Re-visiting ModSecurity ...
Hopefully, you've a linux server. Recently involved in assisting a Moodle OP that hosted with a provider that supplies centos7 templates allocated by Web Hosting Management. It's been a learning 'experience'.
Installing Moodle via git and cli, no issues. ModSecurity actually taken out of the loop as git installed Moodles don't use the web service.
As far as 'false positives' ... the makers of ModSec are aware and are trying their best to ID those false positives - imagine that keeps them extremely busy. :\
Did find in these forums @ https://moodle.org/mod/forum/discuss.php?d=95086 some info shared that did help, a little. Actually seeing the same moodle file modedit.php that triggered MS .. that was back in 2013 ... today ... same thing with Moodle 3.4.x and 3.5.x.
Can offer one tip in finding the issues ... below is a command line query of apache error logs:
grep -a ModSecurity /usr/local/apache/logs/error_log | grep -a dev
On the system upon which I was working grepping the error_log required the -a switch. And as can see, searching for 'ModSecuity' references. The |grep -a dev ... the 'dev' was an instance of Moodle ... url was https://site/dev/
In viewing what that found, key things ... the URL ... like /dev/modedit.php and the MS ID number.
Those two bits of info used in configuring a whitelist item.
/etc/apache2/conf.d/modsec2/whitelist.conf
<LocationMatch "/dev/course/modedit.php">
SecRuleRemoveById 300015
</LocationMatch>
Then checking for typo's:
apachectl -t
IF apachectl says 'OK' ... restart apache and hopefully the 'false positive' error will go away and one can get on down the road.
One of the side affects of this is seen in your DB stats ... number of dropped connections. The MS was claiming the script to be an attempt at XSS SQL Injection ... which it was not - but MS didn't stop it before a connection was opened to the DB (that's a guess).
Know it's a pain ... but might be well worth it ... especially if you notice your server is poked and probed often.
'spirit of sharing', Ken