There are two primary knobs for this search: the categories you include in the filter, and the number of denies you want to trigger on. There is no standard best practice for either, so adjust both to whatever makes sense for your organization. The most common way we hear this detection described is as a hunt for suspicious internal users, so most organizations set the filters to look for Acceptable Use Policy violations (e.g., browsing gambling sites) rather than denies tied to security hygiene (e.g., phishing). That said, you could absolutely implement it in both directions if you wanted to. The trigger threshold would likely differ between those two uses, though: a human will usually give up fairly quickly after seeing a few deny pages, whereas a script that gets timeouts instead of a big error message will keep retrying and rack up far more denies.
If this search creates too many false positives in your environment, it may be because some of your users simply generate a very large number of proxy denies on a regular basis. The first thing to try is basic tuning of the categories you alert on. If that is not sufficient, you can instead implement this as a per-user time series detection: compute the number of denies per day per user, and alert when any user exceeds their own baseline. You can base this on any of the time series detections in Splunk Security Essentials; a common and easy one to adapt is Increase in Interactive Logons (swap out the field names and the base dataset and the implementation is straightforward). There is one important adjustment needed to make that work here. Because most users rarely see proxy denies, most of them will end up with very low averages and very low standard deviations, so even a single deny can land many standard deviations above a user's baseline. To guard against this, in addition to requiring that the most recent day's deny count be more than 3 (or 6, or whatever) standard deviations above the user's average, also require that it be more than 5 (or 10, or whatever) in absolute terms. That way you don't alert on a user who just had one deny, no matter how anomalous one deny is for that user.
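As an added example (not code from Splunk Security Essentials or from the original page), here is the logic of both variants in Python over constructed proxy events: the fixed deny-count threshold from the first paragraph, and the per-user baseline from the second, with the standard deviation multiple and the absolute floor applied together. The category names, the event field layout and the sample data are all assumptions made for illustration.

```python
"""Per-user proxy-deny detection: a fixed threshold, and a per-user baseline
that requires both a stdev multiple and an absolute floor.

Added example, not from Splunk Security Essentials; the log layout,
category names and sample data below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Categories treated as Acceptable Use Policy violations (assumed names).
AUP_CATEGORIES = {"gambling", "adult", "games"}


def _events(user, per_day, category="gambling"):
    """Expand a per-day deny count list into one (day, user, category, action)
    tuple per deny. Days are 1-based; the highest day is 'most recent'."""
    return [(day, user, category, "blocked")
            for day, n in enumerate(per_day, start=1) for _ in range(n)]


# Constructed sample events, one tuple per proxy log line.
EVENTS = (
    # alice: a deny here and there; day 7 is anomalous for her but tiny.
    _events("alice", [0, 1, 0, 0, 1, 0, 2])
    # bob: quiet baseline, then a burst on the most recent day.
    + _events("bob", [1, 2, 1, 1, 2, 1, 12])
    # carol: a chronic AUP case who hits the filter heavily every day.
    + _events("carol", [21, 19, 22, 20, 18, 23, 22])
    # Noise that the category/action filter must drop: security-hygiene
    # denies (phishing) and allowed requests.
    + [(7, "bob", "phishing", "blocked")] * 40
    + [(7, "alice", "news", "allowed")] * 5
)


def denies_per_user_day(events, categories=AUP_CATEGORIES):
    """Count denies in the target categories, keyed user -> day -> count."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, category, action in events:
        if action == "blocked" and category in categories:
            counts[user][day] += 1
    return counts


def fixed_threshold(counts, day, threshold):
    """The simple detection: users with more than `threshold` denies on `day`."""
    return sorted(u for u, per_day in counts.items()
                  if per_day.get(day, 0) > threshold)


def baseline_outliers(counts, stdev_mult=3.0, min_denies=5):
    """The time series variant: flag a user whose most recent day is more than
    `stdev_mult` standard deviations above their own prior days AND is at
    least `min_denies`, so one deny for a normally quiet user never alerts.

    Days with no denies count as 0 in the baseline, which is what drives the
    tiny averages and standard deviations the floor guards against."""
    latest_day = max(d for per_day in counts.values() for d in per_day)
    flagged = {}
    for user, per_day in counts.items():
        history = [per_day.get(d, 0) for d in range(1, latest_day)]
        if not history:  # no prior days to baseline against
            continue
        latest = per_day.get(latest_day, 0)
        avg, sd = mean(history), pstdev(history)
        if latest > avg + stdev_mult * sd and latest >= min_denies:
            flagged[user] = {"latest": latest,
                             "avg": round(avg, 2),
                             "stdev": round(sd, 2)}
    return flagged


if __name__ == "__main__":
    counts = denies_per_user_day(EVENTS)
    print("fixed threshold (>10 on day 7):", fixed_threshold(counts, 7, 10))
    print("baseline outliers (3 stdev, floor 5):", baseline_outliers(counts))
    print("baseline outliers without floor:",
          baseline_outliers(counts, min_denies=1))
```

Running it shows the three behaviours the text describes: the fixed threshold catches bob and the chronically noisy carol; the baseline variant catches only bob, because carol's day is within her own (high) baseline; and dropping the floor to 1 would also flag alice, whose two denies are more than 3 standard deviations above a baseline of almost zero.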