[DLP] Fingerprinting (#23614)

* Initial commit

* Add upload section

* Add management section

* Change document path

* Update procedure

* Apply suggestions

* Fix broken links

Author: maxvp

public/__redirects

@@ -2185,6 +2185,7 @@
 /cloudflare-one/policies/browser-isolation/agentless/* /cloudflare-one/policies/browser-isolation/setup/:splat 301
 /cloudflare-one/policies/filtering/http-policies/data-loss-prevention/* /cloudflare-one/policies/data-loss-prevention/ 301
 /cloudflare-one/policies/data-loss-prevention/configuration-guides/* /cloudflare-one/policies/data-loss-prevention/dlp-policies/common-policies/ 301
+/cloudflare-one/policies/data-loss-prevention/datasets/* /cloudflare-one/policies/data-loss-prevention/detection-entries/:splat 301
 
 # Learning paths
 

src/content/changelog/dlp/2025-05-12-case-sensitive-cwl.mdx

@@ -4,6 +4,6 @@ description: Custom Word Lists can now be configured to enforce case sensitivity
 date: 2025-05-12
 ---
 
-You can now configure [custom word lists](/cloudflare-one/policies/data-loss-prevention/datasets/#custom-wordlist) to enforce case sensitivity. This setting supports flexibility where needed and aims to reduce false positives where letter casing is critical.
+You can now configure [custom word lists](/cloudflare-one/policies/data-loss-prevention/detection-entries/#custom-wordlist) to enforce case sensitivity. This setting supports flexibility where needed and aims to reduce false positives where letter casing is critical.
 
 ![dlp](~/assets/images/changelog/dlp/case-sesitive-cwl.png)

src/content/docs/cloudflare-one/applications/casb/casb-dlp.mdx

@@ -19,7 +19,7 @@ You can use [Cloudflare Data Loss Prevention (DLP)](/cloudflare-one/policies/dat
 
 ## Configure a DLP profile
 
-You may either use DLP profiles predefined by Cloudflare, or create your own custom profiles based on regex, predefined detection entries, and DLP datasets.
+You may either use DLP profiles predefined by Cloudflare, or create your own custom profiles based on regex, predefined detection entries, datasets, and document fingerprints.
 
 ### Configure a predefined profile
 

src/content/docs/cloudflare-one/changelog/dlp.mdx

@@ -35,7 +35,7 @@ In addition to [logging the payload](/cloudflare-one/policies/data-loss-preventi
 
 **Exact Data Match multi-entry upload support**
 
-You can now upload files with [multiple columns of data](/cloudflare-one/policies/data-loss-prevention/datasets/#upload-a-new-dataset) as Exact Data Match datasets. DLP can use each column as a separate existing detection entry.
+You can now upload files with [multiple columns of data](/cloudflare-one/policies/data-loss-prevention/detection-entries/#upload-a-new-dataset) as Exact Data Match datasets. DLP can use each column as a separate existing detection entry.
 
 ## 2024-05-23
 

src/content/docs/cloudflare-one/policies/data-loss-prevention/datasets.mdx

@@ -0,0 +1,134 @@
+---
+pcx_content_type: concept
+title: Detection entries
+sidebar:
+  order: 4
+---
+
+import { Details } from "~/components";
+
+Cloudflare DLP can scan your web traffic and SaaS applications for specific data defined in custom detection entries. Detection entries allow you to define custom data patterns for DLP to detect using [DLP profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/). Detection entries include custom [datasets](#datasets) with defined data and [document entries](#documents) with example fingerprints.
+
+You can configure sensitive data to be hashed before reaching Cloudflare and redacted from matches in [payload logs](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules).
+
+## Datasets
+
+You can create and upload custom datasets to scan for specific matching data.
+
+### Dataset types
+
+#### Exact Data Match
+
+Exact Data Match (EDM) protects sensitive information, such as names, addresses, phone numbers, and credit card numbers.
+
+All data in uploaded EDM datasets is encrypted before reaching Cloudflare. To detect matches, Cloudflare hashes traffic and compares it to hashes from your dataset. Matched data will be redacted in payload logs.
+
+#### Custom Wordlist
+
+Custom Wordlist (CWL) protects non-sensitive data, such as intellectual property and SKU numbers. Optionally, CWL can detect case-sensitive data.
+
+Cloudflare stores data from CWL datasets within DLP. Plaintext matches appear in payload logs.
+
+### Prepare DLP datasets
+
+#### Formatting
+
+To prepare a dataset for DLP, add your desired data to a single-column spreadsheet. Each line must be at least six characters long. Entries do not require trailing or final commas.
+
+For compatibility, save your file in either `.csv` or `.txt` format with LF (`\n`) newline characters. DLP does not support CRLF (`\r\n`) newline characters. For information on dataset limits, refer to [Account limits](/cloudflare-one/account-limits/#data-loss-prevention-dlp).
+
+#### Column title cells
+
+Column title cells may result in false positives in Custom Wordlist datasets and should be removed.
+
+DLP will detect and use title cells as column names for Exact Data Match datasets. If multiple columns have the same name, DLP will append a number sign (`#`) and number to their names.
+
+:::caution[Update EDM datasets]
+To select which Exact Data Match columns to use, you will need to [reupload any EDM datasets](#manage-existing-datasets) added prior to column support.
+:::
+
+### Upload a new dataset
+
+<Details header="Upload an Exact Data Match dataset">
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **Detection entries**.
+2. Go to **Datasets**.
+3. Select **Add a dataset**. In **Exact Data Match (EDM)**, choose **Select**.
+4. Upload your dataset file. Select **Next**.
+5. Review and choose the detected columns you want to include. Select **Next**.
+6. Name your dataset. Optionally, add a description. Select **Next**.
+7. Review the details for your uploaded dataset. Select **Save dataset**.
+
+DLP will encrypt your dataset and save its hash.
+
+</Details>
+
+<Details header="Upload a Custom Wordlist dataset">
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **Detection entries**.
+2. Go to **Datasets**.
+3. Select **Add a dataset**. In **Custom Wordlist (CWL)**, choose **Select**.
+4. Name your dataset. Optionally, add a description.
+5. (Optional) In **Settings**, turn on **Enforce case sensitivity** to require matched values to contain exact capitalization.
+6. In **Upload file**, choose your dataset file.
+7. Select **Save**.
+
+DLP will save your dataset in cleartext.
+
+</Details>
+
+The dataset will appear in the list with an **Uploading** status. Once the upload is complete, the status will change to **Complete**. To use your uploaded dataset, add it as an existing entry to a [custom DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile).
+
+### Manage existing datasets
+
+Uploaded DLP datasets are read-only. To update a dataset, you must upload a new file to replace the original.
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **DLP datasets**.
+2. Select the dataset you want to update.
+3. Select **Upload dataset** and choose your updated dataset. Select **Next**.
+4. If your select dataset is an Exact Data Match dataset, review and choose the new columns. Select **Next**.
+5. Select **Save dataset**.
+
+Your new dataset will replace the original dataset.
+
+:::caution[Remove existing column entries]
+If you want to update an Exact Data Match dataset to remove a column in use as an [existing detection entry](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile), you must remove the existing entry from any custom DLP profiles using it before updating the dataset.
+:::
+
+## Documents
+
+You can upload example documents to scan for unstructured data or specific document types common to your organization. DLP will create a unique fingerprint of the document and detect patterns in your organization's traffic based on how similar it is to the original fingerprint.
+
+DLP stores uploaded documents encrypted at rest in a [Cloudflare R2](/r2/) bucket. To upload sensitive data that is only stored in memory, use [Exact Data Match](#exact-data-match).
+
+### Prepare document entries
+
+DLP supports documents in `.docx` and `.txt` format. Documents must be under 10 MB.
+
+### Upload a new document entry
+
+To upload a new document entry to DLP:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **Detection entries**.
+2. Go to **Documents**.
+3. Select **Add a document entry**.
+4. Name your document. Optionally, add a description.
+5. In **Minimum similarity for matches**, enter a value between 0% and 100%.
+6. In **Upload document**, choose and upload your document file.
+7. Select **Save**.
+
+The document will appear in the list with a **Pending** status. Once the upload is complete, the status will change to **Complete**. If you created a document entry with Terraform, the status will be **No file** until you upload a file.
+
+To use your uploaded document fingerprint, add it as an existing entry to a [custom DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile).
+
+### Manage existing document entries
+
+Uploaded document entries are read-only. To update a document entry, you must upload a new file to replace the original.
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **Detection entries**.
+2. Choose the document you want to update and select **Edit**.
+3. (Optional) Update the name and minimum similarity for matches for your document entry. You can also open the existing uploaded document.
+4. In **Update document entry**, choose and upload your updated document file.
+5. Select **Save**.
+
+Your new document entry will replace the original document entry. If your file upload fails, DLP will still use the original document fingerprint to scan traffic until you delete the entry.

src/content/docs/cloudflare-one/policies/data-loss-prevention/detection-entries.mdx

@@ -67,7 +67,7 @@ Based on your report, DLP's machine learning will adjust its confidence in futur
 - All Cloudflare logs are encrypted at rest. Encrypting the payload content adds a second layer of encryption for the matched values that triggered a DLP rule.
 - Cloudflare cannot decrypt encrypted payloads, since this operation requires your private key. Cloudflare staff will never ask for the private key.
 - DLP will redact all predefined alphanumeric characters in the log. For example, `123-45-6789` will become `XXX-XX-XXXX`.
-  - You can define sensitive data with [Exact Data Match (EDM)](/cloudflare-one/policies/data-loss-prevention/datasets/#exact-data-match). EDM match logs will redact your defined strings.
+  - You can define sensitive data with [Exact Data Match (EDM)](/cloudflare-one/policies/data-loss-prevention/detection-entries/#exact-data-match). EDM match logs will redact your defined strings.
 
 ## Send DLP forensic copies to Logpush destination
 

src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx

@@ -8,7 +8,7 @@ sidebar:
 
 import { Render } from "~/components";
 
-A DLP profile is a collection of detection entries (regular expressions and [DLP datasets](/cloudflare-one/policies/data-loss-prevention/datasets/)) that define the data patterns you want to detect. Cloudflare DLP provides predefined profiles for common detections, or you can build custom DLP profiles specific to your data, organization, and risk tolerance.
+A DLP profile is a collection of regular expressions and [detection entries](/cloudflare-one/policies/data-loss-prevention/detection-entries/) that define the data patterns you want to detect. Cloudflare DLP provides predefined profiles for common detections, or you can build custom DLP profiles specific to your data, organization, and risk tolerance.
 
 ## Configure a predefined profile