CPC G06F 21/554 (2013.01) [G06F 11/3636 (2013.01)] | 20 Claims
1. A system, comprising:
a first processor; and
a memory coupled to the first processor, the memory storing instructions that configure the first processor to:
receive telemetry denoting that a program has been invoked on a node via a process;
determine that the invoked program is a shell based at least on a program path and name information associated with the process;
subsequent to determining that the invoked program is a shell, receive additional information including timing information associated with commands entered into the shell;
based at least in part on the received additional information, determine that the program is an interactive shell interactively operated by a user;
in response to determining that the program is an interactive shell, configure the node to tag one or more commands entered into the interactive shell for storage and query with a tag identifying the one or more commands as interactive shell commands associated with the program; and
manage a security policy for the node based on the tagged interactive shell commands.
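The following is an added example, not taken from the patent or from any implementation of it, sketching the shell-identification, timing and tagging steps of claim 1 over constructed telemetry. The event format, the shell name list, the thresholds and the `interactive_shell` tag value are all assumptions; the claim does not specify how timing information is evaluated.

```python
import os
import statistics

# Assumptions (not from the claim): shell basenames, minimum sample size,
# and the median-gap threshold separating typed from scripted input.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "fish"}
MIN_COMMANDS = 3
MIN_MEDIAN_GAP_S = 0.5

def is_shell(exe_path):
    """Classify by program path and name, as the claim's first check does."""
    return os.path.basename(exe_path) in SHELL_NAMES

def is_interactive(cmd_times):
    """Typed commands arrive seconds apart; scripted ones milliseconds apart."""
    if len(cmd_times) < MIN_COMMANDS:
        return False  # too few samples to judge
    gaps = [b - a for a, b in zip(cmd_times, cmd_times[1:])]
    return statistics.median(gaps) >= MIN_MEDIAN_GAP_S

def tag_interactive_commands(events):
    """Return command records tagged for storage and query."""
    shells = {}  # pid -> {"exe": path, "cmds": [(ts, cmd), ...]}
    for ev in events:
        if ev["type"] == "exec" and is_shell(ev["exe"]):
            shells[ev["pid"]] = {"exe": ev["exe"], "cmds": []}
        elif ev["type"] == "command" and ev["pid"] in shells:
            # Timing is collected only after the process is known to be a shell.
            shells[ev["pid"]]["cmds"].append((ev["ts"], ev["cmd"]))
    tagged = []
    for pid, s in shells.items():
        if is_interactive([ts for ts, _ in s["cmds"]]):
            tagged += [{"pid": pid, "shell": s["exe"], "ts": ts, "cmd": cmd,
                        "tag": "interactive_shell"} for ts, cmd in s["cmds"]]
    return tagged

# Constructed telemetry: pid 100 is typed, pid 200 is a script, pid 300 is not a shell.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 100, "exe": "/bin/bash"},
    {"type": "exec", "pid": 200, "exe": "/bin/sh"},
    {"type": "exec", "pid": 300, "exe": "/usr/bin/python3"},
    *[{"type": "command", "pid": 100, "ts": t, "cmd": c} for t, c in
      [(10.0, "whoami"), (14.2, "ls /tmp"), (21.7, "cat notes.txt"), (30.1, "exit")]],
    *[{"type": "command", "pid": 200, "ts": t, "cmd": c} for t, c in
      [(5.000, "mkdir -p out"), (5.004, "cp a out/"), (5.009, "cp b out/")]],
    {"type": "command", "pid": 300, "ts": 7.0, "cmd": "print(1)"},
]
```

Matching on the basename alone does not recognize a shell binary that has been copied or renamed, so a deployed check would need more than the name list used here.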