```shell
cscli scenarios install crowdsecurity/modsecurity
```

Take a remediation against an IP that triggers a modsecurity rule with a CRITICAL severity.
```yaml
type: trigger
#debug: true
name: crowdsecurity/modsecurity
description: "Web exploitation via modsecurity"
#modsec for nginx only logs the numerical value of the severity
filter: evt.Meta.log_type == 'modsecurity' && (evt.Parsed.ruleseverity == 'CRITICAL' || evt.Parsed.ruleseverity == '2')
blackhole: 2m
groupby: evt.Meta.source_ip
labels:
  remediation: true
  classification:
    - attack.T1595
    - attack.T1190
  behavior: "http:exploit"
  label: "Modsecurity Alert"
  spoofable: 0
  confidence: 2
  service: http
```
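As an added illustration (not part of the hub page or of the CrowdSec engine), the Python below models how this trigger scenario behaves: the filter accepts ModSecurity events whose severity is `CRITICAL` or the numeric `2` that the nginx connector logs, events are grouped by source IP, and the `blackhole: 2m` suppresses repeat alerts for the same IP. The event dictionaries, the `mk` helper and the timestamps are constructed for the demo.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs), shaped after the fields the scenario
# reads: evt.Meta.log_type, evt.Meta.source_ip and evt.Parsed.ruleseverity.
def mk(ts, ip, severity, log_type="modsecurity"):
    return {"ts": ts, "meta": {"log_type": log_type, "source_ip": ip},
            "parsed": {"ruleseverity": severity}}

SAMPLE_EVENTS = [
    mk("2024-01-01T10:00:00", "203.0.113.5", "CRITICAL"),
    mk("2024-01-01T10:00:30", "203.0.113.5", "2"),                # nginx numeric form, inside blackhole
    mk("2024-01-01T10:01:00", "198.51.100.9", "WARNING"),         # severity too low, ignored
    mk("2024-01-01T10:01:30", "192.0.2.7", "CRITICAL", "syslog"), # wrong log_type, ignored
    mk("2024-01-01T10:01:45", "198.51.100.9", "2"),               # nginx numeric CRITICAL, alerts
    mk("2024-01-01T10:03:00", "203.0.113.5", "CRITICAL"),         # blackhole expired, alerts again
]

BLACKHOLE = timedelta(minutes=2)  # the scenario's "blackhole: 2m"


def matches_filter(evt):
    """The scenario's filter: modsecurity events whose rule severity is CRITICAL,
    or '2', the numeric value the nginx ModSecurity connector logs instead."""
    return (evt["meta"].get("log_type") == "modsecurity"
            and evt["parsed"].get("ruleseverity") in ("CRITICAL", "2"))


def run_scenario(events, blackhole=BLACKHOLE):
    """Model a 'trigger' bucket: the first matching event per groupby key
    (source_ip) fires an alert, then that key is blackholed for `blackhole`.
    Returns the list of (timestamp, source_ip, severity) alerts in time order."""
    blackholed_until = {}
    alerts = []
    for evt in sorted(events, key=lambda e: e["ts"]):
        if not matches_filter(evt):
            continue
        ip = evt["meta"]["source_ip"]
        ts = datetime.fromisoformat(evt["ts"])
        if ip in blackholed_until and ts < blackholed_until[ip]:
            continue  # suppressed: this IP already alerted within the window
        alerts.append((ts, ip, evt["parsed"]["ruleseverity"]))
        blackholed_until[ip] = ts + blackhole
    return alerts


if __name__ == "__main__":
    for ts, ip, sev in run_scenario(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} alert source_ip={ip} severity={sev}")
```

Running it yields three alerts: the first CRITICAL hit from 203.0.113.5, the numeric-severity hit from 198.51.100.9, and a second alert from 203.0.113.5 once its two-minute blackhole has expired.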