How should I write an Elastic rule that detects excessive denied SMB traffic from a single host?
Hello there,
It is dependent on the data source you are using, but I assume you may be referring to firewall logs due to "denying".
The easiest way would be to use a threshold rule similar to the following:
There are other options as well that may make sense, depending on the data and expectations. The best way to discuss these is directly within our detection-rules repo. If you open an issue, you can collaborate with the team to come up with a solution (and possibly merge into production).
We also have several existing rules which target SMB traffic in various ways.
Hope this helps!
Justin
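As an added illustration of the threshold-rule approach mentioned in the answer (this is example content, not Justin's rule and not a rule from the detection-rules repo), the following is a rule file in the TOML layout that repo uses. It assumes firewall logs normalised to ECS, so that a denied connection carries `event.category:network` and `event.type:denied` and the SMB destination port is in `destination.port`; vendor integrations vary, so those field values are an assumption to verify against your own data. The `rule_id` is a placeholder, and the threshold of 25 denied SMB connections per source in a five-minute window is a constructed starting value, not a recommendation.

```toml
# Example threshold rule (not from the detection-rules repo). Field names and
# values below assume ECS-normalised firewall logs; adjust to your data source.
[metadata]
creation_date = "2024/01/01"   # placeholder date
maturity = "development"
updated_date = "2024/01/01"    # placeholder date

[rule]
author = ["Example Author"]    # placeholder, not Elastic
description = """
Identifies a single source host responsible for an unusually high number of
denied connections to TCP/445 (SMB) within a short window. Repeated denies
from one host can indicate a misconfigured service, a scanning host, or
lateral-movement attempts blocked at the firewall. Review the source host
and the destinations it attempted to reach.
"""
from = "now-6m"                # look back slightly beyond the interval to cover ingest lag
interval = "5m"
index = ["logs-*", "filebeat-*"]   # assumption: where your firewall events land
language = "kuery"
license = "Elastic License v2"
name = "Excessive Denied SMB Connections from a Single Host"
risk_score = 21
rule_id = "00000000-0000-0000-0000-000000000000"   # placeholder, generate a real UUID
severity = "low"
tags = ["Domain: Network", "Use Case: Threat Detection", "Rule Type: Threshold"]
type = "threshold"

# KQL: denied network events to the SMB port. event.type "denied" is the ECS
# value for blocked connections; some integrations only populate event.action
# (e.g. "deny"), so check which field your firewall integration fills in.
query = '''
event.category:network and event.type:denied and
destination.port:445 and source.ip:*
'''

# Group by the source address and alert once a single source exceeds the count.
[rule.threshold]
field = ["source.ip"]
value = 25   # constructed starting threshold; tune against your baseline
```

When tuning, run the query alone in Discover first to confirm the fields match your events, then look at the distribution of denies per `source.ip` over a normal week before settling on `value`; a threshold that sits just above the noisiest legitimate host (backup servers and vulnerability scanners are common) keeps the rule useful without paging on routine traffic.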