As of today, Malicious User Detection considers the following threats:

1. Forbidden Activity(403)

2. Failed Login Activity

3. WAF Activity

4. IP Reputation

When API Rate Limit is configured, l7_policy_event is generated and a HTTP Response Code of 429 is sent.

Suggestion is to add API Rate Limit to Malicious User Detection.

Based on the threshold, user's threat level and mitigation action can be configured .