Here is an example of a mod_security triggered log found in the apache's error_logs:
[Mon Dec 19 21:35:23.087209 2022] [:error] [pid 14858] [client 85.62.xxx.xx:59737] [client 85.62.xxx.xx] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^(?

?:\\\\*|[^\\"(),\\\\/:;<=>?![\\\\x5c\\\\]{}]+)\\\\/(?:\\\\*|[^\\"(),\\\\/:;<=>?![\\\\x5c\\\\]{}]+))(?:\\\\s*+;\\\\s*+(?

?:charset\\\\s*+=\\\\s*+(?:\\"?(?:iso-8859-15?|windows-1252|utf-8)\\\\b\\"?))|(?

?:c(?:h(?:a(?:r(?:s(?:e[^t\\"(),\\\\/:;<=>?![\\\\x5c\\\\]{}]|[^e\\"(),/:;<=>?![\\\\x5c ..." against "REQUEST_HEADERS:Accept" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1162"] [id "920600"] [msg "Illegal Accept header: charset parameter"] [data "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [hostname "api1pdts.movistar.es"] [uri "/"] [unique_id "Y6Efa9KiCof05rv4cTuR2gAAAAs"]
Here is another one:
[Mon Dec 19 21:45:10.407002 2022] [:error] [pid 14860] [client 51.104.xxx.xx:56676] [client 51.104.xxx.xx] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "736"] [id "920350"] [msg "Host header is a numeric IP address"] [data "45.79.xxx.xx"] [severity "WARNING"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "45.79.xxx.xx"] [uri "/"] [unique_id "Y6EhtvJk_bMxXPQEVlY4BwAAAAY"]
In reporting these to microsoft and amazon they want the element that triggered the alert. To me that looks like the long string of slashes in the first example and in the second example, well, I don't know.
In order for Microsoft and Amazon to close these accounts they need evidence. That I'm at a loss to provide.