How are other customers tuning the UBA Bulk Upload (and Download)? These 2 policeis seem to be the noisiest and have the most "false positives". There is no way that I can tell to have an exception for specific apps. For example, the Brave sync applications. This local app is constantly uploading small data about its browser (for sync purposes). I would love to exempt that from the Bulk Upload UBA policy.
Does the sync use the same process or URL as other services such as the Brave browser itself? If it's unique or a unique URL, perhaps you could bypass that particular traffic from steering or SSL inspection so we don't see the repeated uploads. If this is interesting traffic that you would still like to inspect I've passed this thread along to some of our internal UEBA experts to see what guidance they may have. I will reply back once I've got some additional insight.
Sam Shiflett Netskope Solution Architect - North America
@nduda R106 introduces an option to exclude particular apps from UEBA policies which should match your exact use case. Hopefully this helps!
Support App Exclusion In Application Filter UEBA supports a setting for excluding applications for predefined and custom UEBA policies. This allows selection of specific applications to exclude from evaluation for predefined and custom UEBA policies.