
Summary
The analytic rule 'Java Writing JSP File' detects a Java process ('java', 'java.exe' or 'javaw.exe') writing a '.jsp' file to disk, which may indicate that a web shell is being deployed on the endpoint. Web shells give an attacker persistent remote access to the host and are a common first step toward unauthorized access, data exfiltration and further exploitation, so a hit on this rule is high priority. The detection uses the Endpoint data model, correlating process activity (Endpoint.Processes) with file-system activity (Endpoint.Filesystem) and filtering the process name to the Java executables listed above; on Windows the underlying telemetry is Sysmon Event ID 1 (process creation) and Event ID 11 (file creation). Legitimate deployment activity can also match, for example an application server expanding a WAR archive into its web application directory, so tuning by file path, parent process or command line is usually required. Any remaining hit should be reviewed immediately and, where malicious intent is confirmed, the host contained and remediated.
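The correlation the rule performs, as an added example in Python that is not the rule's own SPL: process-creation and file-creation events are joined on ProcessGuid, the writer's image basename is checked against the Java process names the page lists, and the target file name is matched case-insensitively. The events are constructed Sysmon-style records, not real telemetry; the field names follow Sysmon's schema, the inclusion of '.jspx' alongside '.jsp' and the allowed_path_prefixes tuning knob are assumptions made for the example.

```python
import ntpath
import re

# Process names the rule filters on (from the page); matched on the image basename, case-insensitively.
JAVA_PROCESS_NAMES = {"java", "java.exe", "javaw.exe"}
# Assumption: treat both .jsp and .jspx as JSP, since JSP containers serve both.
JSP_SUFFIX = re.compile(r"\.jspx?$", re.IGNORECASE)

# Constructed Sysmon-style events (not real telemetry). EventID 1 = Process Create,
# EventID 11 = FileCreate; field names follow Sysmon's schema. ProcessGuid is the join key.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-11-13 10:00:01", "Computer": "web01",
     "ProcessGuid": "{A1}", "Image": r"C:\Program Files\Java\jdk-17\bin\java.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Program Files\Java\jdk-17\bin\java.exe" -jar C:\tomcat\bin\bootstrap.jar'},
    {"EventID": 1, "UtcTime": "2024-11-13 10:00:02", "Computer": "web01",
     "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "UtcTime": "2024-11-13 10:00:03", "Computer": "app02",
     "ProcessGuid": "{C3}", "Image": "/usr/lib/jvm/java-17/bin/java",
     "ParentImage": "/usr/lib/systemd/systemd",
     "CommandLine": "java -jar /opt/tomcat/bin/bootstrap.jar"},
    # Java process writes a .jsp into the web root: should alert
    {"EventID": 11, "UtcTime": "2024-11-13 10:05:00", "Computer": "web01",
     "ProcessGuid": "{A1}", "TargetFilename": r"C:\tomcat\webapps\ROOT\cmd.jsp"},
    # Non-Java process writes a .jsp: out of scope for this rule
    {"EventID": 11, "UtcTime": "2024-11-13 10:05:01", "Computer": "web01",
     "ProcessGuid": "{B2}", "TargetFilename": r"C:\Users\dev\test.jsp"},
    # Java process writes a non-JSP file: benign
    {"EventID": 11, "UtcTime": "2024-11-13 10:05:02", "Computer": "web01",
     "ProcessGuid": "{A1}", "TargetFilename": r"C:\tomcat\logs\catalina.2024-11-13.log"},
    # File event with no matching process-create event: dropped by the join
    {"EventID": 11, "UtcTime": "2024-11-13 10:05:03", "Computer": "web01",
     "ProcessGuid": "{D4}", "TargetFilename": r"C:\tomcat\webapps\ROOT\shell.jsp"},
    # Java on Linux writes an upper-case .JSPX: should alert (case-insensitive match)
    {"EventID": 11, "UtcTime": "2024-11-13 10:05:04", "Computer": "app02",
     "ProcessGuid": "{C3}", "TargetFilename": "/opt/tomcat/webapps/ROOT/uploads/x.JSPX"},
]


def process_name(image):
    """Lower-cased basename of the image path; ntpath accepts both '\\' and '/' separators."""
    return ntpath.basename(image).lower()


def detect_java_jsp_writes(events, allowed_path_prefixes=()):
    """Return one alert per file-create event whose writing process is Java and whose
    target is a JSP file. Mirrors the rule's process/file-system correlation as an inner
    join on ProcessGuid, so file events without a process-create event are ignored.
    allowed_path_prefixes is a hypothetical tuning knob for known-good deployment paths
    (for example where an application server expands WAR archives)."""
    processes = {ev["ProcessGuid"]: ev for ev in events if ev.get("EventID") == 1}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        proc = processes.get(ev.get("ProcessGuid"))
        if proc is None:
            continue
        name = process_name(proc["Image"])
        if name not in JAVA_PROCESS_NAMES:
            continue
        target = ev.get("TargetFilename", "")
        if not JSP_SUFFIX.search(target):
            continue
        if any(target.lower().startswith(p.lower()) for p in allowed_path_prefixes):
            continue
        alerts.append({
            "dest": ev["Computer"],
            "file_create_time": ev["UtcTime"],
            "file_path": target,
            "process_name": name,
            "process_path": proc["Image"],
            "process": proc["CommandLine"],
            "parent_process_name": process_name(proc["ParentImage"]),
        })
    return alerts


if __name__ == "__main__":
    for a in detect_java_jsp_writes(SAMPLE_EVENTS):
        print(f"{a['dest']}: {a['process_name']} (parent {a['parent_process_name']}) wrote {a['file_path']}")
```

Run against the constructed events this yields two alerts (the Windows 'cmd.jsp' write and the Linux 'x.JSPX' write); the notepad write, the log write and the orphan file event are all discarded. Sysmon Event ID 11 already carries the writer's Image field, so a single-event variant without the join is possible, but the join gives the analyst the parent process and command line for triage and is what the rule's process/file-system correlation describes.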
Categories
- Endpoint
Data Sources
- Process
- File
ATT&CK Techniques
- T1190
- T1133
Created: 2024-11-13