What are people's thoughts on the best way to turn a SIEM rule into a Sumo Logic query, leveraging the advantages of Sumo Logic analytics?
Example (QRadar rule): Apply Anomaly: Excessive Firewall Denies from Multiple Sources: Firewall or ACL Denies with the same destination IP more than 400 times, across exactly 2 source IPs within 2 minutes.

QRadar uses the term "Anomaly" here incorrectly (IMHO), so don't let that throw you!

Two questions to spark conversation:
1. Would this be better as an outlier query to avoid having to tune it constantly?
2. How would you write it to get a similar (and smarter) alert?
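To make the two questions concrete, here is an added example (not part of the original post or of Sumo Logic) that expresses the QRadar rule as fixed two-minute-window detection logic over constructed deny events, and beside it a per-destination baseline check of the kind an outlier query would perform; the log format, IP addresses and thresholds for the baseline are assumptions made for the example.

```python
"""Added example, not from the original post: the QRadar rule as window-based
detection over constructed deny events, beside a per-destination baseline check."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

EPOCH, WINDOW = datetime(1970, 1, 1), timedelta(minutes=2)

def parse_deny(line):
    """Parse a constructed 'ISO-time DENY src=<ip> dst=<ip>' line; None if not a deny."""
    ts, action, src, dst = line.split()
    if action != "DENY":
        return None
    return datetime.fromisoformat(ts), src.split("=", 1)[1], dst.split("=", 1)[1]

def bucket(lines, window=WINDOW):
    """Group denies into fixed windows keyed by (window_start, dst), like a timeslice."""
    buckets = defaultdict(list)
    for line in lines:
        if parsed := parse_deny(line):
            ts, src, dst = parsed
            buckets[(EPOCH + ((ts - EPOCH) // window) * window, dst)].append(src)
    return buckets

def rule_alerts(buckets, min_denies=400, exact_sources=2):
    """Literal rule: more than 400 denies to one dst from exactly 2 source IPs in a window."""
    return sorted((start, dst, len(srcs)) for (start, dst), srcs in buckets.items()
                  if len(srcs) > min_denies and len(set(srcs)) == exact_sources)

def baseline_alerts(buckets, k=3.0, min_history=3):
    """Outlier-style: flag a window above mean + k*stdev of that dst's earlier windows."""
    history, alerts = defaultdict(list), []
    for (start, dst), srcs in sorted(buckets.items()):
        past = history[dst]
        if len(past) >= min_history and len(srcs) > mean(past) + k * pstdev(past):
            alerts.append((start, dst, len(srcs)))
        past.append(len(srcs))
    return alerts

def sample_events():
    """Constructed data: five quiet windows to 10.0.0.5, then a 401-deny burst from 2 sources."""
    t0, lines = datetime(2024, 1, 1, 12, 0), []
    for w in range(5):
        for i in range(5):
            ts = t0 + w * WINDOW + timedelta(seconds=i)
            lines.append(f"{ts.isoformat()} DENY src=192.0.2.{i % 3} dst=10.0.0.5")
    for i in range(401):
        ts = t0 + 5 * WINDOW + timedelta(seconds=i % 120)
        lines.append(f"{ts.isoformat()} DENY src=198.51.100.{i % 2} dst=10.0.0.5")
    return lines
```

The literal rule fires only when the source count is exactly two, so a third scanning host silences it, while the baseline check fires on the jump relative to that destination's own history regardless of source count.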