cadence of commands as an indicator of hands on keyboard

The cadence and timestamps of command executions are a good indicator of hands-on-keyboard attacks and a good way to differentiate between automation and someone actually at the keyboard.

Commands executed with enough time between them to be typed, or for a person to review the output before running the next command, stand out against several commands executed in rapid succession by a script or automation process.
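A sketch of this check as detection logic, added here as an example and not part of the original note: it groups command events by session, measures the gaps between consecutive commands, and labels each session by its median gap. The log format, the session names, and the `HUMAN_GAP_SECONDS` and `MIN_COMMANDS` thresholds are constructed assumptions to tune against your own telemetry.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample command events: "timestamp session command"
SAMPLE_LOG = """\
2024-05-01T10:00:00.120 sess-A whoami
2024-05-01T10:00:00.310 sess-A hostname
2024-05-01T10:00:00.480 sess-A ipconfig /all
2024-05-01T10:00:00.700 sess-A net user
2024-05-01T10:00:00.910 sess-A tasklist
2024-05-01T10:03:10.000 sess-B whoami
2024-05-01T10:03:24.500 sess-B net user
2024-05-01T10:04:02.250 sess-B net localgroup administrators
2024-05-01T10:04:05.900 sess-B ipconfig /all
2024-05-01T10:05:41.000 sess-B tasklist
2024-05-01T10:09:00.000 sess-C whoami
"""

# Assumed thresholds; tune against your own baseline.
HUMAN_GAP_SECONDS = 2.0   # shortest gap a person plausibly types/reads in
MIN_COMMANDS = 4          # below this there is too little cadence to judge

def parse(log):
    """Return {session: [datetime, ...]} from the constructed log format."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, session, _command = line.split(maxsplit=2)
        sessions[session].append(datetime.fromisoformat(ts))
    return sessions

def classify(timestamps):
    """Label one session by the median gap between consecutive commands."""
    if len(timestamps) < MIN_COMMANDS:
        return "insufficient-data", None
    ordered = sorted(timestamps)  # telemetry can arrive out of order
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    # Median, so one long pause does not hide an otherwise scripted burst.
    med = median(gaps)
    label = "hands-on-keyboard" if med >= HUMAN_GAP_SECONDS else "automated"
    return label, med

def analyze(log=SAMPLE_LOG):
    return {s: classify(ts) for s, ts in parse(log).items()}

if __name__ == "__main__":
    for session, (label, med) in analyze().items():
        print(session, label, med)
```

Treat the label as one signal to corroborate with other context, since scripts that include delays or batches of pasted commands change the gap distribution.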

