{
  "version":1,
  "origin":{
    "name":"worker01",
    "module":"wazuh-execd"
  },
  "command":"add",
  "parameters":{
    "extra_args":[],
    "alert":{
      "timestamp":"2021-02-01T20:58:44.830+0000",
      "rule":{
        "level":15,
        "description":"Shellshock attack detected",
        "id":"31168",
        "mitre":{
          "id":["T1068","T1190"],
          "tactic":["Privilege Escalation","Initial Access"],
          "technique":["Exploitation for Privilege Escalation","Exploit Public-Facing Application"]
        },
        "info":"CVE-2014-6271https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271",
        "firedtimes":2,
        "mail":true,
        "groups":["web","accesslog","attack"],
        "pci_dss":["11.4"],
        "gdpr":["IV_35.7.d"],
        "nist_800_53":["SI.4"],
        "tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]
      },
      "agent":{
        "id":"000",
        "name":"wazuh-server"
      },
      "manager":{
        "name":"wazuh-server"
      },
      "id":"1612213124.6448363",
      "full_log":"192.168.0.223 - - [01/Feb/2021:20:58:43 +0000] \"GET / HTTP/1.1\" 200 612 \"-\" \"() { :; }; /bin/cat /etc/passwd\"",
      "decoder":{
        "name":"web-accesslog"
      },
      "data":{
        "protocol":"GET",
        "srcip":"192.168.0.223",
        "id":"200",
        "url":"/"
      },
      "location":"/var/log/nginx/access.log"
    },
    "program":"/var/ossec/active-response/bin/firewall-drop"
  }
}