DC0062: Snapshot Metadata
Contextual data about a snapshot, which may include information such as ID, type, and status
Analyst context for executives and security teams
Snapshot Metadata is an ATT&CK data component covering contextual information about a snapshot, such as its ID, type, and status. For leaders, its value is not that it is a threat by itself: reliable snapshot context is often what an investigation needs to establish what happened, to validate backup or recovery posture, and to distinguish routine administrative activity from activity that warrants review.
Executive priority
Prioritize this as an evidence-quality and resilience issue. If the organization depends on snapshots for recovery, continuity, or audit evidence, teams should be able to prove they retain accurate snapshot metadata and can connect it to incident timelines. Because ATT&CK provides no mapped tactics, platforms, or relationships for this object, it should not be treated as a standalone risk signal; it should be assessed as supporting telemetry for incident response, recovery validation, and control assurance.
Technical view
SOC, detection engineering, and IR teams should validate whether snapshot records include the core context identified by ATT&CK: snapshot ID, type, and status. Since no official detection guidance or related techniques are supplied, coverage should focus on whether this metadata is collected, searchable, time-correlated, and retained long enough to support investigations. Analysts should avoid assuming maliciousness from metadata alone; its value is strongest when joined with relevant administrative, identity, system, or control-plane activity available in the local environment.
Likely telemetry
- Snapshot inventory or asset records containing snapshot ID, type, and status
- Logs or records showing changes in snapshot status over time, where available
- Administrative or control-plane records that can be correlated to snapshot metadata, where collected
- Retention and audit evidence showing whether snapshot metadata is preserved for investigation and compliance needs
Detection direction
- Validate that snapshot metadata is actually collected and normalized before relying on it in detections or investigations.
- Tune use cases to correlate snapshot metadata with other local evidence rather than alerting on metadata presence alone.
- Check for blind spots where snapshots exist but metadata is not retained, is not searchable, or lacks consistent identifiers.
- Document false-positive expectations: snapshot status or type changes may be normal administrative activity without additional suspicious context.
Mitigation priorities
- Maintain an authoritative inventory of snapshots and their metadata fields, at minimum including ID, type, and status where supported.
- Define retention requirements for snapshot metadata based on incident response, recovery, and audit needs.
- Ensure snapshot metadata can be correlated with administrative and identity activity in investigative workflows.
- Periodically test whether teams can retrieve snapshot metadata during recovery or incident-response exercises.
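The checks described in the two lists above (confirm the ATT&CK-named fields are present, track status over time by snapshot ID, correlate observations with control-plane activity, and measure retention coverage), as an added Python example that is not part of the ATT&CK record or of Glexia's page. The inventory records and administrative events are constructed sample data, and the field names (snapshot_id, type, status, observed, actor, action, time) are an assumed normalized schema rather than any vendor's API or log format:

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample inventory records (not real data). The field names are
# an assumed normalized schema, not a vendor API.
SNAPSHOTS = [
    {"snapshot_id": "snap-0a1", "type": "volume", "status": "completed",
     "observed": "2026-03-01T10:05:00Z"},
    {"snapshot_id": "snap-0a1", "type": "volume", "status": "deleted",
     "observed": "2026-03-01T11:40:00Z"},
    {"snapshot_id": "snap-0b2", "type": "vm", "status": "pending",
     "observed": "2026-03-01T10:30:00Z"},
    {"snapshot_id": "", "type": "volume", "status": "completed",
     "observed": "2026-03-01T12:00:00Z"},          # blind spot: no identifier
    {"snapshot_id": "snap-0c3", "type": None, "status": "completed",
     "observed": "2026-02-01T09:00:00Z"},          # blind spot: no type
]

# Constructed control-plane / administrative events keyed by snapshot ID.
ADMIN_EVENTS = [
    {"snapshot_id": "snap-0a1", "actor": "backup-svc",
     "action": "CreateSnapshot", "time": "2026-03-01T10:04:30Z"},
    {"snapshot_id": "snap-0b2", "actor": "alice",
     "action": "CreateSnapshot", "time": "2026-03-01T10:29:50Z"},
]

# The core context fields named by the ATT&CK description.
REQUIRED_FIELDS = ("snapshot_id", "type", "status")


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used by the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_incomplete(records):
    """Records missing any required field: these cannot be joined or tracked."""
    return [r for r in records if any(not r.get(f) for f in REQUIRED_FIELDS)]


def status_history(records):
    """Time-ordered (time, status) observations per snapshot ID.

    Records without an ID are skipped: without a consistent identifier there is
    nothing to correlate on, which is exactly the blind spot to report.
    """
    history = defaultdict(list)
    for r in records:
        if r.get("snapshot_id"):
            history[r["snapshot_id"]].append((parse_ts(r["observed"]), r["status"]))
    return {sid: sorted(obs) for sid, obs in history.items()}


def correlate(records, events, window=timedelta(minutes=15)):
    """Join each status observation to admin events for the same snapshot ID
    that occurred within `window` before it. An empty match list means the
    observation needs review, not that it is malicious."""
    by_id = defaultdict(list)
    for e in events:
        by_id[e["snapshot_id"]].append((parse_ts(e["time"]), e))
    results = []
    for sid, observations in status_history(records).items():
        for ts, status in observations:
            matched = [e for et, e in by_id.get(sid, [])
                       if timedelta(0) <= ts - et <= window]
            results.append({"snapshot_id": sid, "status": status,
                            "time": ts, "events": matched})
    return results


def uncorrelated(records, events, window=timedelta(minutes=15)):
    """Status observations with no admin event in the window: queue for review."""
    return [r for r in correlate(records, events, window) if not r["events"]]


def retention_coverage(records, now_iso, required_days=90):
    """How many days back the retained metadata reaches, and whether that
    satisfies the retention requirement set for IR, recovery, and audit."""
    earliest = min(parse_ts(r["observed"]) for r in records)
    covered = parse_ts(now_iso) - earliest
    return covered.days, covered >= timedelta(days=required_days)


if __name__ == "__main__":
    print("incomplete records:", len(find_incomplete(SNAPSHOTS)))
    for r in uncorrelated(SNAPSHOTS, ADMIN_EVENTS):
        print("review:", r["snapshot_id"], r["status"], r["time"].isoformat())
    print("retention coverage:", retention_coverage(SNAPSHOTS, "2026-03-02T00:00:00Z"))
```

The correlation step deliberately reports the unmatched `deleted` observation as "review" rather than as an alert: per the detection direction above, a status change with no joined administrative or identity evidence is a gap in local telemetry as often as it is a suspicious action, and the retention check shows whether the inventory even reaches back far enough to answer that question.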
Analyst notes and limits
This object is a data component, not a technique. The supplied ATT&CK record contains a short description only: no platforms, tactics, detection text, or relationship context. Its practical value is as supporting evidence for environments that use snapshots, especially when assessing recovery readiness or reconstructing administrative activity.
Because no official detection guidance or related techniques were supplied, any environment-specific detection, risk ranking, or control recommendation requires local evidence about where snapshots are used, who can manage them, and what logs are retained.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate any related techniques, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | fd2101b8cb75… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DC0062
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.