It will depend heavily on the site type and what are you looking for. We need to detect abnormal behavior.
For a small site, a peak of 30% increase in GB consumption might present a problem, but for an eCommerce or media site that's pretty normal. On our normal threshold for media sites, we use a 100% increase in requests and bandwidth for a 2 hours duration minimal as an alert, and most of the times it's a false positive, just a traffic fluctuation.
I think the key is, is the traffic fluctuation something that has happened before? are requests consistent with the bandwidth usage?
I'm available to explore options.