So for DoS protection on the ASM there is two threasholds.
Per IP
In this case the ASM will block only the offending that crosses the latency or TPS threshold that you have set for an individual IP address.
Per URL:
In this case my understanding is that once the total latency or TPS threshold is crossed for a single URL that the ASM will throttle requests to the historical average. I do not believe there is delineation between attacking IP addresses and legitimate traffic, as the it is just looking at traffic rates to a single URL on your site and trying to keep those in check. This way some legitimate traffic should get through but most likely some will get stopped.
The protection on the ASM seems to me to be more DoS related rather than DDoS related