
Windows Potential Web Shell Creation For VMware Workspace ONE

Splunk Security Content

Summary
An analytic that flags potential web shell creation in the VMware Workspace ONE path on Windows and Linux endpoints by monitoring Sysmon FileCreate events (Sysmon EventID 11) via the Endpoint Filesystem data model. It looks for newly created JSP files located under VMware Horizon Workspace webapps directories (matching both Windows and POSIX style paths) and captures metadata such as the destination host, file creation time, and the spawning process (process_path, process_guid, process_id, file_path, file_name, user, vendor_product, action).

The rule targets CVE-2022-22954 exploitation attempts that deploy web shells in VMware Workspace ONE and aligns with MITRE ATT&CK technique T1505.003 (Web Shell).

Implementation requires ingesting endpoint EDR telemetry with process GUID, process name, parent process, and full command line, mapped to the Endpoint Processes CIM. Known false positives include legitimate software updates or administrative scripts creating files in the VMware Workspace ONE path; review such events and allow trusted processes to reduce noise. References include the CVE advisory related to VMware vulnerabilities.
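The detection logic described above, reduced to a stand-alone Python script as an added example (this is not Splunk's detection search or any Splunk Security Content code). It consumes Sysmon EventID 11 records as plain dictionaries with the usual Sysmon field names, folds Windows and POSIX paths into one comparable form, flags `.jsp` files landing under a `vmware/horizon workspace/webapps` directory, and suppresses events from an analyst-maintained allowlist of trusted process images to handle the false positive case the page mentions. The directory layout, the field names, the allowlisted updater path and all sample events are constructed assumptions for this example.

```python
"""Added example, not Splunk's own code: flag JSP files created under the
VMware Horizon Workspace webapps tree from Sysmon EventID 11 (FileCreate)."""
import re
from typing import Iterable

# Directory pattern the detection keys on, applied to a normalised path.
# The on-disk layout ("horizon workspace" or "horizon/workspace") is an
# assumption for this example; adjust it to your deployment.
WEBAPPS_RE = re.compile(r"/vmware/horizon[ /]workspace/webapps/.*\.jsp$")

# Process images an analyst has reviewed and allowed (constructed values).
# Compared in normalised form, so casing and slash direction do not matter.
TRUSTED_PROCESS_PATHS = {
    "c:/program files/vmware/updater/vmwareupdater.exe",
}


def normalise_path(path: str) -> str:
    """Fold Windows and POSIX forms into one comparable shape: backslashes
    become forward slashes, repeated slashes collapse, case is lowered."""
    folded = path.replace("\\", "/")
    folded = re.sub(r"/+", "/", folded)
    return folded.lower()


def is_webshell_candidate(event: dict) -> bool:
    """True when a FileCreate event writes a .jsp under the webapps tree."""
    if str(event.get("EventID")) != "11":
        return False
    target = normalise_path(event.get("TargetFilename", ""))
    return WEBAPPS_RE.search(target) is not None


def detect(events: Iterable[dict]) -> list[dict]:
    """Return one alert record per candidate event whose creating process is
    not on the trusted allowlist. Field names mirror the Endpoint data model."""
    alerts = []
    for ev in events:
        if not is_webshell_candidate(ev):
            continue
        if normalise_path(ev.get("Image", "")) in TRUSTED_PROCESS_PATHS:
            continue  # reviewed, legitimate software update or admin script
        target = ev["TargetFilename"]
        alerts.append({
            "dest": ev.get("Computer"),
            "file_create_time": ev.get("UtcTime"),
            "process_path": ev.get("Image"),
            "process_guid": ev.get("ProcessGuid"),
            "process_id": ev.get("ProcessId"),
            "file_path": target,
            "file_name": target.replace("\\", "/").rsplit("/", 1)[-1],
            "user": ev.get("User"),
            "action": "created",
        })
    return alerts


# Constructed sample telemetry; none of these hosts, GUIDs or paths are real.
SAMPLE_EVENTS = [
    {  # Windows host: Tomcat's java.exe drops a JSP into webapps -> alert
        "EventID": 11, "Computer": "win-ws1", "UtcTime": "2022-04-20 10:01:02.123",
        "Image": "C:\\Program Files\\VMware\\Horizon Workspace\\bin\\java.exe",
        "ProcessGuid": "{00000000-0000-0000-0000-000000000001}", "ProcessId": 4120,
        "TargetFilename": "C:\\Program Files\\VMware\\Horizon Workspace\\webapps\\ROOT\\cmd.jsp",
        "User": "NT AUTHORITY\\SYSTEM",
    },
    {  # Linux host, POSIX path, uppercase extension -> alert
        "EventID": 11, "Computer": "lnx-ws1", "UtcTime": "2022-04-20 10:05:44.001",
        "Image": "/usr/bin/java",
        "ProcessGuid": "{00000000-0000-0000-0000-000000000002}", "ProcessId": 2211,
        "TargetFilename": "/opt/vmware/horizon/workspace/webapps/ROOT/help.JSP",
        "User": "horizon",
    },
    {  # JSP written by the allowlisted updater -> suppressed
        "EventID": 11, "Computer": "win-ws2", "UtcTime": "2022-04-20 11:00:00.000",
        "Image": "C:\\Program Files\\VMware\\Updater\\VMwareUpdater.exe",
        "ProcessGuid": "{00000000-0000-0000-0000-000000000003}", "ProcessId": 900,
        "TargetFilename": "C:\\Program Files\\VMware\\Horizon Workspace\\webapps\\ROOT\\index.jsp",
        "User": "NT AUTHORITY\\SYSTEM",
    },
    {  # Non-JSP file under webapps -> not a candidate
        "EventID": 11, "Computer": "win-ws1", "UtcTime": "2022-04-20 11:02:00.000",
        "Image": "C:\\Program Files\\VMware\\Horizon Workspace\\bin\\java.exe",
        "ProcessGuid": "{00000000-0000-0000-0000-000000000001}", "ProcessId": 4120,
        "TargetFilename": "C:\\Program Files\\VMware\\Horizon Workspace\\webapps\\ROOT\\notes.txt",
        "User": "NT AUTHORITY\\SYSTEM",
    },
    {  # Process creation event, wrong EventID -> ignored
        "EventID": 1, "Computer": "win-ws1", "UtcTime": "2022-04-20 11:03:00.000",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "TargetFilename": "C:\\Program Files\\VMware\\Horizon Workspace\\webapps\\ROOT\\x.jsp",
    },
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the script prints two alerts (the Windows `cmd.jsp` and the Linux `help.JSP`); the updater-created file, the `.txt`, and the EventID 1 record are dropped. In production the allowlist would be a lookup maintained from triage results rather than a constant, and the match would run as a Splunk search over the Endpoint Filesystem data model rather than over in-memory dictionaries.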
Categories
  • Endpoint
  • Windows
  • Linux
Data Sources
  • Windows Registry
  • Process
  • File
  • Script
  • Module
ATT&CK Techniques
  • T1505.003
Created: 2026-04-13