Volume Creation (dad75cc7-5bae-4175-adb4-ca1962d8650e)
The initial provisioning of block storage volumes in cloud or on-prem environments, typically used for data storage, backup, or workload scaling.
Data Collection Measures:
- Cloud-Based Logging & Monitoring
  - AWS CloudTrail
    - CreateVolume – Logs the creation of new Amazon Elastic Block Store (EBS) volumes.
    - RunInstances – Can be correlated to detect automatic volume provisioning.
  - Azure Monitor & Log Analytics
    - Microsoft.Compute/disks/write – Captures creation of new managed/unmanaged disks.
    - Microsoft.Storage/storageAccounts/write – Detects creation of new Azure Blob Storage volumes.
  - Google Cloud Logging (GCP)
    - compute.disks.insert – Tracks new persistent disk creation.
    - compute.instances.attachDisk – Logs attachment of a volume to a running VM.
  - OpenStack Logs
    - volume.create – Captures new storage volume provisioning.
    - cinder.volume.create – Logs OpenStack Cinder block storage creation.
- Host-Based & SIEM Detection
  - Linux/macOS System Logs
    - /var/log/syslog & /var/log/messages – Detects new mount points or attached storage.
    - dmesg | grep "new disk" – Identifies kernel messages for volume attachment.
    - AuditD – Tracks mkfs (filesystem creation) for new volume provisioning.
  - Windows Event Logs
    - Event ID 1006 (Storage Management Events) – Captures disk volume creation.
    - Event ID 5145 (Object Access: File Share) – Detects access to newly created storage shares.
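As an added example (not part of this entry or of MITRE's material), the CloudTrail correlation listed above, implemented as a triage routine over constructed records: every CreateVolume event becomes a finding, tagged as launch-related when the same principal called RunInstances shortly before it, and as standalone otherwise. The record shape, field names and the five-minute window are assumptions for the example.

```python
"""Triage constructed CloudTrail records for EBS volume creation.

Assumptions (not from the page): records follow the CloudTrail JSON shape
(eventName, eventTime, userIdentity.arn, requestParameters, responseElements);
the five-minute correlation window is an assumption chosen for this example.
"""
from datetime import datetime, timedelta

# Constructed sample records, not real log data.
SAMPLE_RECORDS = [
    {"eventName": "RunInstances", "eventTime": "2024-05-01T10:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/autoscale"},
     "requestParameters": {}, "responseElements": {}},
    {"eventName": "CreateVolume", "eventTime": "2024-05-01T10:00:20Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/autoscale"},
     "requestParameters": {"size": 20, "availabilityZone": "us-east-1a"},
     "responseElements": {"volumeId": "vol-0a"}},
    {"eventName": "CreateVolume", "eventTime": "2024-05-01T11:30:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"size": 500, "availabilityZone": "us-east-1a"},
     "responseElements": {"volumeId": "vol-0b"}},
    {"eventName": "DescribeVolumes", "eventTime": "2024-05-01T11:31:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
]


def _ts(record):
    """Parse the CloudTrail eventTime string into a datetime."""
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def triage_volume_creations(records, window=timedelta(minutes=5)):
    """Return one finding per CreateVolume event.

    A creation is tagged 'instance-launch' when the same principal issued
    RunInstances within `window` before it, else 'standalone' (provisioning
    outside a launch, which is the case a reviewer usually wants to look at).
    """
    launches = [(r["userIdentity"]["arn"], _ts(r))
                for r in records if r.get("eventName") == "RunInstances"]
    findings = []
    for r in records:
        if r.get("eventName") != "CreateVolume":
            continue
        arn, when = r["userIdentity"]["arn"], _ts(r)
        correlated = any(a == arn and timedelta(0) <= when - t <= window
                         for a, t in launches)
        findings.append({
            "volumeId": (r.get("responseElements") or {}).get("volumeId"),
            "principal": arn,
            "sizeGiB": (r.get("requestParameters") or {}).get("size"),
            "context": "instance-launch" if correlated else "standalone",
        })
    return findings


if __name__ == "__main__":
    for finding in triage_volume_creations(SAMPLE_RECORDS):
        print(finding)
```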
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Volume Creation (dad75cc7-5bae-4175-adb4-ca1962d8650e) | mitre-data-component | Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) | Attack Pattern | 1 |