Suspicious Print Spooler SPL File Created

Elastic Detection Rules

Summary
This rule detects suspicious activity involving the Print Spooler service on Windows systems. Specifically, it looks for the creation of SPL files (spooled printer files) in Print Spooler-related locations, which can indicate attempts to exploit known vulnerabilities such as CVE-2020-1048 and CVE-2020-1337. The rule uses EQL (Event Query Language) to identify files with the '.spl' extension that are not created by commonly trusted processes. By flagging unusual processes that write to the printer spool directory, it surfaces an attacker's attempt to escalate privileges through the Print Spooler service. The rule also provides an investigation guide for analysts, covering examination of related processes, network activity, and service configurations to determine whether the actions are legitimate, and it encourages analysts to validate findings against external sources and follow thorough investigation procedures to understand and respond to potential threats.
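As an added illustration (not Elastic's rule code), the following Python reproduces the detection logic described above over constructed file events: a creation event for a '.spl' file under the standard Windows spool directory, by a process outside an assumed allowlist, is flagged. The allowlist, the sample events and the spool path are assumptions for this example, not values taken from the rule.

```python
"""Offline re-implementation of the SPL-file detection logic (illustrative)."""
from pathlib import PureWindowsPath

# Standard Windows spool directory (the rule summary only says "printer spool directory").
SPOOL_DIR_PARTS = ("windows", "system32", "spool", "printers")

# Assumed allowlist of processes that legitimately write spool files.
# Illustration only; not the rule's own exclusion list.
TRUSTED_PROCESSES = frozenset({
    "spoolsv.exe", "printfilterpipelinesvc.exe", "printisolationhost.exe", "splwow64.exe",
})

# Constructed sample events in ECS-style field names; not real telemetry.
SAMPLE_EVENTS = [
    {"event.category": "file", "event.type": "creation", "process.name": "spoolsv.exe",
     "file.path": r"C:\Windows\System32\spool\PRINTERS\00005.SPL"},
    {"event.category": "file", "event.type": "creation", "process.name": "powershell.exe",
     "file.path": r"C:\Windows\System32\spool\PRINTERS\job.spl"},
    {"event.category": "file", "event.type": "creation", "process.name": "notepad.exe",
     "file.path": r"C:\Users\bob\Documents\report.spl"},
    {"event.category": "file", "event.type": "deletion", "process.name": "cmd.exe",
     "file.path": r"C:\Windows\System32\spool\PRINTERS\old.spl"},
]


def in_spool_dir(path: str) -> bool:
    """True if path sits directly under <drive>:\\Windows\\System32\\spool\\PRINTERS.
    Matching is case-insensitive and accepts either slash style."""
    p = PureWindowsPath(path)
    if not p.drive:
        return False
    parent_parts = tuple(part.lower() for part in p.parent.parts[1:])  # drop the drive anchor
    return parent_parts == SPOOL_DIR_PARTS


def is_suspicious_spl_creation(event: dict) -> bool:
    """Mirror the rule's conditions: a file-creation event, '.spl' extension,
    spool directory, and a creating process outside the trusted allowlist."""
    if event.get("event.category") != "file" or event.get("event.type") != "creation":
        return False
    path = event.get("file.path", "")
    if PureWindowsPath(path).suffix.lower() != ".spl" or not in_spool_dir(path):
        return False
    return event.get("process.name", "").lower() not in TRUSTED_PROCESSES


def detect(events):
    """Return the events that would fire the rule."""
    return [e for e in events if is_suspicious_spl_creation(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit['process.name']} created {hit['file.path']}")
```

Only the second sample event (an unexpected process writing into the spool directory) is returned; the trusted spooler, the file outside the spool directory and the deletion event are all ignored.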
Categories
  • Endpoint
  • Windows
Data Sources
  • File
  • Process
  • Service
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1068
Created: 2020-08-14