Forum Discussion
ASM good way to differentiate legitimate and attack traffic
What is legitimate in your application and environment is generally up to you. If the request and response look legitimate to you because they conform to your application's requirements and are not malicious, but the ASM triggered a violation on it for some reason (because it detects a pattern that it finds suspicious), you ultimately can flag that violation as "allowed" and make exceptions for URL or Parameter or combination of the two, or globally, so that the ASM does not block on this specific violation for the scope chosen.
For example, if your users can submit a POST whose body contains a parameter called "folder" and the users are allowed to use folder paths of the form "../food/cookie.php", the ASM would flag the "../" as a directory traversal attempt. Since you know that this is allowed for this particular URL, you can accept the actions proposed by the learning suggestion IF they match your expectation. Assuming that the violation meets the learning criteria configured, the ASM would suggest to disable blocking for this violation. The scope of the disabling can be URL or Global depending on how you have configured your Parameter Level in the policy.
I hope this makes sense.
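The effect of the scope choice described in the reply above, as an added example that is not part of the original post and is not F5 ASM code or its API: a simplified Python model in which an exception for the "folder" parameter is applied either to one URL or globally. The URLs, the "file" parameter, the regex standing in for the traversal signature and the sample requests are all constructed assumptions.

```python
"""Simplified model of scoped violation exceptions (not F5 ASM code or its API)."""
import re
from typing import NamedTuple, Optional

# Stand-in for a directory traversal signature; real WAF signatures are broader.
TRAVERSAL = re.compile(r"\.\.[/\\]")


class Allow(NamedTuple):
    parameter: str
    url: Optional[str] = None  # None means the exception applies globally


def decide(url: str, params: dict, exceptions: list) -> dict:
    """Map each parameter that trips the signature to 'allowed' or 'blocked'."""
    verdicts = {}
    for name, value in params.items():
        if not TRAVERSAL.search(value):
            continue  # no violation raised for this parameter
        excepted = any(
            e.parameter == name and e.url in (None, url) for e in exceptions
        )
        verdicts[name] = "allowed" if excepted else "blocked"
    return verdicts


# Constructed sample requests; URLs and the "file" parameter are hypothetical.
REQUESTS = [
    ("/files/save", {"folder": "../food/cookie.php"}),        # the legitimate case
    ("/files/save", {"folder": "docs", "file": "../x.php"}),  # other parameter
    ("/report/export", {"folder": "../../conf/app.ini"}),     # other URL
]

URL_SCOPED = [Allow("folder", url="/files/save")]
GLOBAL = [Allow("folder")]


def run(exceptions: list) -> list:
    """Evaluate every sample request against one set of exceptions."""
    return [decide(url, params, exceptions) for url, params in REQUESTS]


if __name__ == "__main__":
    for label, exc in (("url-scoped", URL_SCOPED), ("global", GLOBAL)):
        print(label, run(exc))
```

With the URL-scoped exception only the known-good request passes; the global one also lets the same pattern through on the unrelated URL, which is the trade-off to weigh before accepting a learning suggestion.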