Yes, both. Because the Cmd agent operates in user space, you can use our trigger system (a Splunk-like CQL expression) to intercept system calls. It lets you create custom policies that whitelist commands you’d like to allow, and blacklist commands you’d like to block pre-execution. However, it can do much more than that: Cmd also supports rules that are contingent on a wide range of factors such as the time of day, which user is attempting a command, an ssh connection's IP address, and many more.
You can also add clarity to “maybe” cases by prompting remote users for additional authorization before a particular command is executed. New triggers propagate to all agents in under 30 seconds.