[DLP] AI context analysis (#21055)

maxvp · KianNH · commit 0ac6c7a5cf5c · 2025-03-26T19:35:24.000Z
* Remove first match note

* Rename confidence levels --&gt; confidence thresholds

* Remove old context analysis section

* Add additional context

* Add how to report true/false positives

* Fix broken links in changelog

* Discard changes to src/content/release-notes/dlp.yaml

* Remove redirects

* Add procedure for editing profile settings

* Add procedure for setting up AI

* Add confidence levels redirect

* Discard changes to public/__redirects
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx
@@ -43,12 +43,25 @@ Data Loss Prevention will now store a portion of the payload for HTTP requests t
 3. Select **Decrypt Payload Log**.
 4. Enter your private key and select **Decrypt**.
 
-You will see the [ID of the matched DLP Profile](/api/resources/zero_trust/subresources/dlp/subresources/profiles/methods/list/) followed by the decrypted payload. Note that DLP currently logs only the first match.
+You will see the [ID of the matched DLP Profile](/api/resources/zero_trust/subresources/dlp/subresources/profiles/methods/list/) followed by the decrypted payload.
 
 :::note
-Neither the key nor the decrypted payload will be stored by Cloudflare.
+Cloudflare does not store the key or the decrypted payload.
 :::
 
+### Report false and true positives to AI context analysis
+
+When you have [AI context analysis](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#ai-context-analysis) turned on for a DLP profile, you can train the AI model to adjust its confident threshold by reporting false and true positives.
+
+To report a DLP match payload as a false or true positive:
+
+1. [Find and decrypt](#4-view-payload-logs) the payload log you want to report.
+2. In **Log details**, choose a detected context match.
+3. In **Context**, select the redacted match data.
+4. In **Match details**, choose whether you want to report the match as a false positive or a true positive.
+
+Based on your report, DLP's machine learning will adjust its confidence in future matches for the associated profile.
+
 ### Data privacy
 
 - All Cloudflare logs are encrypted at rest. Encrypting the payload content adds a second layer of encryption for the matched values that triggered a DLP rule.
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx
@@ -7,58 +7,73 @@ sidebar:
 
 import { Badge } from "~/components";
 
-This page lists the advanced settings available when configuring a [predefined](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/) or [custom](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile) DLP profile.
+This page lists the profile settings available when configuring a [predefined](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/) or [custom](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile) DLP profile. You can configure profile settings when you create a custom profile or [edit profile settings](#edit-profile-settings) for an existing predefined or custom profile.
 
-## Match count
+## Edit profile settings
+
+To edit profile settings for an existing predefined or custom DLP profile:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **DLP profiles**.
+2. Choose a profile, then select **Edit**.
+3. In **Settings**, configure the [settings](#available-settings) for your profile.
+4. Select **Save profile**.
+
+## Available settings
+
+The following advanced detection settings are available for predefined and custom DLP profiles.
+
+### Match count
 
 Match count refers to the number of times that any enabled entry in the profile can be detected before an action is triggered, such as blocking or logging. For example, if you select a match count of 10, the scanned file or HTTP body must contain 11 or more matching strings. Detections do not have to be unique.
 
-## Confidence levels
+### Optical Character Recognition (OCR)
 
-Confidence levels indicate how confident Cloudflare DLP is in a DLP detection. DLP determines the confidence by inspecting the content for proximity keywords around the detection.
+Optical Character Recognition (OCR) analyzes and interprets text within image files. When used with DLP profiles, OCR can detect sensitive data within images your users upload.
 
-Confidence level is set on the DLP profile. When you select a confidence level in Zero Trust, you will see which DLP entries will be affected by the confidence level. Entries that do not reflect a confidence level in Zero Trust are not yet supported or are not applicable.
+OCR supports scanning `.jpg`/`.jpeg` and `.png` files between 4 KB and 1 MB in size. Text is encoded in UTF-8 format, including support for non-Latin characters.
 
-DLP confidence detections consist of Low, Medium, and High confidence levels. DLP will default to Low confidence detections, which are based on regular expressions, require few keywords, and will trigger more often. Medium and High confidence detections require more keywords, will trigger less often, and have a higher likelihood of accuracy.
+### AI context analysis <Badge text="Beta" variant="caution" size="small" /> {/* ai-context-analysis */}
 
-To change the confidence level of a DLP profile:
+:::note
+AI context analysis only supports Gateway HTTP and HTTPS traffic.
+:::
 
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **DLP profiles**.
-2. Select the profile, then select **Edit**.
-3. In **Advanced settings** > **Confidence Level**, choose a new confidence level from the dropdown menu.
+AI context analysis uses machine learning to analyze and adjust the confidence in a detection based on its surrounding context. DLP will log any matches that are above your confidence threshold.
 
-Setting the confidence to Low will also consider Medium and High confidence detections as matches. Setting the confidence to Medium or High will filter out lower confidence detections.
+DLP submits the context as an AI text embedding vector to [Cloudflare Workers AI](/workers-ai/). Vectors are stored in a database bucket for up to six months, along with relevant metadata from the HTTP request including the URL, HTTP method, matching DLP profile, and Gateway request ID.
 
-### Gateway detections
+To use AI context analysis:
 
-For inline detections in Gateway, to display Low and Medium confidence detections but block High confidence detections, Cloudflare recommends creating two HTTP policies. The first policy should use a Low confidence DLP profile with an Allow action. The second policy should use a High confidence DLP profile with a Block action. For example:
+1. Turn on **AI context analysis** in a DLP profile.
+2. [Add the profile](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy) to a DLP policy.
+3. When configuring the DLP policy, turn on [payload logging](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules).
 
-| Selector    | Operator | Value                       | Action |
-| ----------- | -------- | --------------------------- | ------ |
-| DLP Profile | in       | _Low Confidence Detections_ | Allow  |
+AI context analysis results will appear in the payload section of your [DLP logs](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#4-view-dlp-logs). To further train the machine learning model, you need to [report false and true positives](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#report-false-and-true-positives-to-ai-context-analysis).
 
-| Selector    | Operator | Value                        | Action |
-| ----------- | -------- | ---------------------------- | ------ |
-| DLP Profile | in       | _High Confidence Detections_ | Block  |
+### Confidence thresholds
 
-## Optical Character Recognition (OCR) <Badge text="Beta" variant="caution" size="small" /> {/* optical-character-recognition-ocr */}
+Confidence thresholds indicate how confident Cloudflare DLP is in a DLP detection. DLP determines the confidence by inspecting the content for proximity keywords around the detection.
 
-Optical Character Recognition (OCR) analyzes and interprets text within image files. When used with DLP profiles, OCR can detect sensitive data within images your users upload.
+Confidence threshold is set on the DLP profile. When you select a confidence threshold in Zero Trust, you will see which DLP entries will be affected by the confidence threshold. Entries that do not reflect a confidence threshold in Zero Trust are not yet supported or are not applicable.
 
-OCR supports scanning `.jpg`/`.jpeg` and `.png` files between 4 KB and 1 MB in size. Text is encoded in UTF-8 format, including support for non-Latin characters.
+DLP confidence detections consist of Low, Medium, and High confidence thresholds. DLP will default to Low confidence detections, which are based on regular expressions, require few keywords, and will trigger more often. Medium and High confidence detections require more keywords, will trigger less often, and have a higher likelihood of accuracy.
 
-## Context analysis <Badge text="Deprecated" variant="caution" size="small" /> {/* context-analysis */}
+To change the confidence threshold of a DLP profile:
 
-:::caution
-Context analysis has been superseded by [confidence levels](#confidence-levels). DLP will migrate users who had context analysis turned on to confidence levels where applicable.
-:::
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **DLP profiles**.
+2. Select the profile, then select **Edit**.
+3. In **Settings** > **Confidence threshold**, choose a new confidence threshold from the dropdown menu.
 
-When it was available, context analysis restricted detections based on proximity keywords to prevent false positives. Proximity keywords had to be detected within a distance of 1000 bytes (~1000 characters) from the original detection to trigger an context-aware detection. For example, the string `123-45-6789` only counted as a detection if in proximity to keywords such as `ssn`.
+Setting the confidence to Low will also consider Medium and High confidence detections as matches. Setting the confidence to Medium or High will filter out lower confidence detections.
 
-DLP applied context analysis to traffic and the content of [supported files](/cloudflare-one/policies/data-loss-prevention/#supported-file-types). Supported detections included the [Financial Information](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#financial-information) and [Social Security, Insurance, Tax, and Identifier Numbers](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#social-security-insurance-tax-and-identifier-numbers) predefined profiles.
+#### Gateway detections
 
-### Exclude files from context analysis
+For inline detections in Gateway, to display Low and Medium confidence detections but block High confidence detections, Cloudflare recommends creating two HTTP policies. The first policy should use a Low confidence DLP profile with an Allow action. The second policy should use a High confidence DLP profile with a Block action. For example:
 
-You could exclude the content of files from context analysis while still applying context analysis to traffic. For example, if you sent an email containing the string `123-45-6789`, DLP only counted a detection if the string was in proximity to keywords such as `ssn`. If you included a file in an email containing the string `123-45-6789`, DLP matched a detection regardless of keywords.
+| Selector    | Operator | Value                       | Action |
+| ----------- | -------- | --------------------------- | ------ |
+| DLP Profile | in       | _Low Confidence Detections_ | Allow  |
 
-To exclude file content from context analysis, in **Exclude content type**, choose _Files_.
+| Selector    | Operator | Value                        | Action |
+| ----------- | -------- | ---------------------------- | ------ |
+| DLP Profile | in       | _High Confidence Detections_ | Block  |
diff --git a/src/content/partials/cloudflare-one/data-loss-prevention/custom-profile.mdx b/src/content/partials/cloudflare-one/data-loss-prevention/custom-profile.mdx
@@ -1,35 +1,31 @@
 ---
 {}
-
 ---
 
-import { Details } from "~/components"
+import { Details } from "~/components";
 
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **DLP Profiles**.
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **DLP profiles**.
 
 2. Select **Create profile**.
 
 3. Enter a name and optional description for the profile.
 
 4. Add custom or existing detection entries.
 
-
    <Details header="Add a custom entry">
 
    1. Select **Add custom entry** and give it a name.
 
    2. In **Value**, enter a regular expression (or regex) that defines the text pattern you want to detect. For example, `test\d\d` will detect the word `test` followed by two digits.
 
-      * Regular expressions are written in Rust. We recommend validating your regex with [Rustexp](https://rustexp.lpil.uk/).
-      * DLP detects UTF-8 characters, which can be up to 4 bytes each. Custom text pattern detections are limited to 1024 bytes in length.
-      * DLP does not support regular expressions with `+` or `*` operators because they are prone to exceeding the length limit. For example, the regex pattern `a+` can detect an infinite number of `a` characters. We recommend using `a{min,max}` instead, such as `a{1,1024}`.
+      - Regular expressions are written in Rust. We recommend validating your regex with [Rustexp](https://rustexp.lpil.uk/).
+      - DLP detects UTF-8 characters, which can be up to 4 bytes each. Custom text pattern detections are limited to 1024 bytes in length.
+      - DLP does not support regular expressions with `+` or `*` operators because they are prone to exceeding the length limit. For example, the regex pattern `a+` can detect an infinite number of `a` characters. We recommend using `a{min,max}` instead, such as `a{1,1024}`.
 
    3. To save the detection entry, select **Done**.
 
-
    </Details>
 
-
    <Details header="Add existing entries">
 
    Existing entries include [predefined detection entries](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/) and [DLP datasets](/cloudflare-one/policies/data-loss-prevention/datasets/).
@@ -38,9 +34,8 @@ import { Details } from "~/components"
    2. Choose which entries you want to add, then select **Confirm**.
    3. To save the detection entry, select **Done**.
 
-
    </Details>
 
-5. (Optional) Configure [**Advanced settings**](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/) for the profile.
+5. (Optional) Configure [**profile settings**](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/) for the profile.
 
 6. Select **Save profile**.
diff --git a/src/content/partials/cloudflare-one/data-loss-prevention/predefined-profile.mdx b/src/content/partials/cloudflare-one/data-loss-prevention/predefined-profile.mdx
@@ -2,7 +2,7 @@
 {}
 ---
 
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **DLP Profiles**.
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **DLP profiles**.
 2. Choose a [predefined profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/) and select **Configure**.
 3. Enable one or more **Detection entries** according to your preferences. The DLP Profile matches using the OR logical operator — if multiple entries are enabled, your data needs to match only one of the entries.
 4. Select **Save profile**.
