That’s my point. Though, maybe there is something to be said for blocking things like OWA vulnerabilities as compared to generic xss/sqli detection rules.