If the following search shows the top 5 source IPs:
host="1.1.1.1" firewall OUT=vNic_1 action_abbr=ACCEPT_ | top limit=5 SRC
How can I alert if a single IP is greater than 25% of the events?
Try this (save search as an alert):
host="1.1.1.1" firewall OUT=vNic_1 action_abbr=ACCEPT_ | top limit=5 SRC | where percent > 25