1. Home
  2. Data Components
  3. Volume Creation

Volume Creation

The initial provisioning of block storage volumes in cloud or on-prem environments, typically used for data storage, backup, or workload scaling.

Data Collection Measures:

  • Cloud-Based Logging & Monitoring
    • AWS CloudTrail
      • CreateVolume – Logs the creation of new Amazon Elastic Block Store (EBS) volumes.
      • RunInstances – Can be correlated to detect automatic volume provisioning.
    • Azure Monitor & Log Analytics
      • Microsoft.Compute/disks/write – Captures creation of new managed/unmanaged disks.
      • Microsoft.Storage/storageAccounts/write – Detects creation of new Azure Blob Storage volumes.
    • Google Cloud Logging (GCP)
      • compute.disks.insert – Tracks new persistent disk creation.
      • compute.instances.attachDisk – Logs attachment of a volume to a running VM.
    • OpenStack Logs
      • volume.create – Captures new storage volume provisioning.
      • cinder.volume.create – Logs OpenStack Cinder block storage creation.
  • Host-Based & SIEM Detection
    • Linux/macOS System Logs
      • /var/log/syslog & /var/log/messages – Detects new mount points or attached storage.
      • dmesg | grep "new disk" – Identifies kernel messages for volume attachment.
      • AuditD: Tracks mkfs (filesystem creation) for new volume provisioning.
    • Windows Event Logs
      • Event ID 1006 (Storage Management Events) – Captures disk volume creation.
      • Event ID 5145 (Object Access: File Share) – Detects access to newly created storage shares.
ID: DC0097
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name Channel
AWS:CloudTrail CreateVolume
WinEventLog:Microsoft-Windows-VSS Volume Shadow Copy Creation

Detection Strategy

ID Name Technique Detected
DET0586 Detection of NTDS.dit Credential Dumping from Domain Controllers T1003.003
DET0308 Detection Strategy for Modify Cloud Compute Infrastructure T1578