Potential snap-confine Privilege Escalation via CVE-2026-3888

Elastic Detection Rules

Summary
This detection rule flags non-root creation of files under the Linux temp directories used by snap confinement. Specifically, it watches for file creation events in /tmp/.snap and /tmp/snap-private-tmp/*/tmp/.snap where the initiating user is not root. In vulnerable Ubuntu environments, the snap-confine/snapd sandbox can be manipulated if an unprivileged user can recreate stale /tmp/.snap content after cleanup, so that attacker-controlled libraries or configuration are picked up during the next sandbox initialization, potentially escalating to root.

The rule matches Linux file events (host.os.type == linux, event.action == creation) whose file.path falls under one of the two paths above and whose user.id != "0", in order to catch the early stages of CVE-2026-3888 exploitation. It is a high-severity alert intended to prompt containment, investigation, and remediation before privilege escalation completes. The rule is integrated with Elastic Defend and consumes Linux file events from the endpoint data stream; an alert should trigger triage, containment actions, and validation that snapd/vendor patches and mitigations are in place.
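The matching logic the summary describes, written out as a small Python evaluator over constructed endpoint events. This is an added example, not Elastic's rule query or code: it assumes events are flat dictionaries keyed by the ECS field names the summary names (host.os.type, event.action, file.path, user.id), treats the wildcard in /tmp/snap-private-tmp/*/tmp/.snap as exactly one path segment, and treats a path as "under" a watched directory when it is the directory itself or any entry beneath it. The sample events are constructed for the example.

```python
# Paths named in the rule summary. "*" stands for a single directory
# segment (the per-snap private tmp directory).
WATCHED_PATHS = (
    "/tmp/.snap",
    "/tmp/snap-private-tmp/*/tmp/.snap",
)


def path_is_watched(path: str) -> bool:
    """True if `path` is one of the watched directories or lies beneath one.

    Matching is done segment by segment so that "*" cannot swallow several
    directory levels (as a plain glob would) and "/tmp/.snapx" does not
    match "/tmp/.snap".
    """
    parts = path.split("/")
    for pattern in WATCHED_PATHS:
        pparts = pattern.split("/")
        if len(parts) < len(pparts):
            continue
        head = parts[: len(pparts)]
        ok = all(
            (pp == "*" and p != "") or pp == p
            for pp, p in zip(pparts, head)
        )
        if ok:
            # Any remaining segments are a file or subdirectory created
            # beneath the watched directory, which is still in scope.
            return True
    return False


def matches_rule(event: dict) -> bool:
    """Apply the conditions the summary lists, mirroring Elastic semantics:
    a comparison against a missing field does not match, so an event with
    no user.id is not treated as "non-root"."""
    uid = event.get("user.id")
    return (
        event.get("host.os.type") == "linux"
        and event.get("event.action") == "creation"
        and uid is not None
        and uid != "0"
        and path_is_watched(event.get("file.path", ""))
    )


def alerts(events) -> list:
    """Return the file.path of every event that would raise the alert."""
    return [e["file.path"] for e in events if matches_rule(e)]


# Constructed sample events (assumed field layout, not real telemetry).
SAMPLE_EVENTS = [
    # Non-root user recreates /tmp/.snap after cleanup: alert.
    {"host.os.type": "linux", "event.action": "creation",
     "file.path": "/tmp/.snap", "user.id": "1000"},
    # Non-root file dropped under a snap's private tmp: alert.
    {"host.os.type": "linux", "event.action": "creation",
     "file.path": "/tmp/snap-private-tmp/snap.example/tmp/.snap/libhook.so",
     "user.id": "1000"},
    # Root creating the same path is normal snapd behaviour: no alert.
    {"host.os.type": "linux", "event.action": "creation",
     "file.path": "/tmp/.snap/lib", "user.id": "0"},
    # Wildcard must not span two directory levels: no alert.
    {"host.os.type": "linux", "event.action": "creation",
     "file.path": "/tmp/snap-private-tmp/a/b/tmp/.snap/x", "user.id": "1000"},
    # Similar-looking but different directory: no alert.
    {"host.os.type": "linux", "event.action": "creation",
     "file.path": "/tmp/.snapshots/x", "user.id": "1000"},
    # Deletion, not creation: no alert.
    {"host.os.type": "linux", "event.action": "deletion",
     "file.path": "/tmp/.snap", "user.id": "1000"},
    # Missing user.id: the comparison cannot match, so no alert.
    {"host.os.type": "linux", "event.action": "creation",
     "file.path": "/tmp/.snap"},
]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT: non-root creation in snap confinement tmp:", path)
```

The sample set is chosen to exercise the edges a detection engineer would test before deploying: the root-owned path that legitimate snapd activity produces, a near-miss directory name, a wildcard that must not span two levels, and an event with the user field absent.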
Categories
  • Endpoint
  • Linux
Data Sources
  • File
ATT&CK Techniques
  • T1068
Created: 2026-03-18