
Summary
This detection rule identifies named-pipe activity on Windows hosts using Sysmon event logs. It matches Sysmon Event ID 17 (PipeCreated), written when a process creates a named-pipe server, and Event ID 18 (PipeConnected), written when a process connects to an existing pipe. Named pipes are a standard local inter-process communication mechanism, but they are also used by threat actors as command-and-control channels (for example, beacon traffic carried over SMB named pipes, ATT&CK T1572) and by process-injection tooling (T1055). The rule is relevant to activity attributed to threat actors such as Earth Estries and to malware families such as Conti and Rhysida. The rule logic filters Sysmon data to these two event IDs and reports the hosts and users involved together with the timing of the events. Two caveats apply: Sysmon only records pipe events when its configuration contains PipeEvent rules, so Event IDs 17 and 18 will be absent on hosts running a default configuration, and on a busy host every legitimate pipe will match as well, so analysts should baseline the pipe names and images seen in their environment before turning this rule into a paging alert.
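The following is an added example, not the rule's own query or any vendor code. It shows the filtering logic the summary describes, run over a handful of constructed Sysmon records: each record is parsed, only Event IDs 17 and 18 are kept, and the hits are rolled up per host and user with first-seen and last-seen timestamps, the pipe names and the images involved. The host names, user names, pipe names and image paths are all made up for the example; the EventData field names (UtcTime, PipeName, Image, User, EventType) are the ones Sysmon uses for pipe events. Older Sysmon builds do not populate User on pipe events, so the parser falls back to a placeholder rather than failing.

```python
"""Filter Sysmon named-pipe events (Event ID 17 PipeCreated, 18 PipeConnected)
and summarise them per host and user, as the detection rule described above does."""
import xml.etree.ElementTree as ET
from datetime import datetime

# Windows event XML lives in this namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PIPE_EVENT_IDS = {17: "PipeCreated", 18: "PipeConnected"}


def sysmon_record(event_id, computer, data):
    """Build a minimal Sysmon event in Windows event XML (constructed test data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
        f"<EventID>{event_id}</EventID><Computer>{computer}</Computer></System>"
        f"<EventData>{fields}</EventData></Event>"
    )


# Constructed sample log: two pipe events on one workstation, one unrelated
# ProcessCreate (Event ID 1) that must be ignored, and one pipe event on a server.
SAMPLE_EVENTS = [
    sysmon_record(17, "WS-01.corp.example", {
        "EventType": "CreatePipe", "UtcTime": "2024-02-09 10:15:30.100",
        "PipeName": "\\\\example-pipe-1", "Image": "C:\\Windows\\System32\\svchost.exe",
        "User": "CORP\\alice"}),
    sysmon_record(18, "WS-01.corp.example", {
        "EventType": "ConnectPipe", "UtcTime": "2024-02-09 10:15:31.250",
        "PipeName": "\\\\example-pipe-1", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe",
        "User": "CORP\\alice"}),
    sysmon_record(1, "WS-01.corp.example", {
        "UtcTime": "2024-02-09 10:15:32.000", "Image": "C:\\Windows\\System32\\cmd.exe",
        "User": "CORP\\alice"}),
    sysmon_record(18, "SRV-02.corp.example", {
        "EventType": "ConnectPipe", "UtcTime": "2024-02-09 10:20:00.000",
        "PipeName": "\\\\example-pipe-2", "Image": "C:\\Windows\\System32\\lsass.exe"}),
]


def parse_sysmon_event(xml_text):
    """Extract the fields the rule reports from one Sysmon event XML string."""
    root = ET.fromstring(xml_text.strip())
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    return {
        "event_id": int(system.find("e:EventID", NS).text),
        "host": system.find("e:Computer", NS).text,
        # Sysmon UtcTime is "YYYY-MM-DD HH:MM:SS.mmm"
        "utc_time": datetime.strptime(data["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
        "pipe_name": data.get("PipeName"),
        "image": data.get("Image"),
        # Sysmon builds before v13 do not emit User on pipe events.
        "user": data.get("User") or "<unknown>",
    }


def find_named_pipe_events(raw_events):
    """The rule's filter: keep only PipeCreated / PipeConnected events."""
    hits = []
    for raw in raw_events:
        ev = parse_sysmon_event(raw)
        if ev["event_id"] in PIPE_EVENT_IDS:
            ev["event_type"] = PIPE_EVENT_IDS[ev["event_id"]]
            hits.append(ev)
    return hits


def summarize(hits):
    """Roll hits up per (host, user): count, first/last seen, pipes and images involved."""
    summary = {}
    for ev in hits:
        entry = summary.setdefault((ev["host"], ev["user"]), {
            "count": 0, "first_seen": ev["utc_time"], "last_seen": ev["utc_time"],
            "pipes": set(), "images": set()})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ev["utc_time"])
        entry["last_seen"] = max(entry["last_seen"], ev["utc_time"])
        entry["pipes"].add(ev["pipe_name"])
        entry["images"].add(ev["image"])
    return summary


if __name__ == "__main__":
    for (host, user), entry in summarize(find_named_pipe_events(SAMPLE_EVENTS)).items():
        print(host, user, entry["count"], entry["first_seen"], entry["last_seen"],
              sorted(entry["pipes"]), sorted(entry["images"]))
```

In a SIEM the same filter is usually a single clause on the event ID with a grouping by host and user; the value of the per-host roll-up is the pipe-name and image sets, which are what an analyst compares against the environment's baseline to separate routine pipes from ones worth investigating.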
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Named Pipe
- Sensor Health
ATT&CK Techniques
- T1572
- T1055
Created: 2024-02-09