App Firewall security event include a section called app_firewall_info. This section is available via the Security Event (json). But in a Global Log Receiver type Splunk (not checked with others), it is not included.
"app_firewall_info": { "name": "my-policy", "action": "block", "description": "Disallowed response code (404)" },
now working properly