Hi everyone,
I've just submitted a feature request on GitHub to add native named pipe event collection to Elastic Defend:
Problem
Elastic Defend currently cannot detect SMB bind beacons (Cobalt Strike, Havoc, Metasploit) because it does not collect named pipe creation/connection events natively.
SMB beacons operate exclusively through named pipes: the beacon host makes no outbound connection to the team server, and its peer-to-peer traffic rides on SMB (TCP 445) between hosts, where it blends in with normal Windows file-sharing traffic and is not picked up by egress-focused network detection.
Currently the only workaround is Sysmon EID 17 (Pipe Created) / EID 18 (Pipe Connected), which means maintaining a separate agent alongside Elastic Agent.
Request
Add pipe_created / pipe_connected events to Elastic Defend telemetry - equivalent to Sysmon EID 17 and 18.
This would enable detection of:
- Cobalt Strike SMB beacons (default pipe names \\.\pipe\msagent_## and \\.\pipe\postex_####)
- Lateral movement via named pipes (PsExec pattern)
- Privilege escalation via named pipe impersonation (T1134.001)
This diagram shows a real-world Adaptix C2 scenario where an SMB bind beacon (p0) communicates laterally to a Domain Controller exclusively via named pipes - completely invisible without Sysmon EID 17/18 or native Elastic Defend pipe event collection.
And allow existing prebuilt rules to work WITHOUT Sysmon:
- "Privilege Escalation via Rogue Named Pipe Impersonation"
Ask
If this is important to you - please upvote the GitHub issue and comment with your use case. More votes = higher priority!
Thanks
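As an added illustration of the three detections listed in the request above (this is example code written for this page, not the poster's code, not Elastic's prebuilt rule logic, and not Elastic Defend telemetry), here is the matching logic run over a handful of constructed Sysmon EID 17/18-style pipe events. The sample records, the field names, and the rogue-pipe heuristic (a created pipe whose name embeds a nested `\pipe\` component, the shape spooler-based impersonation tools use) are assumptions for the example.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape: EID 17 = Pipe Created,
# EID 18 = Pipe Connected. Sysmon reports PipeName without the \\.\pipe\ prefix.
# These are made-up records for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 17, "pipe": r"\msagent_4d",
     "image": r"C:\Windows\System32\rundll32.exe", "user": r"CORP\alice"},
    {"event_id": 18, "pipe": r"\postex_1a2b",
     "image": r"C:\Windows\System32\rundll32.exe", "user": r"CORP\alice"},
    {"event_id": 17, "pipe": r"\PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"event_id": 17, "pipe": r"\evil\pipe\spoolss",
     "image": r"C:\Users\alice\Downloads\ps.exe", "user": r"CORP\alice"},
    {"event_id": 17, "pipe": r"\Winsock2\CatalogChangeListener-3a4-0",
     "image": r"C:\Windows\System32\svchost.exe", "user": r"NT AUTHORITY\SYSTEM"},
]

# Cobalt Strike default pipe names: msagent_## (SMB beacon, 2 hex digits) and
# postex_#### (post-exploitation jobs, 4 hex digits). Operators can change these
# via Malleable C2, so no hit here does not mean no beacon.
COBALT_STRIKE_DEFAULTS = re.compile(
    r"^\\(msagent_[0-9a-f]{2}|postex_[0-9a-f]{4})$", re.IGNORECASE)

# PsExec: the service binary creates \PSEXESVC plus per-session
# PSEXESVC-<host>-<pid>-stdin/stdout/stderr pipes.
PSEXEC_PIPE = re.compile(r"^\\PSEXESVC(-.*-(stdin|stdout|stderr))?$", re.IGNORECASE)

# Rogue pipe impersonation heuristic (an assumption, not the prebuilt rule's exact
# query): a *created* pipe whose name embeds a nested \pipe\ component, which is how
# spooler-based tools coax a privileged service into connecting to an attacker-owned pipe.
NESTED_PIPE = re.compile(r"\\pipe\\", re.IGNORECASE)


def classify(event):
    """Return the list of rule names a single pipe event matches."""
    hits = []
    name = event["pipe"]
    if COBALT_STRIKE_DEFAULTS.match(name):
        hits.append("cobalt_strike_default_pipe")
    if PSEXEC_PIPE.match(name):
        hits.append("psexec_named_pipe")
    # Only pipe creation (EID 17) is interesting for the impersonation pattern;
    # the later connection (EID 18) comes from the victim service, not the attacker.
    if event["event_id"] == 17 and NESTED_PIPE.search(name):
        hits.append("rogue_named_pipe_impersonation")
    return hits


def detect(events):
    """Run every rule over a batch of events; returns [(index, rule, pipe_name), ...]."""
    findings = []
    for i, ev in enumerate(events):
        for rule in classify(ev):
            findings.append((i, rule, ev["pipe"]))
    return findings


if __name__ == "__main__":
    for idx, rule, pipe in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"EID {ev['event_id']} {rule}: pipe={pipe} image={ev['image']} user={ev['user']}")
```

Run as-is it reports four findings and ignores the benign svchost Winsock pipe. The same three patterns are what a native pipe_created / pipe_connected event stream would feed; the point of the example is that every one of them keys on the pipe name and creating image, which is exactly the data Elastic Defend does not currently emit.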
