'F5 rules for AWS WAF' ruleset not working for jsp web shell attack

I have subscribed to 'F5 rules for AWS WAF' Common Vulnerabilities & Exposures (CVE) Rules in AWS market place and protected the ALB's. Even after enabled, I see my web server got affected by jsp web shell attack and found war file deployed by unauthorized user.

Can you please let me know what are the rules available to protect from jsp web shell attack?