
Volume Creation (dad75cc7-5bae-4175-adb4-ca1962d8650e)

The initial provisioning of block storage volumes in cloud or on-prem environments, typically used for data storage, backup, or workload scaling.

Data Collection Measures:

  • Cloud-Based Logging & Monitoring
    • AWS CloudTrail
      • CreateVolume – Logs the creation of new Amazon Elastic Block Store (EBS) volumes.
      • RunInstances – Can be correlated to detect automatic volume provisioning.
    • Azure Monitor & Log Analytics
      • Microsoft.Compute/disks/write – Captures creation of new managed/unmanaged disks.
      • Microsoft.Storage/storageAccounts/write – Detects creation of new Azure Blob Storage volumes.
    • Google Cloud Logging (GCP)
      • compute.disks.insert – Tracks new persistent disk creation.
      • compute.instances.attachDisk – Logs attachment of a volume to a running VM.
    • OpenStack Logs
      • volume.create – Captures new storage volume provisioning.
      • cinder.volume.create – Logs OpenStack Cinder block storage creation.
  • Host-Based & SIEM Detection
    • Linux/macOS System Logs
      • /var/log/syslog & /var/log/messages – Detects new mount points or attached storage.
      • dmesg | grep -i "attached scsi disk" – Identifies kernel messages for volume attachment (the exact string depends on the driver; NVMe-backed volumes log under "nvme" instead).
      • AuditD – Tracks mkfs (filesystem creation) for new volume provisioning.
    • Windows Event Logs
      • Event ID 1006 (Storage Management Events) – Captures disk volume creation.
      • Event ID 5145 (Object Access: File Share) – Detects access to newly created storage shares.
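The CloudTrail measures above (log CreateVolume, correlate with RunInstances) as a small detection routine. This is an added example, not code from the page or from MISP/MITRE; the records are constructed samples whose field names follow the CloudTrail record layout (eventName, userIdentity.arn, requestParameters, responseElements), and the account id, ARNs, IPs and volume ids are placeholders. A CreateVolume is tagged as correlated when the same principal called RunInstances within a configurable window; creations without such a call are surfaced as standalone for review.

```python
"""Detect EBS volume creation in CloudTrail records and correlate it with
RunInstances by the same principal (added example; constructed sample data)."""
import json
from datetime import datetime, timedelta

# Constructed CloudTrail-style records: hypothetical account, users, IPs and ids.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2024-05-01T10:01:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateVolume", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "198.51.100.10",
     "requestParameters": {"size": "100", "availabilityZone": "us-east-1a",
                           "volumeType": "gp3"},
     "responseElements": {"volumeId": "vol-0a1b2c3d4e5f67890"}},
    {"eventTime": "2024-05-01T13:45:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateVolume", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "203.0.113.25",
     "requestParameters": {"size": "500", "availabilityZone": "us-east-1b",
                           "volumeType": "gp3"},
     "responseElements": {"volumeId": "vol-0fedcba9876543210"}},
    {"eventTime": "2024-05-01T13:46:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeVolumes", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "203.0.113.25"},
]})


def _ts(value):
    """Parse the CloudTrail eventTime format (UTC, 'Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def volume_creation_findings(cloudtrail_json, window=timedelta(minutes=5)):
    """Return one finding per CreateVolume event.

    Each finding records who created the volume, from where, its size and
    zone, and whether the same principal ran RunInstances within `window`
    (instance provisioning usually explains a nearby volume creation).
    """
    records = json.loads(cloudtrail_json)["Records"]

    # Index RunInstances timestamps per principal for the correlation step.
    run_instances = {}
    for rec in records:
        if rec.get("eventSource") == "ec2.amazonaws.com" and rec.get("eventName") == "RunInstances":
            run_instances.setdefault(rec["userIdentity"]["arn"], []).append(_ts(rec["eventTime"]))

    findings = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "CreateVolume":
            continue
        principal = rec["userIdentity"]["arn"]
        when = _ts(rec["eventTime"])
        correlated = any(abs(when - t) <= window for t in run_instances.get(principal, []))
        params = rec.get("requestParameters") or {}
        # responseElements is null for failed requests, so guard the lookup.
        response = rec.get("responseElements") or {}
        findings.append({
            "time": rec["eventTime"],
            "principal": principal,
            "source_ip": rec.get("sourceIPAddress"),
            "volume_id": response.get("volumeId"),
            "size_gib": int(params.get("size", 0)),
            "availability_zone": params.get("availabilityZone"),
            "correlated_with_run_instances": correlated,
        })
    return findings


def standalone_creations(findings):
    """Volumes created without a nearby RunInstances by the same principal."""
    return [f for f in findings if not f["correlated_with_run_instances"]]


if __name__ == "__main__":
    results = volume_creation_findings(SAMPLE_CLOUDTRAIL)
    for f in results:
        tag = "instance-provisioning" if f["correlated_with_run_instances"] else "STANDALONE"
        print(f"{f['time']} {f['principal']} {f['volume_id']} {f['size_gib']}GiB {tag}")
```

Feed it the `Records` array of a CloudTrail log file (or a query result from CloudTrail Lake/Athena) and route the standalone findings to review; the window and the "same principal" key can be widened to the account or source IP if instance launches and volume creation are done by different roles in your environment.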
Related clusters:

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Volume Creation (dad75cc7-5bae-4175-adb4-ca1962d8650e) | mitre-data-component | Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) | Attack Pattern | 1