As of today, Malicious User Detection considers the following threats:
Forbidden Activity(403)
Failed Login Activity
WAF Activity
IP Reputation
When API Rate Limit is configured, l7_policy_event is generated and a HTTP Response Code of 429 is sent.
Suggestion is to add API Rate Limit to Malicious User Detection.
Based on the threshold, user's threat level and mitigation action can be configured .