ASM does not protect against zero-day or OWASP top ten etc automatically you have to customise your policy by teaching ASM what should be allowed, ASM has negative & positive security model potential. however, initially, it's default deny whether you are in learning or blocking mode unitil you accept the request or responses. Either option in positive or negative security both involve learning and customizing the ASM, there nothing automatic from what I have seen thus far.
The positive security model might be automated by telling the Crawbar to crawl your backend servers, however if you have dynamic urls or pages then it would work.
It's a long and painful process I am afraid.