Forum Discussion
wesleyjack
Apr 08, 2019 Nimbostratus
Also, you can ask the app team if they have some sort of user-acceptance testing. We deal with a ton of websites that have poor documentation, so the app team has no idea about specific parameters or URLs. If you are looking for some specifics while ASM traffic learning is on, here are some thoughts:
- Make sure the app team uses any/all forms, especially those that accept user input
- If the app/website allows for file uploads, they need to use these
- Structured languages like XML/JSON should be exercised during learning
- Non-browser clients (if used at all) should be used by the app team
- If they have any vulnerability scanner, make sure they turn it off, or create a learning exception in your policy for the scanner's IP
- If they will be consistently testing from a source IP, or even multiple source IPs, then you can establish those as trusted in your policy to speed up learning
That's all I can think of off the top without having much more info about your policy. Also, depending on your tuning, those thoughts may or may not help you with the end results. But hopefully they do!