FAQ: Why would I search using TTY?

Linux tracks the controlling terminal, or TTY (short for teletypewriter), of every process. In an App Infrastructure Protection (AIP) event, the TTY field indicates whether or not a terminal was in use when the process ran.

Using tty as a search term in the AIP Cloud Security PlatformⓇ (CSP) quickly returns information about potentially risky user behavior. For example:

  • To find background processes that were not started from a terminal (daemons, systemd services, cron jobs and other automation), search for tty = null
  • To find commands issued by a user in an interactive session, whether on the local console or over a remote shell such as ssh or telnet, search for tty != null

    Note

    Ansible issues its commands over ssh with a pseudo-terminal allocated, so they return in a tty != null search even though no interactive user is behind them. The reverse also applies: a single command run over ssh without a terminal (ssh host command, with no -t option) has no TTY and appears in a tty = null search.
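The following is an added worked example, not AIP product code. Part 1 shows where the TTY field comes from on Linux: field 7 of /proc/<pid>/stat (tty_nr) is 0 when a process has no controlling terminal, and otherwise packs the device number of the terminal. Part 2 runs the two searches above, tty = null and tty != null, over constructed sample events, and adds the refinement the note suggests: excluding a known automation account. The event keys (user, tty, command, remote_addr) and the "ansible" service-account name are assumptions made for this example, not the AIP schema.

```python
"""Added example: how the TTY field separates interactive shell activity from
daemons and automation. Event field names and the 'ansible' account are
assumptions for this example, not the AIP schema."""
import os
from typing import Dict, List, Optional


# --- Part 1: where the TTY field comes from --------------------------------

def decode_tty_nr(tty_nr: int) -> Optional[str]:
    """Turn the kernel's packed dev_t into a ps-style name where we can.

    dev_t layout: minor = low 8 bits plus bits 20-31, major = bits 8-19.
    Major 136 is the pty slave range (pts/N); major 4 minors 0-63 are the
    virtual consoles (ttyN). Anything else is reported as major:minor.
    """
    if tty_nr == 0:
        return None  # no controlling terminal: this is "tty = null"
    major = (tty_nr >> 8) & 0xFFF
    minor = (tty_nr & 0xFF) | ((tty_nr >> 12) & 0xFFF00)
    if major == 136:
        return f"pts/{minor}"
    if major == 4 and minor < 64:
        return f"tty{minor}"
    return f"{major}:{minor}"


def parse_proc_stat(stat_line: str) -> Dict:
    """Parse one /proc/<pid>/stat line into pid, comm and controlling tty.

    comm is wrapped in parentheses and may itself contain spaces or
    parentheses, so split on the LAST ')' instead of plain whitespace.
    After comm the fields are: state, ppid, pgrp, session, tty_nr, ...
    """
    head, _, rest = stat_line.rpartition(")")
    pid_str, _, comm = head.partition("(")
    fields = rest.split()
    tty_nr = int(fields[4])
    return {"pid": int(pid_str), "comm": comm, "tty_nr": tty_nr,
            "tty": decode_tty_nr(tty_nr)}


def scan_proc() -> List[Dict]:
    """Classify every live process via /proc (returns [] when not on Linux)."""
    results = []
    if not os.path.isdir("/proc"):
        return results
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/stat") as fh:
                results.append(parse_proc_stat(fh.read()))
        except OSError:  # process exited between listdir() and open()
            continue
    return results


# --- Part 2: the two searches from the article -----------------------------

# Constructed sample events for this example; not real AIP output.
SAMPLE_EVENTS = [
    # Daemons and scheduled jobs: no controlling terminal.
    {"user": "root", "tty": None, "command": "/usr/sbin/cron -f", "remote_addr": None},
    {"user": "postgres", "tty": None, "command": "postgres: checkpointer", "remote_addr": None},
    # 'ssh host cmd' with no -t option: remote, but still no pty.
    {"user": "deploy", "tty": None, "command": "/usr/bin/git pull", "remote_addr": "10.0.0.9"},
    # Interactive shell over ssh.
    {"user": "alice", "tty": "pts/0", "command": "sudo cat /etc/shadow", "remote_addr": "10.0.0.5"},
    # Interactive shell on the local console: also tty != null.
    {"user": "bob", "tty": "tty1", "command": "vim /etc/sudoers", "remote_addr": None},
    # Ansible module run over ssh with a pty allocated: tty != null, but no human.
    {"user": "ansible", "tty": "pts/3", "remote_addr": "10.0.0.9",
     "command": "/usr/bin/python3 /home/ansible/.ansible/tmp/AnsiballZ_command.py"},
]


def has_tty(event: Dict) -> bool:
    """A missing field, empty string or ps's '?' all mean no controlling terminal."""
    return event.get("tty") not in (None, "", "?")


def tty_null(events: List[Dict]) -> List[Dict]:
    """tty = null: background processes (daemons, cron, non-pty ssh commands)."""
    return [e for e in events if not has_tty(e)]


def tty_not_null(events: List[Dict]) -> List[Dict]:
    """tty != null: commands typed into an interactive session, local or remote."""
    return [e for e in events if has_tty(e)]


def interactive_excluding_automation(events: List[Dict],
                                     automation_users=frozenset({"ansible"})) -> List[Dict]:
    """Drop known automation accounts (assumed to run as 'ansible') so the
    remaining tty != null hits are people at a keyboard."""
    return [e for e in tty_not_null(events) if e["user"] not in automation_users]


if __name__ == "__main__":
    for e in interactive_excluding_automation(SAMPLE_EVENTS):
        print(f"{e['user']:8} {e['tty']:6} {e['remote_addr'] or 'local':10} {e['command']}")
    live = scan_proc()
    if live:
        with_tty = sum(1 for p in live if p["tty"])
        print(f"{len(live)} live processes, {with_tty} with a controlling terminal")
```

Run on a Linux host, the script also counts live processes with and without a controlling terminal, which is a quick way to confirm that most of a server's process table falls on the tty = null side and that the tty != null side is small enough to review by hand.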
