How are other customers tuning the UBA Bulk Upload (and Download)? These 2 policeis seem to be the noisiest and have the most "false positives". There is no way that I can tell to have an exception for specific apps. For example, the Brave sync applications. This local app is constantly uploading small data about its browser (for sync purposes). I would love to exempt that from the Bulk Upload UBA policy.
Hello @nduda,
Does the sync use the same process or URL as other services such as the Brave browser itself? If it's unique or a unique URL, perhaps you could bypass that particular traffic from steering or SSL inspection so we don't see the repeated uploads. If this is interesting traffic that you would still like to inspect I've passed this thread along to some of our internal UEBA experts to see what guidance they may have. I will reply back once I've got some additional insight.
@nduda R106 introduces an option to exclude particular apps from UEBA policies which should match your exact use case. Hopefully this helps!
Support App Exclusion In Application Filter
UEBA supports a setting for excluding applications for predefined and custom UEBA policies. This allows selection of specific applications to exclude from evaluation for predefined and custom UEBA policies.
Reply
Login to the community
If you haven't already registered, now is a good time to do so. After you register, you can post to the community, receive email notifications, and lots more. It's quick and it's free! Create an account
Login with SSO
Employee Partneror
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.