
Forum Discussion

NoamRotter
Dec 31, 2019

How to block Time-Based Blind SQL Injection Attacks

I have a web app, and a PT succeeded in performing this attack:

https://mywebsite/Login.aspx?test=;waitfor delay '0:0:__TIME__'—

The VS has an ASM profile with these server technologies:

  • IIS
  • MSSQL
  • ASP.NET
  • Microsoft Windows

The policy is in blocking mode.

I don't want to remove the "test" parameter from the parameters list.

In the ASM policy I see Signature ID: 200002548

"SQL-INJ waitfor delay (URI)" in Block = YES and Enable = YES

I don't understand why the ASM is not blocking this attack.


How do I block this kind of attack using attack signatures?

1 Reply

  • I have noticed that Parameter * was in staging

    and URL * was in staging.

    Enforcing them caused the attack to be blocked.