: Capture baselines immediately after a clean installation or security hardening, aligned with industry standards like CIS Benchmarks or DISA STIGs .
: Distinguish between "Approved and Correct," "Approved but Incorrect," "Unexpected but Harmless," and "Unexpected and Harmful" to avoid analyst fatigue. The Top Ten of File-Integrity Monitoring
: Rely on cryptographic hashing (like SHA-256) rather than just size or timestamps, which can be easily manipulated. : Capture baselines immediately after a clean installation