DC0097: Volume Creation
The initial provisioning of block storage volumes in cloud or on-prem environments, typically used for data storage, backup, or workload scaling.
Analyst context for executives and security teams
Volume Creation is evidence that new block storage has been provisioned in a cloud or on-prem environment. For leaders, this matters because storage growth can be normal business activity, but it can also affect cost, data exposure, backup posture, and incident scoping. Without visibility into when volumes are created and by whom, teams may struggle to prove control over data storage, investigate suspicious infrastructure changes, or explain unexpected capacity and compliance risk.
Executive priority
Treat this data component as a control and evidence question: can the organization account for new storage volumes across relevant environments, tie them to approved users or workloads, and determine whether they contain regulated or business-critical data? Priority is highest where unmanaged storage could create audit gaps, increase cloud/on-prem cost, complicate backup and retention obligations, or slow incident response during infrastructure investigations.
Technical view
ATT&CK defines this component only as the initial provisioning of block storage volumes in cloud or on-prem environments. Because no tactic, platform, detection logic, or relationship context is supplied, SOC and IR teams should use it as a telemetry validation item rather than a standalone detection. Validate whether storage provisioning events are logged, normalized, time-synchronized, and attributable to an identity, service account, automation process, workload, project, account, or host context. Detection engineering should focus on distinguishing expected provisioning from unusual creation patterns based on local baselines and approved change processes.
Likely telemetry
- Cloud or infrastructure control-plane events for block volume creation
- On-prem storage management or virtualization platform audit logs for volume provisioning
- Identity and access logs showing the user, service account, role, or automation that initiated creation
- Change-management or infrastructure-as-code records associated with approved storage provisioning
- Asset inventory or CMDB updates showing newly created volumes, ownership, tags, and attached workloads
Detection direction
- Confirm that volume creation events are collected from all relevant storage management planes before writing behavioral analytics.
- Correlate creation events with identity, workload, project/account, tagging, and change-ticket context to reduce false positives from normal scaling, backup, or deployment activity.
- Baseline expected provisioning by environment, business unit, automation pipeline, and time window; investigate deviations such as unapproved creators, unusual volume counts, unexpected locations, or missing ownership metadata.
- Watch for blind spots where storage is created outside centralized automation, without required tags, or in environments not integrated with the SIEM or logging pipeline.
- Use this component as supporting evidence in investigations rather than as proof of malicious activity by itself, since the ATT&CK object supplies no associated technique relationships or detection guidance.
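As an added example (not part of the ATT&CK object or Glexia's analysis), the following Python applies the baseline checks listed above to a handful of constructed, normalized volume-creation events. The event field names, the approved creators and regions, the required tags and the burst threshold are all assumptions standing in for a local baseline, not a vendor schema.

```python
from datetime import datetime, timedelta

# Constructed local baseline (assumptions): who may create volumes, where, with which tags.
APPROVED_CREATORS = {"svc-terraform", "svc-backup"}
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}
REQUIRED_TAGS = {"owner", "cost-center"}
BURST_LIMIT = 3                      # more than this many per creator inside BURST_WINDOW is unusual
BURST_WINDOW = timedelta(minutes=10)

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def triage(events):
    """Return {volume_id: [reasons]} for creation events that deviate from the baseline.
    Events passing every check are omitted, so an empty dict means nothing to review."""
    findings = {}
    def flag(ev, reason):
        findings.setdefault(ev["volume"], []).append(reason)
    recent = {}  # actor -> creation timestamps still inside the sliding window
    for ev in sorted(events, key=_ts):
        if ev["actor"] not in APPROVED_CREATORS:
            flag(ev, "unapproved creator")
        if ev["region"] not in APPROVED_REGIONS:
            flag(ev, "unexpected location")
        missing = REQUIRED_TAGS - set(ev.get("tags", {}))
        if missing:
            flag(ev, "missing ownership metadata: " + ", ".join(sorted(missing)))
        # Sliding window per creator: drop timestamps older than BURST_WINDOW, then count.
        window = [t for t in recent.get(ev["actor"], []) if _ts(ev) - t < BURST_WINDOW]
        window.append(_ts(ev))
        recent[ev["actor"]] = window
        if len(window) > BURST_LIMIT:
            flag(ev, f"unusual volume count: {len(window)} in {BURST_WINDOW}")
    return findings

# Constructed sample events in an assumed normalized shape (ts, actor, region, volume, tags).
def _ev(ts, actor, region, volume, tags):
    return {"ts": ts, "actor": actor, "region": region, "volume": volume, "tags": tags}

OK_TAGS = {"owner": "team-data", "cost-center": "cc-101"}
EVENTS = [
    _ev("2025-01-10T09:00:00", "svc-terraform", "us-east-1", "vol-a1", OK_TAGS),
    _ev("2025-01-10T09:01:00", "svc-backup", "eu-west-1", "vol-b2", OK_TAGS),
    _ev("2025-01-10T09:02:00", "jdoe", "ap-south-1", "vol-c3", {}),        # interactive, untagged
    _ev("2025-01-10T09:03:00", "svc-terraform", "us-east-1", "vol-d4", OK_TAGS),
    _ev("2025-01-10T09:04:00", "svc-terraform", "us-east-1", "vol-e5", OK_TAGS),
    _ev("2025-01-10T09:05:00", "svc-terraform", "us-east-1", "vol-f6", OK_TAGS),  # 4th in 10 min
    _ev("2025-01-10T09:20:00", "svc-terraform", "us-east-1", "vol-g7", OK_TAGS),  # window expired
]

if __name__ == "__main__":
    for volume, reasons in triage(EVENTS).items():
        print(volume, "->", "; ".join(reasons))
```

Only vol-c3 (three deviations) and vol-f6 (burst) are reported; vol-g7 falls outside the window and is treated as routine provisioning.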
Mitigation priorities
- Require centralized logging and retention for storage provisioning events across cloud and on-prem environments.
- Enforce identity-based access control and least privilege for roles that can create block storage volumes.
- Use approval, tagging, ownership, and infrastructure-as-code controls so new volumes can be tied to legitimate business purpose.
- Monitor quotas, cost anomalies, and asset inventory drift to surface untracked or excessive volume creation.
- Include newly created volumes in backup, data classification, retention, and incident response scoping processes.
Analyst notes and limits
This is a data component, not an adversary technique. Its value is in confirming whether defenders have reliable evidence of storage provisioning activity. In Glexia service terms, it supports cloud security, infrastructure monitoring, compliance evidence, incident response scoping, and managed detection content validation when paired with local baselines and change context.
The supplied ATT&CK fields provide no official detection text, tactics, platforms, relationships, or procedure examples. Any assessment of suspiciousness, active abuse, specific platform coverage, or detection fidelity requires local telemetry, architecture, and change-management evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | c746c1dbc62e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DC0097
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.