Thanks, Hallett! I had initially wanted to try your first approach, but with a narrower rule. This service has multiple callers, but the caller I'm interested in is low volume (240-ish requests a day). The challenge is we were not seeing a good way to filter down to just the low-volume caller. I may have found an HTTP Request header I can filter on, so I'm running a transaction discovery now to see if I can grab just those transactions. If I can get only those transactions into a filter, I think I can do that first approach b/c 240/day is pretty low. Does that sound like a good approach? It would be nice if we could filter on source IP range. I don't think there is a way to do that in the specifications to split out rules on a URL based on source IP range.