Ok, so by default we have a rule that logs all applications, on any host, at any time, on any service, on all adapters, on any screen to allow and write to both the packet and traffic log. But like I mentioned, if it is any extended period of time, the logs have been rewritten.
What happens on a Friday evening at 5:30 EST and someone in PST decided to do something they shouldn't have? Monday morning the logs are gone. If there was some way of saying, "Hey, something just happened, maybe I should grab the last 500 packets, bundle them up and send them to someone who can do something about it."
I will look into learned application.