
Potential SAP NetWeaver WebShell Creation

Elastic Detection Rules

Summary
This detection rule, authored by Elastic, identifies suspicious file creation in the irj directories of the SAP NetWeaver application, the location from which a web shell dropped through the application would be served. The rule is written in EQL (Event Query Language) and fires on file creation events where the file extension is Java-related (jsp, java, class) and the path falls under the SAP NetWeaver irj directories; the host OS type (Linux or Windows) selects which path pattern applies rather than excluding events. Because this pattern corresponds to the exploitation of SAP vulnerabilities such as CVE-2025-31324, the rule carries a high severity rating and a risk score of 73. The rule includes an investigation and response guide: analyze the creation event (the creating process, the user and the file written), review the associated HTTP logs for the request that delivered the file, and check for further indicators of compromise. Immediate remediation steps include isolating the affected host and terminating suspicious Java processes. References to the underlying vulnerabilities and escalation procedures are included to support the broader response.
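As an added example (not Elastic's rule or code), the following Python re-implements the matching logic described above over a handful of constructed ECS-style file events, so the conditions (file creation event, Linux or Windows host, Java-related extension, path under the irj directories) can be exercised offline and the hits reduced to the fields a triage would start from. The path globs are a placeholder assumption standing in for the rule's own path list, and the events, host names, users and process details are constructed for the example.

```python
"""Re-implementation of the rule's matching logic over constructed events.

Example code added for illustration; not the Elastic rule itself.
"""
import fnmatch
from typing import Iterable

JAVA_EXTENSIONS = {"jsp", "java", "class"}

# Placeholder globs for the SAP NetWeaver irj directories (assumption: the
# rule's own path list is authoritative). As with EQL wildcards, '*' spans
# path separators, so files in subdirectories are covered as well.
IRJ_PATH_GLOBS = {
    "linux": [
        "/usr/sap/*/*/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/*",
        "/usr/sap/*/*/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/*",
    ],
    "windows": [
        "?:\\usr\\sap\\*\\*\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\root\\*",
        "?:\\usr\\sap\\*\\*\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\work\\*",
    ],
}


def file_extension(path: str) -> str:
    """Derive the lower-cased extension when the event carries no file.extension."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_webshell_creation(event: dict) -> bool:
    """Return True when the event satisfies all of the rule's conditions."""
    ev = event.get("event", {})
    if ev.get("category") != "file" or "creation" not in ev.get("type", []):
        return False
    os_type = event.get("host", {}).get("os", {}).get("type", "").lower()
    globs = IRJ_PATH_GLOBS.get(os_type)
    if not globs:
        return False  # rule only covers Linux and Windows hosts
    path = event.get("file", {}).get("path", "")
    ext = (event.get("file", {}).get("extension") or file_extension(path)).lower()
    if ext not in JAVA_EXTENSIONS:
        return False
    # EQL ':' string comparisons are case-insensitive, so lower both sides;
    # fnmatchcase keeps the result independent of the OS running this script.
    return any(fnmatch.fnmatchcase(path.lower(), g.lower()) for g in globs)


def triage(events: Iterable[dict]) -> list:
    """Reduce matching events to the fields an analyst pivots on first."""
    hits = []
    for e in events:
        if is_webshell_creation(e):
            hits.append({
                "host": e.get("host", {}).get("name"),
                "path": e["file"]["path"],
                "process": e.get("process", {}).get("name"),
                "pid": e.get("process", {}).get("pid"),
                "user": e.get("user", {}).get("name"),
            })
    return hits


def _evt(os_type, host, path, action="creation", process="java", pid=4242, user="sapadm"):
    return {
        "event": {"category": "file", "type": [action]},
        "host": {"name": host, "os": {"type": os_type}},
        "file": {"path": path},
        "process": {"name": process, "pid": pid},
        "user": {"name": user},
    }


LINUX_ROOT = "/usr/sap/PRD/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/"
WIN_WORK = "C:\\usr\\sap\\PRD\\J00\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\work\\"

# Constructed sample events: three should match, three should not.
SAMPLE_EVENTS = [
    _evt("linux", "sap-prd-01", LINUX_ROOT + "helper.jsp"),              # hit
    _evt("linux", "sap-prd-01", LINUX_ROOT + "notes.txt"),               # extension not Java-related
    _evt("windows", "SAP-PRD-02", WIN_WORK + "Evil.class"),              # hit
    _evt("linux", "sap-prd-01", "/tmp/x.jsp"),                            # path outside irj
    _evt("linux", "sap-prd-01", LINUX_ROOT + "old.jsp", action="deletion"),  # not a creation
    _evt("linux", "sap-prd-01", LINUX_ROOT + "Shell.JSP"),                # hit, case-insensitive
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The creating process and user in each hit are the first pivot: on a NetWeaver host the Java server process writing a .jsp into irj/root is the behaviour to explain, and the matching request in the HTTP logs (the upload that wrote that file name) is the next artifact to pull.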
Categories
  • Endpoint
  • Application
  • Infrastructure
Data Sources
  • File
  • Process
ATT&CK Techniques
  • T1059 (Command and Scripting Interpreter)
  • T1059.007 (JavaScript)
  • T1203 (Exploitation for Client Execution)
Created: 2025-04-26