Hello,
You can find the definition of all scenarios in the hub: https://hub.crowdsec.net/.
The HTTP-probing scenario is here: CrowdSec Hub.
It triggers when a client generates too many 400,403 or 404 errors.
You can also get more infos about a decision by getting its id (from cscli decisions list) and running cscli alerts inspect -d THE_ID (note that this will only contains metadata about the attack, you’ll also probably want to grep the IP that was banned in your log to see exactly what kind of requests it did).