The Security Incidents tab in Security Center that shows what Mod_Security has blocked is showing server IP as an offender for some specific types of attacks even though the IP is something else.
![](https://i.gyazo.com/313418ab6a503f9d477f1a79a03355ce.png)
Here's the audit log showing something else:
![](https://i.gyazo.com/ed8d4568ab663a701259b5ed2af38192.png)
I'm running Cloudflare -> Nginx -> Varnish -> Apache (with mod_cloudflare)