I've gone through DevCentral so I know similar questions have been asked, but none have the right answer.
When I type this URL: [HTTPS] /en/ty.exe, I get a violation/support ID for the following:
Illegal file type 
Illegal URL length 
Illegal request length 
The traffic is quite rightly blocked, but nothing appears within the learning suggestions.
All of the violations are set to learn in the "learning & block settings".
The policy is in manual learning with a
Does everything that appears in the event logs not create a learning suggestion even if you've got it set to do so?
Is this decided by the ASM policy learning speeds? (Fast, enhanced and comprehensive)
In the learning page, click on filter / advanced and move the cursor from 5 to 0!
By default, learning suggestions under 5% are not displayed!
I tried that and it wasn't the case.
Looks like they have something in place to not provide learning suggestions for users from certain IPs (works fine for external users). I've checked the IP address exceptions and there's nothing there for their IP.
As a note, it's an F5 in Azure.
They copied their ASM policies from a previous Azure F5 running 12.1.1 and they weren't having this issue.
No learning suggestions are generated from their internal IPs, but they can be generated from external ones.