Language: KQL | License: Elastic-2.0 | from elastic/detection-rules
Suspicious Named Pipe Creation
Quality: 92
FP risk: —
Forks: 0
Views: 0
Rule source: rules/linux/execution_suspicious_mkfifo_execution.toml
host.os.type:linux and event.category:process and event.type:start and event.action:(exec or ProcessRollup2 or start) and process.name:mkfifo and
process.parent.name:(bash or csh or dash or fish or ksh or sh or tcsh or zsh) and
process.args:((/dev/shm/* or /tmp/* or /var/tmp/*) and not (/*fifo* or /var/tmp/dracut* or /var/tmp/portage/* or /tmp/opencode_install*.trace))
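Added example (not code from elastic/detection-rules): a Python model of the rule's logic run over constructed events, to show what alerts and what the exclusions suppress. It assumes events as flat dicts keyed by the ECS field names in the query and models KQL's multi-valued `process.args` semantics as "some value matches the include list and no value matches the exclude list".

```python
import fnmatch

# Field values taken from the rule query above.
SHELLS = {"bash", "csh", "dash", "fish", "ksh", "sh", "tcsh", "zsh"}
ACTIONS = {"exec", "ProcessRollup2", "start"}
STAGING_DIRS = ("/dev/shm/*", "/tmp/*", "/var/tmp/*")
EXCLUSIONS = ("/*fifo*", "/var/tmp/dracut*", "/var/tmp/portage/*",
              "/tmp/opencode_install*.trace")


def _any_match(values, patterns):
    # KQL wildcards are whole-value, case-sensitive globs on keyword fields.
    return any(fnmatch.fnmatchcase(v, p) for v in values for p in patterns)


def matches_rule(event):
    """Return True if the event satisfies every clause of the rule."""
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.category") != "process" or event.get("event.type") != "start":
        return False
    if event.get("event.action") not in ACTIONS:
        return False
    if event.get("process.name") != "mkfifo":
        return False
    if event.get("process.parent.name") not in SHELLS:
        return False
    args = event.get("process.args", [])
    # Multi-valued field: alert only if a staging path is present and
    # none of the arguments hits an exclusion pattern.
    return _any_match(args, STAGING_DIRS) and not _any_match(args, EXCLUSIONS)


def evaluate(events):
    """Return the command line of every event the rule would alert on."""
    return [" ".join(e["process.args"]) for e in events if matches_rule(e)]


def _ev(parent, args):
    # Constructed sample event; field values are assumed, not real telemetry.
    return {"host.os.type": "linux", "event.category": "process",
            "event.type": "start", "event.action": "exec",
            "process.name": "mkfifo", "process.parent.name": parent,
            "process.args": args}


SAMPLE_EVENTS = [
    _ev("bash", ["mkfifo", "/tmp/f"]),              # alerts
    _ev("sh", ["mkfifo", "/tmp/myfifo"]),           # suppressed by /*fifo*
    _ev("bash", ["mkfifo", "/home/user/pipe"]),     # not a staging directory
    _ev("python3", ["mkfifo", "/dev/shm/p"]),       # parent is not a shell
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```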