I had today an attack due to a plugin but I think this could help on
Shield to mitigate these types of issues.
The request is to be able to add to this feature:
Brute Force Traffic Rate Limiting under traffic log settings the
possibility to limit the rate only for certains URLs or calls.
In my case the attack was happening to the /wp-admin/admin-ajax.php
but of course the firewall did not mark this as suspicious, so the
bots were free to go.
Being able to rate limit the calls to that url would have helped me a lot.