The SOC analyst at a national cybersecurity agency detected unusual system behavior on critical infrastructure...

Capturing and comparing system snapshots before and after suspected compromise is a core method of host integrity monitoring. The goal is to detect unauthorized changes to critical system components such as registry keys, scheduled tasks, services, binaries, configuration files, and security settings. By comparing a known-good baseline snapshot to a suspected-compromised state, analysts can identify what changed, when it changed (with supporting timestamps), and which changes are anomalous relative to expected patching or administrative activity. While this activity can occur within a broader digital forensics investigation, the specific technique described—baseline comparison to detect unauthorized modification—is integrity monitoring. Signature-based detection focuses on matching known indicators (hashes, strings, known patterns) and does not rely on before/after snapshot comparison. Threat intelligence gathering is about collecting and analyzing information on external threats, not directly comparing host states. From a SOC standpoint, integrity monitoring supports rapid scoping and eradication because it highlights persistence and tampering mechanisms that must be removed and can reveal stealth modifications that evade signature scanners. It also supports compliance requirements by demonstrating configuration control and unauthorized-change detection capabilities.