Ultrasurf is a desktop VPN which can be used to avoid firewalls blocking the traffic.  This can allow malware to ingress or allow sensitive information to egress. Identifying the VPN would help to find systems with the application installed.  This also holds true for other VPNs, not just Ultrasurf. 

Ultrasurf, or other VPNs, are just another application.  The filter application_id=Ultrasurf is sufficient to identify the traffic as it is one of thousands of applications we have identifying fingerprints for.

Add application_id=Ultrasurf to any filter bar search or to a favorite for creating a rule for the traffic.