A must-have in an RFP is to define custom signatures and deploy them in Audit mode, to detect false positives in logs, before pushing them to Blocking mode.
Really, the customer SecOps team can't push a custom WAF signature to production without testing it in Audit mode on production traffic before moving it to Blocking mode.
A key differentiator with F5 XC is the high accuracy of the matchers in service policy rules, especially when using Transformers.
But in F5 XC you can't create a service policy or service policy rule in Audit mode. The "Audit mode" action is to allow the request AND generate a security event log.
I understand that Audit mode could generate a lot of logs if the matcher is too wide. However, the customer is ready to pay for these extra logs.
Could we have an option to enable logging in a Service Policy rule or at the Service Policy level?