GIM Category: pipe
The Pipe category represents events related to the creation, deletion, and use of named pipes, which are interprocess communication (IPC) mechanisms that appear as filesystem objects. Named pipes provide a one-way or duplex communication channel between processes, and are commonly used by operating systems and applications for exchanging data or signaling events. Monitoring named pipe activity is valuable for detecting abnormal IPC behavior, such as unauthorized process communications or persistence mechanisms used by malicious software.
add
Events that represent the creation of named pipes on a system. A named pipe is an interprocess communication (IPC) channel that appears as a filesystem object and allows data exchange between processes. Creation events indicate the establishment of such communication channels, whether for legitimate system operations or for ad-hoc or malicious data transfer. Monitoring these events helps identify new IPC endpoints that could be used for persistence or covert communication.
Required Fields
pipe_name
Recommended Fields
process_name
user_name
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 230000 | | pipe | pipe.add | pipe created | A named pipe was created on the system. This typically occurs when an application or process sets up an interprocess communication (IPC) channel through the filesystem. Creation events can indicate legitimate application behavior or the setup of a custom communication channel by malware or scripts. |
remove
Events that represent the removal or deletion of named pipes from the filesystem. When a named pipe is removed, the IPC channel it provided is no longer available for communication. These events typically occur during normal cleanup or service shutdown but can also signal an attempt to conceal unauthorized IPC activity by deleting the evidence of a communication channel.
Required Fields
pipe_name
Recommended Fields
process_name
user_name
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 230100 | | pipe | pipe.remove | pipe deleted | A named pipe was deleted or unlinked from the filesystem. This event indicates that an IPC channel was removed, ending the communication path between processes. |
state
Events that describe the operational state or state transitions of named pipes. These include successful or attempted connections between processes using pipes for communication. State events are important for understanding active IPC behavior — for example, when a process begins or ends communication through an existing pipe. Tracking state changes can help detect unexpected or unauthorized interprocess connections.
Required Fields
pipe_name
Recommended Fields
process_name
user_name
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 230500 | | pipe | pipe.state | pipe connected | A connection was established or attempted between processes via a named pipe. This event marks active or pending communication through an IPC channel. |
default
Events that relate to named pipe activity but do not fit into a more specific subcategory. These may include vendor-specific or informational messages related to named pipe usage. This subcategory ensures that all pipe-related events can be normalized and retained even if their exact purpose or type is unknown.
Required Fields
pipe_name
Recommended Fields
process_name
user_name
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 239999 | | pipe | pipe.default | pipe event | A generic named pipe event that does not fit a more specific subcategory or event type. This serves as a fallback classification for vendor-specific or informational pipe activity. |
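
The following sketch shows how a collector could normalize raw pipe events into the four event types above, enforcing the required `pipe_name` field and falling back to `pipe.default` for anything unrecognized. It is an added example, not part of the GIM documentation: the source-to-type mapping (Sysmon event IDs 17 and 18, plus a hypothetical `fifo_unlink` id), the raw field names and the sample events are assumptions.

```python
import ntpath

# Codes, subcategories and event types copied from the tables on this page.
GIM_PIPE_TYPES = {
    "pipe created": (230000, "pipe.add"),
    "pipe deleted": (230100, "pipe.remove"),
    "pipe connected": (230500, "pipe.state"),
    "pipe event": (239999, "pipe.default"),
}
# Assumed mapping: 17/18 are Sysmon's "Pipe Created"/"Pipe Connected" event IDs;
# "fifo_unlink" is a hypothetical id for a source that reports FIFO deletion.
SOURCE_TO_TYPE = {17: "pipe created", 18: "pipe connected", "fifo_unlink": "pipe deleted"}
REQUIRED = ("pipe_name",)
RECOMMENDED = ("process_name", "user_name")

def normalize(raw):
    """Return (gim_event, absent_recommended_fields) for one raw pipe event."""
    # Unknown source ids are kept, not dropped: they land in pipe.default.
    event_type = SOURCE_TO_TYPE.get(raw.get("event_id"), "pipe event")
    code, subcategory = GIM_PIPE_TYPES[event_type]
    image = raw.get("Image")
    event = {
        "gim_event_type_code": code,
        "gim_event_category": "pipe",
        "gim_event_subcategory": subcategory,
        "gim_event_type": event_type,
        "pipe_name": raw.get("PipeName"),
        # ntpath.basename splits on both "\\" and "/" separators.
        "process_name": ntpath.basename(image) if image else None,
        "user_name": raw.get("User"),
    }
    event = {k: v for k, v in event.items() if v}  # drop empty fields
    missing = [f for f in REQUIRED if f not in event]
    if missing:
        raise ValueError(f"missing required field(s): {missing}")
    return event, [f for f in RECOMMENDED if f not in event]

# Constructed sample events (not real telemetry).
SAMPLES = [
    {"event_id": 17, "PipeName": "\\app_ipc",
     "Image": "C:\\Program Files\\App\\app.exe", "User": "CORP\\svc_app"},
    {"event_id": 18, "PipeName": "\\app_ipc", "Image": "C:\\Tools\\client.exe"},
    {"event_id": "fifo_unlink", "PipeName": "/run/app.fifo",
     "Image": "/usr/bin/app", "User": "svc"},
    {"event_id": 99, "PipeName": "\\vendor_pipe"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(normalize(sample))
```

An event without `pipe_name` raises `ValueError` so it can be routed to a parse-failure queue, while missing recommended fields are only reported back to the caller.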
