[DLP] Gen AI prompt topics (#24656)

Author: maxvp

src/content/docs/cloudflare-one/applications/app-library.mdx

@@ -46,4 +46,4 @@ The Shadow IT Discovery dashboard will provide more details for discovered appli
 
 The App Library synchronizes application review statuses with approval statuses from the [Shadow IT Discovery SaaS analytics](/cloudflare-one/insights/analytics/shadow-it-discovery/) dashboard.
 
-<Render file="app-library-review-apps" />
+<Render file="app-library-review-apps" product="cloudflare-one" />

src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx

@@ -21,7 +21,7 @@ To allow Cloudflare to discover shadow IT in your traffic, you must set up [HTTP
 
 The first step in using the Shadow IT SaaS analytics dashboard is to review applications in the [Application Library](/cloudflare-one/applications/app-library/). The App Library synchronizes application review statuses with approval statuses from the Shadow IT Discovery SaaS analytics dashboard.
 
-<Render file="app-library-review-apps" />
+<Render file="app-library-review-apps" product="cloudflare-one" />
 
 ### 2. Monitor usage
 

src/content/docs/cloudflare-one/policies/data-loss-prevention/detection-entries.mdx

@@ -7,7 +7,7 @@ sidebar:
 
 import { Details } from "~/components";
 
-Cloudflare DLP can scan your web traffic and SaaS applications for specific data defined in custom detection entries. Detection entries allow you to define custom data patterns for DLP to detect using [DLP profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/). Detection entries include custom [datasets](#datasets) with defined data and [document entries](#documents) with example fingerprints.
+Cloudflare DLP can scan your web traffic and SaaS applications for specific data defined in custom detection entries. Detection entries allow you to define custom data patterns for DLP to detect using [DLP profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/). Detection entries include custom [datasets](#datasets) with defined data, [document entries](#documents) with example fingerprints, and [AI prompt topics](#ai-prompt-topics).
 
 You can configure sensitive data to be hashed before reaching Cloudflare and redacted from matches in [payload logs](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules).
 
@@ -132,3 +132,20 @@ Uploaded document entries are read-only. To update a document entry, you must up
 5. Select **Save**.
 
 Your new document entry will replace the original document entry. If your file upload fails, DLP will still use the original document fingerprint to scan traffic until you delete the entry.
+
+## AI prompt topics
+
+DLP uses [Application Granular Controls](/cloudflare-one/policies/gateway/http-policies/#application-granular-controls) to detect and categorize prompts and responses submitted to generative AI tools. Application Granular Controls analyzes prompts for both content and user intent. Supported prompt topic detections include:
+
+| Detection entry                       | Description                                                                                      |
+| ------------------------------------- | ------------------------------------------------------------------------------------------------ |
+| Content: PII                          | Prompt contains personal information such as names, SSNs, or email addresses                     |
+| Content: Credentials and Secrets      | Prompt contains API keys, passwords, or other sensitive credentials                              |
+| Content: Source Code                  | Prompt contains actual source code, code snippets, or proprietary algorithms                     |
+| Content: Customer Data                | Prompt contains customer names, projects, business activities, or confidential customer contexts |
+| Content: Financial Information        | Prompt contains financial numbers or confidential business data                                  |
+| Intent: PII                           | Prompt requests specific personal information about individuals                                  |
+| Intent: Code Abuse and Malicious Code | Prompt requests malicious code for attacks, exploits, or harmful activities                      |
+| Intent: Jailbreak                     | Prompt attempts to circumvent AI security policies                                               |
+
+To use an AI prompt topic, add it as an existing entry to a [custom DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile).

src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx

@@ -5,17 +5,19 @@ sidebar:
   order: 2
 ---
 
-Data Loss Prevention allows you to capture, store, and view the data that triggered a specific DLP policy for use as forensic evidence. Users on all plans can [log the payload](#log-the-payload-of-matched-rules) of matched HTTP requests in their Cloudflare logs. Additionally, Enterprise users can [configure a Logpush job](#send-http-requests-to-logpush-destination) to send copies of entire matched HTTP requests to storage destinations.
-
-## Log the payload of matched rules
+Data Loss Prevention allows you to capture, store, and view the data that triggered a specific DLP policy for use as forensic evidence. Users on all plans can log the [payload](#log-the-payload-of-matched-rules) or [generative AI prompt content](#log-generative-ai-prompt-content) of matched HTTP requests in their Cloudflare logs. Additionally, Enterprise users can [configure a Logpush job](#send-http-requests-to-logpush-destination) to send copies of entire matched HTTP requests to storage destinations.
 
 The data that triggers a DLP policy is stored in the portion of the HTTP request known as the payload. Payload logging is especially useful when diagnosing the behavior of DLP policies. Since the values that triggered a rule may contain sensitive data, they are encrypted with a customer-provided public key so that only you can examine them later. The stored data will include a redacted version of the match, plus 75 bytes of additional context on both sides of the match.
 
-### 1. Generate a key pair
+## Set a DLP payload encryption public key
+
+Before you begin logging DLP payloads, you will need to set a DLP payload encryption public key.
 
-Follow [these instructions](/waf/managed-rules/payload-logging/command-line/generate-key-pair/) to generate a public/private key pair in the command line.
+### Generate a key pair
 
-### 2. Upload the public key to Cloudflare
+To generate a public/private key pair in the command line, refer to [these instructions](/waf/managed-rules/payload-logging/command-line/generate-key-pair/).
+
+### Upload the public key to Cloudflare
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**.
 2. In the **DLP Payload Encryption public key** field, paste your public key.
@@ -25,9 +27,13 @@ Follow [these instructions](/waf/managed-rules/payload-logging/command-line/gene
 The matching private key is required to view logs. If you lose your private key, you will need to [generate](#1-generate-a-key-pair) and [upload](#2-upload-the-public-key-to-cloudflare) a new public key. The payload of new requests will be encrypted with the new public key.
 :::
 
-### 3. Enable payload logging for a DLP policy
+## Log the payload of matched rules
 
-You can enable payload logging for any Allow or Block HTTP policy that uses the [DLP Profile](/cloudflare-one/policies/gateway/http-policies/#dlp-profile) selector.
+DLP can log the payload of matched HTTP requests in your Cloudflare logs.
+
+### Turn on payload logging for a DLP policy
+
+You can enable payload logging for any Allow or Block HTTP policy that uses the [_DLP Profile_](/cloudflare-one/policies/gateway/http-policies/#dlp-profile) selector.
 
 1. Go to **Gateway** > **Firewall policies** > **HTTP**.
 2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy).
@@ -36,7 +42,9 @@ You can enable payload logging for any Allow or Block HTTP policy that uses the
 
 Data Loss Prevention will now store a portion of the payload for HTTP requests that match this policy.
 
-### 4. View payload logs
+### View payload logs
+
+To view DLP payload logs:
 
 1. Go to **Logs** > **Gateway** > **HTTP**.
 2. Go to the DLP log you are interested in reviewing and expand the row.
@@ -69,6 +77,21 @@ Based on your report, DLP's machine learning will adjust its confidence in futur
 - DLP will redact all predefined alphanumeric characters in the log. For example, `123-45-6789` will become `XXX-XX-XXXX`.
   - You can define sensitive data with [Exact Data Match (EDM)](/cloudflare-one/policies/data-loss-prevention/detection-entries/#exact-data-match). EDM match logs will redact your defined strings.
 
+## Log generative AI prompt content
+
+DLP can detect and log the prompt topic sent to an AI tool.
+
+### Turn on AI prompt content logging for a DLP policy
+
+You can enable payload logging for any Allow or Block HTTP policy that uses the [_Application_](/cloudflare-one/policies/gateway/http-policies/#application) selector with a supported [Application Granular Controls](/cloudflare-one/policies/gateway/http-policies/#application-granular-controls) application.
+
+1. Go to **Gateway** > **Firewall policies** > **HTTP**.
+2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy).
+3. In the policy builder, scroll down to **Configure policy settings** and turn on **Capture generative AI prompt content in logs**.
+4. Select **Save**.
+
+Data Loss Prevention will now store the user prompt and AI model response for requests that match this policy.
+
 ## Send DLP forensic copies to Logpush destination
 
 :::note[Availability]