The client is using the SQL Threat Protection assertion for validating Response messages from the HTTP Routing assertion. The assertions are grouped into an included fragment to create a reusable building block. As long as this part is used as an included fragment it is working as expected and throws errors for messages with a possible security threat. However when this fragment is used to create an encapsulated assertion and used instead in the policy it never fails and all messages are incorrectly successful.
The same construction working on the request message is ok, as well as used as for a fragment as used as an encapsulated assertion.
Is this a bug or can we achieve somehow to have the encapsulated assertion work with SQL threat protection on the default response message?
In the threatProtectionOnResponse encapsulated assertion properties window, please check the checkbox 'Update routing statistics in parent policy'.
This issue was resolved by changing the configuration of the Encapsulated Assertion.
You can refer to the attached .docx file for the exact configuration change.