Suspicious Named Pipe Creation

Elastic Detection Rules

Summary
This rule detects the creation of suspicious named pipes by monitoring execution of the `mkfifo` command on Linux systems. Named pipes are a form of Inter-Process Communication (IPC) that attackers can use to maintain persistence or execute hidden commands. The rule uses a new_terms detection technique that identifies uncommon command-line arguments passed to `mkfifo`, specifically pipes created in commonly used temporary directories such as `/dev/shm`, `/tmp`, or `/var/tmp` that do not follow typical FIFO naming conventions. By checking the parent process and requiring that `mkfifo` is executed from a Unix shell, the rule reduces false positives and improves detection accuracy. In environments that rely on Elastic Defend for endpoint monitoring, this rule provides an early warning signal of possible malicious behavior.
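An added example, not the Elastic rule's own query, that approximates the logic described above over constructed ECS-style process events: it keeps only `mkfifo` executions launched from a Unix shell whose target path lies in one of the listed temp directories, and stands in for new_terms by alerting only the first time a given argument set is seen. The shell list and the seen-set approximation are assumptions made here.

```python
import re

# Assumed list of Unix shells accepted as the parent process.
SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}
# Temp directories named in the rule description.
TEMP_DIRS = re.compile(r"^(/dev/shm|/tmp|/var/tmp)(/|$)")

# Constructed sample events using ECS field names (process.name, process.args,
# process.parent.name); these are not real captured logs.
EVENTS = [
    {"process": {"name": "mkfifo", "args": ["mkfifo", "/tmp/f"], "parent": {"name": "bash"}}},
    {"process": {"name": "mkfifo", "args": ["mkfifo", "/dev/shm/.p"], "parent": {"name": "sh"}}},
    {"process": {"name": "mkfifo", "args": ["mkfifo", "/home/user/work/fifo"], "parent": {"name": "bash"}}},
    {"process": {"name": "mkfifo", "args": ["mkfifo", "/tmp/f"], "parent": {"name": "bash"}}},  # repeat
    {"process": {"name": "mkfifo", "args": ["mkfifo", "/tmp/build.fifo"], "parent": {"name": "make"}}},
]


def matches_filter(event):
    """True when the event is mkfifo, spawned by a shell, targeting a temp dir."""
    proc = event.get("process", {})
    if proc.get("name") != "mkfifo":
        return False
    if proc.get("parent", {}).get("name") not in SHELLS:
        return False
    # Skip argv[0]; any remaining argument inside a temp directory qualifies.
    return any(TEMP_DIRS.match(arg) for arg in proc.get("args", [])[1:])


def detect(events, known=None):
    """Return command lines that pass the filter and have not been seen before.

    `known` is an optional baseline of argument tuples already observed; this
    seen-set is a simplified stand-in for Elastic's new_terms history window.
    """
    seen = set(known or ())
    alerts = []
    for event in events:
        if not matches_filter(event):
            continue
        key = tuple(event["process"]["args"])
        if key in seen:
            continue  # already known: not a new term
        seen.add(key)
        alerts.append(" ".join(key))
    return alerts


if __name__ == "__main__":
    for line in detect(EVENTS):
        print("ALERT:", line)
```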
Categories
  • Linux
  • Endpoint
Data Sources
  • Named Pipe
  • Process
  • Application Log
ATT&CK Techniques
  • T1059
  • T1059.004
  • T1071
Created: 2025-04-30