File: src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx
Lines changed: 32 additions & 9 deletions
Original file line number
Diff line number
Diff line change
@@ -5,17 +5,19 @@ sidebar:
5
5
order: 2
6
6
---
7
7
8
-
Data Loss Prevention allows you to capture, store, and view the data that triggered a specific DLP policy for use as forensic evidence. Users on all plans can [log the payload](#log-the-payload-of-matched-rules) of matched HTTP requests in their Cloudflare logs. Additionally, Enterprise users can [configure a Logpush job](#send-http-requests-to-logpush-destination) to send copies of entire matched HTTP requests to storage destinations.
9
-
10
-
## Log the payload of matched rules
8
+
Data Loss Prevention allows you to capture, store, and view the data that triggered a specific DLP policy for use as forensic evidence. Users on all plans can log the [payload](#log-the-payload-of-matched-rules) or [generative AI prompt content](#log-generative-ai-prompt-content) of matched HTTP requests in their Cloudflare logs. Additionally, Enterprise users can [configure a Logpush job](#send-http-requests-to-logpush-destination) to send copies of entire matched HTTP requests to storage destinations.
11
9
12
10
The data that triggers a DLP policy is stored in the portion of the HTTP request known as the payload. Payload logging is especially useful when diagnosing the behavior of DLP policies. Since the values that triggered a rule may contain sensitive data, they are encrypted with a customer-provided public key so that only you can examine them later. The stored data will include a redacted version of the match, plus 75 bytes of additional context on both sides of the match.
13
11
14
-
### 1. Generate a key pair
12
+
## Set a DLP payload encryption public key
13
+
14
+
Before you begin logging DLP payloads, you will need to set a DLP payload encryption public key.
15
15
16
-
Follow [these instructions](/waf/managed-rules/payload-logging/command-line/generate-key-pair/) to generate a public/private key pair in the command line.
16
+
### Generate a key pair
17
17
18
-
### 2. Upload the public key to Cloudflare
18
+
To generate a public/private key pair in the command line, refer to [these instructions](/waf/managed-rules/payload-logging/command-line/generate-key-pair/).
19
+
20
+
### Upload the public key to Cloudflare
19
21
20
22
1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**.
21
23
2. In the **DLP Payload Encryption public key** field, paste your public key.
The matching private key is required to view logs. If you lose your private key, you will need to [generate](#1-generate-a-key-pair) and [upload](#2-upload-the-public-key-to-cloudflare) a new public key. The payload of new requests will be encrypted with the new public key.
26
28
:::
27
29
28
-
### 3. Enable payload logging for a DLP policy
30
+
##Log the payload of matched rules
29
31
30
-
You can enable payload logging for any Allow or Block HTTP policy that uses the [DLP Profile](/cloudflare-one/policies/gateway/http-policies/#dlp-profile) selector.
32
+
DLP can log the payload of matched HTTP requests in your Cloudflare logs.
33
+
34
+
### Turn on payload logging for a DLP policy
35
+
36
+
You can enable payload logging for any Allow or Block HTTP policy that uses the [_DLP Profile_](/cloudflare-one/policies/gateway/http-policies/#dlp-profile) selector.
31
37
32
38
1. Go to **Gateway** > **Firewall policies** > **HTTP**.
33
39
2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy).
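Review bot: the new heading line `##Log the payload of matched rules` is missing the space after `##`, so MDX renders it as a paragraph rather than a heading, and the intro's `[payload](#log-the-payload-of-matched-rules)` link added in this same hunk then has no target; change it to `## Log the payload of matched rules`. Dropping the step numbers from the headings also changes their generated anchors, and the unchanged context line `If you lose your private key, you will need to [generate](#1-generate-a-key-pair) and [upload](#2-upload-the-public-key-to-cloudflare) a new public key.` still points at `#1-generate-a-key-pair` and `#2-upload-the-public-key-to-cloudflare`, which no longer exist after this change; update those fragments to `#generate-a-key-pair` and `#upload-the-public-key-to-cloudflare` in the same commit so the key-rotation instructions keep working.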
@@ -36,7 +42,9 @@ You can enable payload logging for any Allow or Block HTTP policy that uses the
36
42
37
43
Data Loss Prevention will now store a portion of the payload for HTTP requests that match this policy.
38
44
39
-
### 4. View payload logs
45
+
### View payload logs
46
+
47
+
To view DLP payload logs:
40
48
41
49
1. Go to **Logs** > **Gateway** > **HTTP**.
42
50
2. Go to the DLP log you are interested in reviewing and expand the row.
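Review bot: renaming `### 4. View payload logs` to `### View payload logs` (together with the `### 3. Enable payload logging for a DLP policy` rename in the previous hunk) silently changes the generated anchors, so any other page in the docs tree that links to `#4-view-payload-logs` or `#3-enable-payload-logging-for-a-dlp-policy` will break; grep the repository for those fragments before merging and update them.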
@@ -69,6 +77,21 @@ Based on your report, DLP's machine learning will adjust its confidence in futur
69
77
- DLP will redact all predefined alphanumeric characters in the log. For example, `123-45-6789` will become `XXX-XX-XXXX`.
70
78
- You can define sensitive data with [Exact Data Match (EDM)](/cloudflare-one/policies/data-loss-prevention/detection-entries/#exact-data-match). EDM match logs will redact your defined strings.
71
79
80
+
## Log generative AI prompt content
81
+
82
+
DLP can detect and log the prompt topic sent to an AI tool.
83
+
84
+
### Turn on AI prompt content logging for a DLP policy
85
+
86
+
You can enable payload logging for any Allow or Block HTTP policy that uses the [_Application_](/cloudflare-one/policies/gateway/http-policies/#application) selector with a supported [Cloud App Control](/cloudflare-one/policies/gateway/http-policies/#cloud-app-control) application.
87
+
88
+
1. Go to **Gateway** > **Firewall policies** > **HTTP**.
89
+
2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy).
90
+
3. In the policy builder, scroll down to **Configure policy settings** and turn on **Capture generative AI prompt content in logs**.
91
+
4. Select **Save**.
92
+
93
+
Data Loss Prevention will now store the user prompt and AI model response for requests that match this policy.
94
+
72
95
## Send DLP forensic copies to Logpush destination
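Review bot: the opening sentence of the new section, `You can enable payload logging for any Allow or Block HTTP policy that uses the [_Application_]... selector`, was copied from the payload-logging section and should say AI prompt content logging, since that is what step 3 (`Capture generative AI prompt content in logs`) turns on; step 2's `Edit an existing Allow or Block DLP policy` likewise reads oddly for a policy built on the Application selector rather than the DLP Profile selector. The section also contradicts itself about what is stored: the intro says DLP logs `the prompt topic sent to an AI tool`, while the closing line says it stores `the user prompt and AI model response`. The bigger gap is that the earlier part of this page states logged payloads are encrypted with the customer-provided DLP payload encryption public key and redacted, and that the private key is required to view them, but nothing here says whether captured prompts and model responses get the same encryption and redaction or whether the public key must be set first; prompts routinely contain credentials and personal data, so state the encryption and access requirements explicitly in this section (or extend `Before you begin logging DLP payloads, you will need to set a DLP payload encryption public key.` to cover this feature).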