In a log of a Disallowed response code, the upstream response code is not present in UI and present in JSON log key app_firewall_info.description. For example "description": "Disallowed response code (404)" (see attached file).
SecOps user would like to filter security event on a specific code. He can't do that in filter menu and in column list.
Error response code returned by the upstream is a criteria for security analytics. Having the ability to filter on upstream response code, even it was blocked by WAF, will improve incident resolution.