
Summary
The Supernova Webshell detection rule identifies web requests associated with the SUPERNOVA webshell, a malicious .NET HTTP handler found on SolarWinds Orion servers during the investigation of the SUNBURST campaign. The analytic searches web URLs for the handler name 'logoimagehandler.ashx' followed by any of the parameter patterns '*codes*', '*clazz*', '*method*' and '*args*'; the trojanized handler takes C# source from the 'codes' parameter, compiles it in memory and invokes the class, method and arguments named by 'clazz', 'method' and 'args'. A match therefore indicates probable unauthorized access and arbitrary code execution on the Orion host, which can lead to data exfiltration or ransomware deployment. On detection, review the matching URLs together with their source addresses and HTTP status codes, inspect any on-disk artifacts on the Orion server, and examine its running processes and network connections before deciding on containment. The rule is implemented as a Splunk search over the Web data model and requires that web traffic to SolarWinds Orion is collected and mapped to that model. Because the patterns are substring wildcards, confirm during triage that the matched parameter is an actual query-string key rather than a substring of some other value.
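The following is an added example, not the rule's own SPL: it re-implements the URL check in Python over a handful of constructed web-proxy lines, once as a Splunk-style wildcard substring match and once as a stricter check that requires the parameter to be a real query-string key, so the two can be compared on the same input. The log format, host names and addresses are assumptions made for the example.

```python
"""Re-implementation of the Supernova webshell URL check over sample web log lines.

Added illustration, not the Splunk rule itself. The log format below
("<src> <dest> <http_method> <url> <status>") and every line in it are
constructed for the example.
"""
from urllib.parse import parse_qs, urlsplit

# Parameter names the trojanized handler accepts, as used in the rule's URL patterns.
SUPERNOVA_PARAMS = ("codes", "clazz", "method", "args")
HANDLER = "logoimagehandler.ashx"

# Constructed sample traffic (not real captures). Line 3 is a webshell call;
# line 4 is a benign-looking request whose query happens to contain "method".
SAMPLE_LOG = """\
10.1.2.3 orion.internal GET /Orion/Login.aspx 200
10.1.2.3 orion.internal GET /SolarWinds/LogoImageHandler.ashx?id=12 200
203.0.113.7 orion.internal POST /logoimagehandler.ashx?codes=dXNpbmc&clazz=Vendor&method=Run&args=x 200
10.1.2.8 orion.internal GET /Orion/Logoimagehandler.ashx?id=1&methodology=dark 200
"""


def wildcard_match(url: str) -> bool:
    """Equivalent of Web.url=*logoimagehandler.ashx*codes* (and the other three):
    the handler name appears, and one of the parameter names appears somewhere after it."""
    lowered = url.lower()
    idx = lowered.find(HANDLER)
    if idx < 0:
        return False
    tail = lowered[idx + len(HANDLER):]
    return any(param in tail for param in SUPERNOVA_PARAMS)


def strict_match(url: str) -> bool:
    """Stricter variant: path must end with the handler and the query string must
    contain one of the Supernova parameters as an actual key (case-insensitive)."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(HANDLER):
        return False
    keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return bool(keys & set(SUPERNOVA_PARAMS))


def scan(log_text: str, matcher=strict_match) -> list[dict]:
    """Run the chosen matcher over each log line and return the fields an analyst
    would want for triage (mirroring the rule's split-by fields)."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guess at them
        src, dest, http_method, url, status = fields
        if matcher(url):
            hits.append({"src": src, "dest": dest, "http_method": http_method,
                         "url": url, "status": status})
    return hits


if __name__ == "__main__":
    for name, fn in (("wildcard", wildcard_match), ("strict", strict_match)):
        print(name, [h["src"] for h in scan(SAMPLE_LOG, fn)])
```

Running the block shows the wildcard form flagging both the webshell call and the benign request containing "methodology", while the strict form flags only the webshell call; the wildcard behaviour is what the Splunk rule does, so the strict check is the kind of confirmation worth doing at triage time rather than a replacement for the rule.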
Categories
- Web
- Network
Data Sources
- Web Credential
- Network Traffic
ATT&CK Techniques
- T1505.003
- T1133
Created: 2024-11-15