diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
index 3075d846d..896120677 100644
--- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
+++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: pipe_created
-    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
+    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
 detection:
     selection_MSSE:
         PipeName|contains|all:
diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
index 8a6529609..150b8dda7 100644
--- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
+++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
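Review bot: The new `definition` string points operators to an external Sysmon configuration (https://github.com/Neo23x0/sysmon-config) without naming a release or commit, so the set of pipe names that config actually logs can drift from the `PipeName` patterns in this rule, and the reader is not told to review the config before rolling it out to endpoints; the same wording is added to sysmon_mal_cobaltstrike_re.yml and sysmon_susp_cobaltstrike_pipe_patterns.yml in the following two hunks. The replacement also drops the terminating period the old sentence had. I would end the string with `... or use an extended configuration that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config); review it and pin the version you deploy, since it must include the pipe names this rule matches.'` in all three files, keeping the text identical across them so later edits stay in sync.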
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: pipe_created
-    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
+    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
 detection:
     selection:
         - PipeName|re: '\\mojo\.5688\.8052\.183894939787088877[0-9a-f]{2}'
diff --git a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
index 9ee3bbae4..52c6de087 100644
--- a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
+++ b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: pipe_created
-    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
+    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
 detection:
     selection_malleable_profiles:
         - PipeName|startswith: