ASM automatic learning policy

Each violation is assigned a percentage value which reflects the progress of learning for each entity or item. This percentage value is called the Learning Score. For each request, ASM tracks the originating IP address, the time the HTTP session was opened, how many requests have been made, any violation ratings that have been assigned, and numerous proprietary rules of varying tolerance. The staging status of any entities or violation items is also considered for calculating the learning score. High-rated illegal requests will lower the score and slow down the acceptance of the respective suggestions induced by those requests, while speeding up and raising the score for suggestions induced by low-rated requests. You are correct that in automatic mode, a learning suggestion is accepted when the learning score reaches 100 percent. You can test this by creating a trusted IP address, and then sending a request from that IP--the score will be 100 percent immediately because the request came from a trusted source. In production, this takes longer. Check out the Policy Building Process menus on the traffic learning screen. You can see how many requests from different IP addresses must be processed for loosening and tightening the policy. In your example, 512 requests triggered a specific violation--if numerous requests are triggering the same one, then ASM will ultimately decide that those requests are valid and that the violation is a false positive. Make sense?