
Summary
This detection rule identifies attempted exploitation of the CUPS printing system through CVE-2024-47176, CVE-2024-47076, CVE-2024-47175 and CVE-2024-47177. Chained together, these flaws let a remote, unauthenticated attacker send a malicious UDP packet or crafted IPP request to cups-browsed, have attacker-controlled IPP attributes written into a PPD file, and then execute arbitrary commands through foomatic-rip the next time a print job is initiated. The rule is written in EQL and monitors process execution originating from foomatic-rip, correlating the child processes it spawns with the file creation events those children produce. The rule documentation lays out investigation steps, references for deeper analysis of the attack chain, recommended response actions, related rules that can corroborate a finding, and guidance to isolate affected systems until they are patched.
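The page does not reproduce the rule's EQL query, so the following is an added example, not the rule's own code: a minimal Python correlator that mirrors the two-stage logic described above (a process start whose parent is foomatic-rip, followed by a file creation from the same process, joined on an entity id within a bounded window). The ECS-style field names, the 30-second window and the sample events are all assumptions constructed for illustration.

```python
"""Two-stage sequence correlation for foomatic-rip child file writes.

Added example modelled on the detection described on this page. It is not the
rule's actual EQL. Field names follow ECS conventions and the events below are
constructed, not captured telemetry.
"""
from datetime import datetime, timedelta

# Assumed window between the child starting and it creating a file.
MAXSPAN_SECONDS = 30

# Parent processes whose children are in scope (the page names foomatic-rip).
PARENT_NAMES = {"foomatic-rip"}

# Constructed sample events (ECS-style field names; not real telemetry).
SAMPLE_EVENTS = [
    # foomatic-rip launches gs, which creates a file 60s later: outside the
    # default window, so the pending first stage expires without a match.
    {"@timestamp": "2024-09-27T10:00:00Z", "event.category": "process", "event.type": "start",
     "process.entity_id": "p-100", "process.name": "gs", "process.parent.name": "foomatic-rip"},
    {"@timestamp": "2024-09-27T10:01:00Z", "event.category": "file", "event.type": "creation",
     "process.entity_id": "p-100", "file.path": "/var/spool/cups/tmp/render.pdf"},
    # Exploit-like: a shell spawned by foomatic-rip writes a file two seconds later.
    {"@timestamp": "2024-09-27T10:05:00Z", "event.category": "process", "event.type": "start",
     "process.entity_id": "p-200", "process.name": "sh", "process.parent.name": "foomatic-rip",
     "process.command_line": "sh -c 'id > /tmp/cups-rce-marker'"},
    {"@timestamp": "2024-09-27T10:05:02Z", "event.category": "file", "event.type": "creation",
     "process.entity_id": "p-200", "file.path": "/tmp/cups-rce-marker"},
    # Unrelated: a shell not parented by foomatic-rip creates a file.
    {"@timestamp": "2024-09-27T10:05:03Z", "event.category": "process", "event.type": "start",
     "process.entity_id": "p-300", "process.name": "sh", "process.parent.name": "bash"},
    {"@timestamp": "2024-09-27T10:05:04Z", "event.category": "file", "event.type": "creation",
     "process.entity_id": "p-300", "file.path": "/tmp/notes.txt"},
    # Orphan file event whose process start was never observed.
    {"@timestamp": "2024-09-27T10:05:05Z", "event.category": "file", "event.type": "creation",
     "process.entity_id": "p-400", "file.path": "/tmp/other"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_suspicious_start(event, parent_names=PARENT_NAMES):
    """Stage 1: a process start whose parent is one of the watched names."""
    return (
        event.get("event.category") == "process"
        and event.get("event.type") == "start"
        and event.get("process.parent.name") in parent_names
    )


def is_file_creation(event):
    """Stage 2: a file creation event."""
    return event.get("event.category") == "file" and event.get("event.type") == "creation"


def correlate(events, maxspan_seconds=MAXSPAN_SECONDS, parent_names=PARENT_NAMES):
    """Return (start_event, file_event) pairs joined on process.entity_id.

    Mirrors an EQL `sequence by process.entity_id with maxspan` over two stages.
    A file event pairs only with an earlier start event from the same entity
    within maxspan_seconds, and each start event is consumed by one match.
    """
    maxspan = timedelta(seconds=maxspan_seconds)
    pending = {}  # entity_id -> stage-1 event awaiting its file creation
    matches = []
    for event in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        entity = event.get("process.entity_id")
        if is_suspicious_start(event, parent_names):
            pending[entity] = event
        elif is_file_creation(event) and entity in pending:
            start = pending.pop(entity)
            elapsed = parse_ts(event["@timestamp"]) - parse_ts(start["@timestamp"])
            if elapsed <= maxspan:
                matches.append((start, event))
            # else: the window elapsed, so stage 1 expires without a match
    return matches


def alerts(events, **kwargs):
    """Render matches as compact alert records for triage."""
    return [
        {
            "process.name": start.get("process.name"),
            "process.command_line": start.get("process.command_line"),
            "file.path": created.get("file.path"),
        }
        for start, created in correlate(events, **kwargs)
    ]


if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS):
        print(alert)
```

With the default window only the shell spawned by foomatic-rip is reported; widening `maxspan_seconds` to 300 also pairs the gs event, which shows why the window is a tuning knob: too wide and routine filter output looks like exploitation, too narrow and a slow-running injected command slips past the sequence.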
Categories
- Endpoint
- Linux
Data Sources
- Process
- File
- Network Traffic
- Container
ATT&CK Techniques
- T1203
Created: 2024-09-27