{
  "version": 1,
  "origin": {
    "name": "worker01",
    "module": "wazuh-execd"
  },
  "command": "add",
  "parameters": {
    "extra_args": [],
    "alert": {
      "timestamp": "2021-02-01T20:58:44.830+0000",
      "rule": {
        "level": 15,
        "description": "Shellshock attack detected",
        "id": "31168",
        "mitre": {
          "id": [
            "T1068",
            "T1190"
          ],
          "tactic": [
            "Privilege Escalation",
            "Initial Access"
          ],
          "technique": [
            "Exploitation for Privilege Escalation",
            "Exploit Public-Facing Application"
          ]
        },
        "info": "CVE-2014-6271https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271",
        "firedtimes": 2,
        "mail": true,
        "groups": [
          "web",
          "accesslog",
          "attack"
        ],
        "pci_dss": [
          "11.4"
        ],
        "gdpr": [
          "IV_35.7.d"
        ],
        "nist_800_53": [
          "SI.4"
        ],
        "tsc": [
          "CC6.1",
          "CC6.8",
          "CC7.2",
          "CC7.3"
        ]
      },
      "agent": {
        "id": "000",
        "name": "wazuh-server"
      },
      "manager": {
        "name": "wazuh-server"
      },
      "id": "1612213124.6448363",
      "full_log": "192.168.0.223 - - [01/Feb/2021:20:58:43 +0000] \"GET / HTTP/1.1\" 200 612 \"-\" \"() { :; }; /bin/cat /etc/passwd\"",
      "decoder": {
        "name": "web-accesslog"
      },
      "data": {
        "protocol": "GET",
        "srcip": "192.168.0.223",
        "id": "200",
        "url": "/"
      },
      "location": "/var/log/nginx/access.log"
    },
    "program": "/var/ossec/active-response/bin/firewall-drop"
  }
}