I have been wrapping my head around how to create an incident when some client IP address is making a huge amount of calls to the monitored site, and how we could make a business transaction which would show the client IP that is making the calls.
The purpose would be to catch the situations when someone is scanning the site and the call amount is abnormal compared to the normal situation.
Try creating a Visit BT with a filter on Web Request - URI Pattern to only consider calls to the site you mention, split by Web Requests - Client IP Address. The threshold of the Web Request - URI Pattern should be set to what you consider an abnormally high amount of calls to the website. The incident can then be created on the Visit Count measure of the BT with a threshold of 1 (since we're interested in capturing any such client); I would set the timeframe to 1 min / 5 min.
My logic behind this is that a 'scanner' will perform all of its actions in bulk within that same visit, so we're counting the number of requests within a visit from an IP. If this were a Server-side BT, we wouldn't be able to narrow BT results to only high numbers of calls, as the filter is applied per PurePath (and these calls would most likely end up generating separate PurePaths), and would probably end up in a measure explosion due to the splitting by client.
Try this configuration at first with a threshold that you can breach through testing (maybe run a test against your website to generate a few more calls than your average user) and see if the reporting suits your needs, then increase to the value which would indicate a 'scanner'.
Hope this helps.
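To make the logic of that answer concrete outside the AppMon UI, here is an added example (my own code, not from this thread and not a Dynatrace API) that applies the same three ingredients to ordinary access-log lines: a URI pattern filter, a split by client IP address, and a request count per client within a time window. The log lines, IP addresses and paths are constructed for the example; the window and threshold are the knobs the answer tells you to tune. The per-IP state dictionary is also a small illustration of the "measure explosion" point: it grows with the number of distinct clients you split by.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines in Common Log Format (not from the thread).
# 203.0.113.7 fires six requests at /shop/ in under a minute, 192.0.2.10 browses
# normally, and 198.51.100.5 only touches a path outside the monitored URI pattern.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:00 +0000] "GET /shop/index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /shop/index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /shop/item/1 HTTP/1.1" 200 812
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /shop/item/2 HTTP/1.1" 200 812
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /shop/item/3 HTTP/1.1" 404 210
198.51.100.5 - - [10/Oct/2023:13:55:05 +0000] "GET /blog/post/1 HTTP/1.1" 200 3000
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "GET /shop/item/4 HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "GET /shop/item/5 HTTP/1.1" 200 812
192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET /shop/cart HTTP/1.1" 200 2400
203.0.113.7 - - [10/Oct/2023:13:58:30 +0000] "GET /shop/index.html HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_log(text):
    """Return a time-sorted list of (timestamp, client_ip, uri); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m.group("ip"), m.group("uri")))
    events.sort(key=lambda e: e[0])
    return events


def requests_per_client(events, uri_pattern, window_seconds):
    """Peak number of matching requests per client IP within any sliding window.

    uri_pattern plays the role of the BT's 'URI Pattern' filter and the per-IP
    dictionaries play the role of the 'Client IP Address' split.
    """
    uri_re = re.compile(uri_pattern)
    recent = defaultdict(deque)  # timestamps still inside the window, one deque per IP
    peak = defaultdict(int)      # one entry per distinct client: this is the split state
    for ts, ip, uri in events:
        if not uri_re.search(uri):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def flag_scanners(events, uri_pattern, window_seconds, threshold):
    """Clients whose peak count reaches the threshold, highest first.

    The incident condition from the answer ('Visit Count >= 1' on the filtered BT)
    reduces to: this list is non-empty.
    """
    peak = requests_per_client(events, uri_pattern, window_seconds)
    return sorted(((ip, n) for ip, n in peak.items() if n >= threshold),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, n in flag_scanners(evs, r"^/shop/", window_seconds=60, threshold=5):
        print(f"{ip}: {n} requests to /shop/ within 60 s")
```

Run it as-is and only 203.0.113.7 is reported (six requests to /shop/ inside one minute); lower the threshold to 2 and the normal browser 192.0.2.10 is reported too, which is the same tuning exercise the answer suggests doing against your own site before settling on a value.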
We don't have the UEM with this particular customer, so I'm relaying what we can do with server-side PurePaths, and in our case these requests are coming in as separate PurePaths. Luckily we are using DC RUM with them also, so we can have baseline-based alerts through that one too, but the AppMon part would just be the final frontier to catch these.
"If this were a Server-side BT, we wouldn't be able to narrow BT results to only high numbers of calls as the filter is applied per PurePath (which most likely calls would end up generating separate PurePaths) and would probably end up in a measure explosion due to the splitting by client."
Yes, this is important if a lot of traffic is seen from a large number of IPs - unfortunately, not storing in the Performance Warehouse means incidents can't be triggered for that business transaction. I've seen some people play around with this but not any great methods of alerting on it - mainly some will just review it at certain periods to see if there are any unusual traffic patterns.