Web server security against web shell attacks

I have to create a watchlist in EDR to secure our web servers against webshell attacks in the organization. Now can anyone suggest what the watchlist query should be that will detect a webshell attack? Should it be file modification in inetpub\wwwroot? But that will create a lot of false positives. Please help me.
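The two detections most watchlists use for this, expressed as logic rather than in any one EDR's query syntax, as an added example that is not part of the original post: (1) a server-side script file written under the IIS web root by anything other than known deployment tooling, and (2) the IIS worker process (w3wp.exe) starting a shell or similar child process. Scoping the file rule to executable script extensions and allowlisting deployment tools is what keeps the false-positive rate down compared with alerting on every write under inetpub\wwwroot. The event schema, the allowlist contents, the sample events and the severities are assumptions to be tuned per environment.

```python
"""Triage of webshell-related EDR telemetry on an IIS host (added example,
constructed events, simplified schema; not the poster's EDR or query)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional

WEB_ROOT = r"C:\inetpub\wwwroot"
# Extensions IIS/ASP.NET will execute or honour if dropped into the web root.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".cshtml", ".config", ".php"}
IIS_WORKER = "w3wp.exe"
# Children a web worker should almost never start directly (assumed list).
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "certutil.exe", "whoami.exe"}
# Assumed allowlist of legitimate deployment tooling; extend for your CI/CD.
DEPLOY_TOOLS = {"msdeploy.exe", "devenv.exe"}


@dataclass
class Event:
    event_type: str                 # "file_write" or "process_start"
    process: str                    # image name of the acting process
    parent: Optional[str] = None    # parent image name (process_start)
    path: Optional[str] = None      # target path (file_write)
    cmdline: Optional[str] = None


@dataclass
class Alert:
    rule: str
    severity: str
    event: Event


def under_web_root(path: str) -> bool:
    """Case-insensitive check that path sits below WEB_ROOT."""
    norm = path.replace("/", "\\").lower()
    return norm.startswith(WEB_ROOT.lower() + "\\")


def evaluate(ev: Event) -> Optional[Alert]:
    """Apply both watchlist rules to one event; return an Alert or None."""
    proc = ev.process.lower()
    if ev.event_type == "file_write" and ev.path:
        suffix = PureWindowsPath(ev.path).suffix.lower()
        if under_web_root(ev.path) and suffix in SCRIPT_EXTS:
            if proc in DEPLOY_TOOLS:
                return None  # expected deployment activity, suppressed
            # The worker process writing its own script files is the
            # classic upload pattern, so it ranks above an admin edit.
            sev = "high" if proc == IIS_WORKER else "medium"
            return Alert("webroot_script_write", sev, ev)
    elif ev.event_type == "process_start" and ev.parent:
        if ev.parent.lower() == IIS_WORKER and proc in SHELL_CHILDREN:
            return Alert("iis_worker_spawns_shell", "high", ev)
    return None


def triage(events: Iterable[Event]) -> List[Alert]:
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample telemetry covering benign and suspicious cases.
SAMPLE_EVENTS = [
    Event("file_write", "msdeploy.exe", path=r"C:\inetpub\wwwroot\Default.aspx"),
    Event("file_write", "w3wp.exe", path=r"C:\inetpub\wwwroot\uploads\img.jpg"),
    Event("file_write", "w3wp.exe", path=r"C:\inetpub\wwwroot\uploads\cmd.aspx"),
    Event("process_start", "csc.exe", parent="w3wp.exe"),   # dynamic compile: normal
    Event("process_start", "cmd.exe", parent="w3wp.exe", cmdline="cmd.exe /c whoami"),
    Event("file_write", "notepad.exe", path=r"C:\inetpub\wwwroot\web.config"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule}: {alert.event}")
```

Running the block yields three alerts: the worker writing cmd.aspx and the worker spawning cmd.exe at high severity, and the hand edit of web.config at medium; the deployment-tool write, the image upload and the csc.exe compile child are ignored. The parent/child rule fires even when an attacker's file write is not captured (for example a webshell that lives only in memory or was placed by a deployment tool), which is why watchlists should carry both rules rather than the file rule alone.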