DC0100: Volume Metadata

Volume Metadata is the cloud evidence that tells defenders what storage volumes exist and how they are characterized, including identifiers, type, state, and size. For leaders, its value is less about a single alert and more about whether the organization can prove what cloud storage exists, notice unexpected changes, and support incident scoping when a volume becomes relevant to an investigation.

Executive priority

Treat this as a cloud visibility and readiness issue. If volume metadata is incomplete or not retained, incident responders may struggle to determine which storage assets existed, whether their state changed, or how large the investigative scope is. Security leaders should ask whether cloud volume inventory and activity metadata are collected consistently enough to support SOC triage, incident response, audit evidence, and cloud risk reviews.

Technical view

This ATT&CK object is a data component, not a technique. It identifies contextual cloud volume data such as volume ID, type, state, and size. SOC, cloud security, and IR teams should validate that their telemetry pipeline captures these fields from relevant cloud control-plane or inventory sources, normalizes them, and retains them long enough for investigations. No ATT&CK detection text, tactics, platforms, or relationships were supplied, so detection logic must be derived from local cloud architecture, approved volume baselines, and change-management expectations.

Likely telemetry

Cloud volume inventory records
Cloud volume identifiers
Volume type metadata
Volume state metadata
Volume size metadata

Detection direction

Validate that volume metadata is actually collected, normalized, searchable, and retained rather than assuming cloud inventory coverage exists.
Baseline expected volume states, sizes, and types so unusual or unauthorized changes can be reviewed in local context.
Correlate volume metadata with change-management records and asset ownership where available to reduce false positives from legitimate provisioning or maintenance.
Check for blind spots in unmanaged accounts, projects, regions, or subscriptions where cloud volume inventory may not be ingested.
Because ATT&CK provides no official detection guidance for this data component, tune detections using local operational patterns and incident-response requirements.

Mitigation priorities

Establish authoritative cloud volume inventory collection before building higher-level detections that depend on it.
Ensure volume metadata retention supports incident response, compliance evidence, and historical scoping needs.
Assign ownership and governance for cloud volume assets so unexpected metadata changes can be triaged quickly.
Integrate volume metadata into cloud security, asset management, and SOC workflows to avoid isolated evidence during investigations.
Review coverage periodically, especially after cloud account, region, or environment expansion.

Analyst notes and limits

The supplied object describes a data component: contextual metadata about cloud volumes. Its main defensive value is enabling visibility, scoping, and correlation. Since no relationships, tactics, platforms, or detection text were supplied, this take focuses on validation of telemetry and operational use rather than specific adversary behavior.

No official detection text, ATT&CK tactics, platforms, or relationship context were supplied. This summary does not infer a specific cloud provider, threat actor, technique, active exploitation pattern, or guaranteed detection outcome. Local cloud architecture and logging sources are required to turn this data component into actionable coverage.

Official MITRE ATT&CK definition

Volume Metadata

Contextual data about a cloud volume and activity around it, such as id, type, state, and size

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.0
Created: Oct 20, 2021, 15:05 UTC (UTC+00:00)
Modified: Nov 12, 2025, 22:03 UTC (UTC+00:00)
Raw hash: 133d57b874e691c5...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	2.0	Nov 12, 2025, 22:03 UTC (UTC+00:00)	Current bundle	`133d57b874e6…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack DC0100
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams