this rule would help determine if a DDoS attempt is or isn't occurring.
Something like this?
search for web page hits | bin span=1m _time | stats count by _time uri | where count > 120
That'd give you a list of URIs that had an average of over two hits per second along with the minute in which that occurred.
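The same per-minute bucketing run outside Splunk, as an added example that is not part of the original answer: it bins constructed access-log lines by minute, counts per URI, and keeps buckets over 120. The combined log format, the sample lines, and the function names `busy_uris` and `sample_lines` are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Pulls the timestamp and request path out of a combined-format access log line.
LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?:[A-Z]+) (?P<uri>\S+)')


def busy_uris(lines, threshold=120):
    """Return {(minute, uri): count} for every bucket with count > threshold."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request record
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        minute = ts.replace(second=0, microsecond=0)  # bin span=1m _time
        counts[(minute, m.group("uri"))] += 1         # stats count by _time uri
    return {k: v for k, v in counts.items() if v > threshold}  # where count > 120


def sample_lines():
    """Constructed log lines: documentation IP range, made-up paths."""
    base = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '203.0.113.{ip} - - [{ts}] "GET {uri} HTTP/1.1" 200 512'
    # (uri, offset in seconds from base, number of hits spread over one minute)
    plan = [("/login", 0, 150), ("/index.html", 0, 120), ("/login", 60, 30)]
    lines = []
    for uri, offset, n in plan:
        for i in range(n):
            ts = base + timedelta(seconds=offset + (i * 60) // n)
            lines.append(fmt.format(ip=i % 250 + 1, uri=uri,
                                    ts=ts.strftime("%d/%b/%Y:%H:%M:%S %z")))
    return lines


if __name__ == "__main__":
    for (minute, uri), count in sorted(busy_uris(sample_lines()).items()):
        print(minute.isoformat(), uri, count)
```

In the constructed data, `/index.html` gets exactly 120 hits in the minute and is not reported, because the condition is strictly greater than 120.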