Analytics.

We're excited to announce the launch of Schema Vault, Metron Security's innovative solution for storing curated, high-quality annotations on security event schemas designed specifically for training AI models.

Leveraging Metron Security's experience with hundreds of security and IT Ops platforms, Schema Vault contains dozens of industry-standard schemas, including OCSF, Google's UDM, and Splunk's CIM, with new additions being made weekly by our dedicated team of data annotators. This comprehensive repository captures detailed information about each field in each event type across major security platforms, creating a foundation for advanced AI capabilities.

Schema Vault powers several cutting-edge services, including a natural language query builder that can convert plain English questions like "How do I find Okta users with logins from multiple countries in the last 24 hours" into platform-specific queries for Splunk, Elastic, or KQL.

We're also developing a "SOC Analyst Copilot" that enables security teams to request schema details conversationally. Our team handles the entire implementation pipeline—from document chunking and prompt engineering to deployment and continuous automated testing—allowing clients to seamlessly integrate these AI capabilities into their security operations while maintaining focus on their core mission.

Under the Lens — Amazon

AWS delivers numerous cloud offerings, but managing a comprehensive security strategy that brings visibility and protection across these environments can often be a significant challenge for SecOps teams.

In this month's deep dive, we unpack how AWS's security product suite can alleviate these challenges. Let's explore the key security solutions AWS offers:

1. Amazon GuardDuty
A threat detection service continuously monitors your AWS accounts and workloads for malicious activity and unauthorized behavior.

• Intelligent Threat Detection service that continuously monitors AWS accounts, workloads, and data for malicious activity and unauthorized behavior.

• Machine Learning-Powered Analysis identifies potential threats by analyzing billions of events across multiple AWS data sources.

• Automated Response capabilities allow for immediate remediation of security findings through integration with AWS Lambda and AWS Step Functions.

• Comprehensive Coverage across EC2 instances, container workloads, S3 buckets, IAM credentials, Kubernetes audit logs, and database activities.

2. Amazon Security Lake
This automatically centralizes security data from AWS environments, SaaS applications, and on-premises sources into a purpose-built data lake.

• Centralized Security Data Lake automatically collects and normalizes security data from AWS environments, on-premises sources, and cloud providers.

• Open-Standard Format (OCSF) enables easier integration with analytics tools and security services from AWS and third-party providers.

• Automated Data Collection from services including AWS CloudTrail, VPC Flow Logs, Route 53, EKS audit logs, and more.

• Unified Security Repository eliminates siloed data stores and creates a single source of truth for security analysis.

3. AWS AppFabric
This service quickly connects and unifies your SaaS applications to streamline security, governance, and compliance across them.

• Application Integration Framework designed specifically for security and productivity applications.

• Streamlined Data Exchange enables the secure sharing of information between SaaS applications for comprehensive visibility.

• Normalized Data Format simplifies cross-application analysis and correlation of security events.

• Identity Federation creates unified user contexts across connected applications for improved security governance.

4. AWS CloudTrail
It provides the event history of your AWS account activity, including actions taken through the AWS Management Console, SDKs, command-line tools, and other AWS services.

• Governance and Compliance service providing comprehensive visibility into user and API activity across AWS accounts.

• Immutable Event History records all actions taken through the AWS Management Console, SDKs, command line tools, and other AWS services.

• Automated Compliance Validation through integration with AWS Config and other compliance tools.

• Lake Queries capability enabling SQL-based investigation of historical activity data to support incident response and forensics.

5. AWS CloudWatch
This monitoring and observability service provides data and actionable insights to monitor your AWS resources, applications, and services in real time.

• Monitoring and Observability service that collects metrics, logs, and events from AWS resources and applications.

• Real-time Alerting for security-relevant events with customizable thresholds and notifications.

• Cross-Service Correlation capabilities to identify security patterns across your AWS infrastructure.

• Security Insights through integration with other AWS security services to contextualize monitoring data.

6. AWS S3 Bucket
This is scalable object storage in the cloud, designed for high durability, availability, and performance.

• Secure Object Storage foundation with multiple layers of access controls and protection mechanisms.

• Access Point Policies provide fine-grained permissions for different application workloads accessing the same bucket.

• Versioning and Lifecycle Management protect against accidental or malicious deletion of critical data.

• Block Public Access settings prevent unintended exposure of sensitive data.

• S3 Macie Integration automatically discovers and protects sensitive data stored in buckets.

7. AWS Security Hub
This service provides a comprehensive view of your security state in AWS and helps you check your security against industry standards and best practices.

• Unified Security and Compliance Center aggregating, organizing, and prioritizing security findings from multiple AWS services and third-party products.

• Automated Security Checks based on industry standards and best practices, including CIS, PCI-DSS, and AWS best practices.

• Cross-Region and Cross-Account Aggregation for enterprise-wide security visibility.

• Integrated Response Workflows enable automated remediation of security issues through custom actions.

Optimizing AWS Security Services Usage

• Use Amazon GuardDuty for continuous threat detection: GuardDuty can monitor AWS accounts, workloads, and data for any malicious activity. It uses machine learning and threat intelligence to detect behaviors like credential compromise or data exfiltration. GuardDuty findings can also trigger automated remediation using AWS Lambda and Step Functions.

• Centralize data with Amazon Security Lake: Automatically collect, normalize, and store security data across AWS and third-party sources. You can also use OCSF to ensure compatibility with SIEMs and analytics tools.

• Integrate SaaS applications with AWS AppFabric: Use AppFabric to connect and standardize event data from security and productivity SaaS tools. Additionally, unified visibility is gained by mapping user identity across applications, improving incident response with correlated activity data.

• Enable AWS CloudTrail for governance and auditing: Track all API activity and user actions across AWS environments. Also, store logs in Amazon S3 for long-term auditing and query historical activity with Lake Queries.

• Monitor resources using Amazon CloudWatch: Collect metrics, logs, and events from AWS infrastructure and custom applications. Other than this, you can also set up real-time alerts for anomalies or security-relevant thresholds.

• Secure Amazon S3 buckets with layered controls: Use S3 Block Public Access settings to prevent accidental data exposure while also applying
  fine-grained permissions using bucket policies and access points.

• Aggregate findings with AWS Security Hub: Run automated security checks based on CIS, PCI-DSS, and AWS best practices. Send findings to EventBridge to initiate remediation workflows or notify response teams.

AWS Security Integration Best Practices

• Authentication & Authorization

  • Use IAM roles with least privilege access.

  • Enable multi-factor authentication (MFA) for administrative users.

  • Rotate IAM access keys regularly or use short-lived credentials (STS).

• Data Management

  • Use AWS Security Lake to standardize and centralize security data.

  • Normalize logs with OCSF for easier correlation.

  • Tag and classify resources consistently for visibility and compliance.

• Event Processing

  • Filter events at the source to reduce noise (e.g., only forward critical GuardDuty findings).

  • Use Amazon EventBridge to route alerts to the appropriate response functions.

  • Deduplicate events before creating incidents in downstream systems.

• API Optimization

  • Use AWS SDKs with retry logic and backoff mechanisms.

  • Paginate large datasets using next tokens.

  • Use asynchronous Lambda invocations to prevent bottlenecks in response workflows.

• Infrastructure

  • Distribute security services across multiple Availability Zones for resilience.

  • Use AWS PrivateLink for secure connectivity to services like Security Lake.

  • Enable detailed logging for services such as VPC, S3, CloudTrail, and Load Balancers.

• Automation

  • Leverage AWS Lambda and Step Functions for remediation workflows.

  • Use Systems Manager Automation documents (runbooks) for repeatable tasks.

  • Enable auto-tagging and auto-remediation for misconfigurations with AWS Config Rules.

Security Application and Version Updates

• The ServiceNow Vulnerability Response (VR) application has been updated in the Yokohama release with key enhancements focused on improving remediation workflows and vulnerability assessment, such as:

  • Manual creation of Host Remediation Tasks: Users with the sn_vul.vulnerability_analyst, sn_vul.vulnerability_admin, or sn_vul.remediation_owner roles can now manually create host remediation tasks directly within both the Vulnerability Manager Workspace and the IT Remediation Workspace.

  • Publisher-based Vulnerability Exposure Assessment: Starting with version 5.0 of Vulnerability Exposure Assessment, a new capability allows users to assess the impact of vulnerability based on the software publisher. This enables proactive threat management by prioritizing remediation for critical vendors.

  • Risk Score Details in Work Notes: From version 25.0.3 onwards, an inactive system property (sn_sec_cmn.risk_score_changes_add_worknotes) can be enabled to track changes to a vulnerable item's risk score, providing better visibility into risk fluctuations.

    
    

• Splunk has announced a future version update to the Splunk platform that includes several breaking changes. As notified in February 2025, Splunkbase app developers must ensure their apps are compatible with this new version to avoid disruptions for users on both Splunk Enterprise and Splunk Cloud Platform.

  Key compatibility considerations include:

  • Python Interpreter: Migration to Python 3.9 (versions 2.7 and 3.7 will be removed). Test compatibility using Splunk Enterprise version 9.3+ with python.version = force_python3 or the Splunk Enterprise Beta.

  • NodeJS Runtime: Upgrade to NodeJS version 20. Verify compatibility using the Splunk Enterprise Beta.

  • TLS Protocol: Usage of only TLS 1.2 is now mandatory. Older versions (SSL3, TLS 1.0, TLS 1.1) and wildcards are deprecated.

  • OpenSSL Library: Transition to OpenSSL version 3. Apps directly using OpenSSL features need testing with the Splunk Enterprise Beta and review of the OpenSSL migration guide.

  • Search API: Ensure compatibility with Search API v2 (v1 is deprecated). Test on Splunk platform version 9.2+ with v1APIBlockGETSearchLaunch=true in restmap.conf (default in Splunk Enterprise Beta).

Developers must test their apps against these changes, ideally using the Splunk Enterprise Beta. Compatibility with the new Splunk platform version will not be automatic; developers need to opt-in by confirming compatibility on the app release page on Splunkbase after successful testing.

• Fortinet has released version 6.1.0 of FortiDeceptor, introducing several new features and enhancements aimed at bolstering deception capabilities and threat detection.
  Key highlights of the FortiDeceptor 6.1.0 release include:

  • Enhanced Decoys: Significant improvements have been made to Windows and Linux decoys, including the addition of realistic documents and data to mimic real systems better and evade threat actor fingerprinting. A new Credentials Theft Protection Decoy with CITRIX gateway support allows for focused alerting on VPN login attempts with legitimate credentials, even when the decoy is exposed to the internet.

  • Expanded Deception Lures: The lure resource feature now allows users to specify services for the customization of uploaded lure resources, increasing the attack surface and deception coverage.

  • Improved Decoy Configuration: Users can now delete specific decoy IP addresses from a decoy VM with multiple network interfaces without deleting the entire VM, offering greater flexibility.

  • To get more details, refer to their official release notes.

Insights: From Our Integration Factory

• Google SecOps + OT Security: The integration between Google SecOps and OT (Operational Technology) security platforms can bridge the gap between IT security operations and industrial environments. By ingesting and analyzing telemetry from ICS/SCADA systems alongside traditional IT data, organizations can gain unified threat detection, faster incident response, and improved protection of critical infrastructure.
  

• Google SecOps + EDR: Google SecOps and Endpoint Detection and Response (EDR) tools together hold the potential to deliver comprehensive threat detection, investigation, and response across endpoints and enterprise infrastructure. By combining centralized log analytics with real-time endpoint telemetry, organizations can accelerate incident response, reduce dwell time, and enhance visibility into attacker behavior.
  

• Palo Alto’s Prisma Cloud + BAS: By Integrating Palo Alto Networks Prisma Cloud with Breach and Attack Simulation (BAS) platforms, one can enable continuous validation of cloud security controls against real-world threat scenarios. By aligning simulated attack paths with cloud workload and posture data, organizations can proactively identify coverage gaps, prioritize remediations, and improve incident readiness.
  

• AWS Network Firewall + CAASM: The integration between AWS Network Firewall and Cyber Asset Attack Surface Management (CAASM) solutions enhances network-layer defense with enriched asset visibility and context. By aligning traffic inspection with real-time asset intelligence, organizations can more effectively detect, prioritize, and respond to threats targeting cloud and hybrid environments.