
Potentially Suspicious Named Pipe Created Via Mkfifo

Sigma Rules

Summary
This detection rule identifies potentially malicious activity associated with the creation of named pipes using the `mkfifo` command on Linux. Named pipes are an inter-process communication (IPC) mechanism used by legitimate processes, but their creation in certain locations, such as `/tmp/`, may indicate abnormal or suspicious behavior. The detection is implemented by monitoring process creation events for instances where the `mkfifo` utility is executed with a command line containing `/tmp/`. This monitoring can help security teams detect potential exploitation attempts or other suspicious activity on the system. Because `/tmp/` is a common directory for temporary files, attackers can use it to blend in with normal activity. This rule therefore adds a layer of monitoring and alerting for cloud and on-premise Linux environments.
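As an added illustration (not the rule's own source, which this page does not reproduce), the following Python applies the selection logic the summary describes to constructed process-creation events and extracts the pipe paths for triage; the `Image` and `CommandLine` field names are assumed from Sigma's process_creation field set.

```python
import shlex

# Constructed process-creation events for the demo (not real telemetry).
# Field names follow the Sigma process_creation field set (Image, CommandLine);
# the published rule's exact selection is not on this page, so matches_rule()
# mirrors the logic as the summary describes it.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/mkfifo", "CommandLine": "mkfifo /tmp/f"},
    {"Image": "/usr/bin/mkfifo", "CommandLine": "mkfifo -m 600 /tmp/.cache/pipe"},
    {"Image": "/usr/bin/mkfifo", "CommandLine": "mkfifo /run/myapp/queue"},
    {"Image": "/usr/bin/cat", "CommandLine": "cat /tmp/f"},
]


def matches_rule(event: dict) -> bool:
    """Selection as the summary describes it: mkfifo image and '/tmp/' in the command line."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return image.endswith("/mkfifo") and "/tmp/" in cmdline


def fifo_paths(command_line: str) -> list[str]:
    """Return the paths mkfifo would create, skipping option values.

    Handles '-m MODE' / '--mode MODE' and the '--' terminator so that a mode
    such as 600 is not mistaken for a path (triage enrichment, not part of the rule).
    """
    argv = shlex.split(command_line)[1:]  # drop the program name
    paths, i = [], 0
    while i < len(argv):
        arg = argv[i]
        if arg == "--":                      # everything after '--' is a path
            paths.extend(argv[i + 1:])
            break
        if arg in ("-m", "--mode"):          # option that consumes the next token
            i += 2
            continue
        if arg.startswith("-"):              # -m600, --mode=600, -Z, -v: no separate value
            i += 1
            continue
        paths.append(arg)
        i += 1
    return paths


def triage(events: list[dict]) -> list[dict]:
    """Alert records for matching events, enriched with the /tmp/ pipe paths."""
    alerts = []
    for e in events:
        if matches_rule(e):
            tmp_paths = [p for p in fifo_paths(e["CommandLine"]) if p.startswith("/tmp/")]
            alerts.append({"image": e["Image"], "pipes": tmp_paths})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```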
Categories
  • Linux
  • On-Premise
Data Sources
  • Process
Created: 2023-06-16