MITRE ATT&CK® Data Component

DC0086: Instance Metadata

Contextual data about an instance and activity around it such as name, type, or status

Enterprise | DC0086 | Data Component | Object v2.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Instance Metadata is the basic context that tells defenders what an instance is and how its state is changing, such as its name, type, or status. For leaders, its value is not that it detects an attack by itself, but that it helps security teams interpret other alerts, scope incidents, and prove which cloud or compute assets were involved in activity.

Executive priority

Treat this as a foundational evidence source for asset accountability, incident scoping, and audit readiness. If instance context is incomplete or unavailable, SOC and IR teams may struggle to determine business ownership, operational criticality, or whether suspicious activity affected a production, test, or sensitive workload. Priority should be on confirming that instance metadata is consistently collected, retained, and usable alongside other security telemetry.

Technical view

ATT&CK provides this object as a data component, not a technique, and does not specify platforms, tactics, detection logic, or relationships. SOC and detection teams should validate whether instance name, type, status, and related contextual fields are available in the environments they monitor, and whether that metadata can be joined to alerts, logs, and incident timelines. The main technical value is enrichment and scoping rather than standalone detection.

Likely telemetry

  • Instance name and identifiers
  • Instance type or class
  • Instance status or lifecycle state
  • Timestamps for metadata changes where available
  • Asset inventory or configuration records that can be correlated with security events

Detection direction

  • Do not treat instance metadata alone as sufficient detection logic; use it to enrich and prioritize other alerts.
  • Validate that metadata is current, normalized, and joinable to security events by stable instance identifiers.
  • Check for blind spots where instances exist but are not represented in inventory or monitoring data.
  • Tune workflows so instance status changes are interpreted with local operational context to avoid false assumptions during maintenance, scaling, or decommissioning.
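
The enrichment and blind-spot checks described above, sketched as an added example (not Glexia or MITRE code). The field names (`instance_id`, `environment`, `owner`, `updated_at`), the 24-hour freshness threshold, and all sample records are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; every field name and value is an assumption.
NOW = datetime(2026, 1, 15, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    {"instance_id": "i-0001", "name": "web-prod-1", "type": "large", "status": "running",
     "environment": "production", "owner": "payments", "updated_at": "2026-01-15T11:30:00+00:00"},
    {"instance_id": "I-0002 ", "name": "build-test-7", "type": "small", "status": "stopped",
     "environment": "test", "owner": "platform", "updated_at": "2026-01-02T08:00:00+00:00"},
]
ALERTS = [
    {"alert_id": "A1", "instance_id": "i-0001", "rule": "unusual outbound volume"},
    {"alert_id": "A2", "instance_id": "i-0002", "rule": "unusual outbound volume"},
    {"alert_id": "A3", "instance_id": "i-0099", "rule": "new listening port"},
]

def normalize_id(raw):
    """Normalize the join key so case or whitespace drift does not break correlation."""
    return raw.strip().lower()

def enrich_alerts(alerts, inventory, now, max_age=timedelta(hours=24)):
    """Join alerts to instance metadata; mark stale records and inventory blind spots."""
    by_id = {normalize_id(r["instance_id"]): r for r in inventory}
    enriched = []
    for alert in alerts:
        key = normalize_id(alert["instance_id"])
        meta = by_id.get(key)
        row = dict(alert, instance_id=key)
        if meta is None:
            # Instance appears in security events but not in inventory.
            row.update(coverage="blind_spot", priority="review")
        else:
            age = now - datetime.fromisoformat(meta["updated_at"])
            row.update(
                coverage="stale" if age > max_age else "current",
                name=meta["name"], status=meta["status"],
                environment=meta["environment"], owner=meta["owner"],
                # Metadata only prioritizes an existing alert; it raises none itself.
                priority="high" if meta["environment"] == "production" else "normal",
            )
        enriched.append(row)
    return enriched

def blind_spots(enriched):
    """Instance IDs referenced by alerts that have no inventory record."""
    return sorted({r["instance_id"] for r in enriched if r["coverage"] == "blind_spot"})

if __name__ == "__main__":
    for row in enrich_alerts(ALERTS, INVENTORY, NOW):
        print(row)
```

A `stale` result on a stopped instance is a prompt to check local operational context (maintenance, scaling, decommissioning) before drawing conclusions from its status.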

Mitigation priorities

  • Establish reliable collection and retention of instance metadata across monitored environments.
  • Map instances to business ownership, environment, and criticality where local asset governance supports it.
  • Ensure SOC and IR tooling can correlate instance metadata with alerts and logs.
  • Review gaps periodically as part of asset inventory, cloud security, compliance evidence, and incident response readiness activities.

Analyst notes and limits

This object is best used as a coverage and enrichment checkpoint. It supports better incident decisions by helping analysts understand what an instance represents, but ATT&CK does not provide detection analytics or relationship context for this data component in the supplied fields.

The supplied ATT&CK fields do not specify platforms, tactics, related techniques, or official detection guidance. Any conclusion about specific cloud providers, exploitation patterns, or detection coverage requires local environment evidence outside this object.

Official MITRE ATT&CK definition

Instance Metadata

Contextual data about an instance and activity around it such as name, type, or status

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: fd7f37e1c47b07b6...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.0 | | Current bundle | fd7f37e1c47b…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DC0086

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.