From ad80333c5186578689e9282a7b87b69836347d11 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 31 Oct 2024 15:58:34 -0500 Subject: [PATCH 1/7] Add initial section --- .../dlp-policies/payload-logging.mdx | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx index 374dd590231f53c..db07c5bb52aeb7b 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx 
@@ -1,66 +1,66 @@ --- pcx_content_type: how-to -title: Log the payload of matched rules +title: Logging options sidebar: order: 2 --- +## Log the payload of matched rules + Data Loss Prevention allows you to log the data that triggered a specific DLP policy. This data is stored in the portion of the HTTP request known as the payload. Payload logging is especially useful when diagnosing the behavior of DLP rules. Since the values that triggered a rule may contain sensitive data, they are encrypted with a customer-provided public key so that only you can examine them later. The stored data will include a redacted version of the match, plus 20 bytes of additional context on both sides of the match. -## 1. Generate a key pair +### 1. Generate a key pair Follow [these instructions](/waf/managed-rules/payload-logging/command-line/generate-key-pair/) to generate a public/private key pair in the command line. -## 2. Upload the public key to Cloudflare +### 2. Upload the public key to Cloudflare 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**. - 2. In the **DLP Payload Encryption public key** field, paste your public key. - 3. Select **Save**. :::note - The matching private key is required to view logs. If you lose your private key, you will need to [generate](#1-generate-a-key-pair) and [upload](#2-upload-the-public-key-to-cloudflare) a new public key. The payload of new requests will be encrypted with the new public key. ::: -## 3. Enable payload logging for a DLP policy +### 3. Enable payload logging for a DLP policy You can enable payload logging for any Allow or Block HTTP policy that uses the [DLP Profile](/cloudflare-one/policies/gateway/http-policies/#dlp-profile) selector. 1. Go to **Gateway** > **Firewall policies** > **HTTP**. - 2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). - -3. 
In the policy builder, scroll down to **Configure policy settings** and enable **Log the payload of matched rules**. - +3. In the policy builder, scroll down to **Configure policy settings** and turn on **Log the payload of matched rules**. 4. Select **Save**. Data Loss Prevention will now store a portion of the payload for HTTP requests that match this policy. -## 4. View payload logs +### 4. View payload logs 1. Go to **Logs** > **Gateway** > **HTTP**. - 2. Go to the DLP log you are interested in reviewing and expand the row. - 3. Select **Decrypt Payload Log**. - 4. Enter your private key and select **Decrypt**. You will see the [ID of the matched DLP Profile](/api/operations/dlp-profiles-list-all-profiles) followed by the decrypted payload. Note that DLP currently logs only the first match. :::note - Neither the key nor the decrypted payload will be stored by Cloudflare. ::: -## Data privacy +### Data privacy - All Cloudflare logs are encrypted at rest. Encrypting the payload content adds a second layer of encryption for the matched values that triggered a DLP rule. - - Cloudflare cannot decrypt encrypted payloads, since this operation requires your private key. Cloudflare staff will never ask for the private key. - - DLP will redact all predefined alphanumeric characters in the log. For example, `123-45-6789` will become `XXX-XX-XXXX`. - - You can define sensitive data with [Exact Data Match (EDM)](/cloudflare-one/policies/data-loss-prevention/datasets/#exact-data-match). EDM match logs will redact your defined strings. + +## Send HTTP requests to Logpush destination + +1. Set up the ["DLP Forensic Copy" Logpush job](https://developers.cloudflare.com/logs/get-started/). +2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). +3. In the policy builder, scroll down to **Configure policy settings** and turn on **Send copy to storage**. +4. Select **Save**. 
+ +Data Loss Prevention will now send a copy of HTTP requests that match this policy to your Logpush destination. + +Logpush supports up to four DLP Forensic Copy Logpush jobs per account. By default, Gateway will send all matched HTTP requests to all of your configured DLP Forensic Copy jobs. To send specific policy matches to specific jobs, configure [Log filters](/logs/reference/filters/). From 444177eb4d5b3e54cbf428d1ea93cdcc211859a7 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 31 Oct 2024 16:43:04 -0500 Subject: [PATCH 2/7] Add logpush procedure --- .../dlp-policies/payload-logging.mdx | 24 +++++++++++++++---- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx index db07c5bb52aeb7b..1de6df0b9a9f073 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx 
@@ -56,11 +56,25 @@ Neither the key nor the decrypted payload will be stored by Cloudflare. ## Send HTTP requests to Logpush destination -1. Set up the ["DLP Forensic Copy" Logpush job](https://developers.cloudflare.com/logs/get-started/). -2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). -3. In the policy builder, scroll down to **Configure policy settings** and turn on **Send copy to storage**. -4. Select **Save**. +:::note[Availability] +Only available on Enterprise plans. +::: + +You can use these requests as forensic evidence. + +To set up the DLP Forensic Copy Logpush job: + +1. Create a [DLP Forensic Copy Logpush job](/logs/get-started/) with Cloudflare Logs. +2. Go to **Gateway** > **Firewall policies** > **HTTP**. +3. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). +4. In the policy builder, scroll down to **Configure policy settings** and turn on **Send copy to storage**. +5. Select a storage destination. Gateway will list any configured Logpush jobs or integrations that can receive HTTP requests. +6. Select **Save**. Data Loss Prevention will now send a copy of HTTP requests that match this policy to your Logpush destination. -Logpush supports up to four DLP Forensic Copy Logpush jobs per account. By default, Gateway will send all matched HTTP requests to all of your configured DLP Forensic Copy jobs. To send specific policy matches to specific jobs, configure [Log filters](/logs/reference/filters/). +Logpush supports up to four DLP Forensic Copy Logpush jobs per account. By default, Gateway will send all matched HTTP requests to your configured DLP Forensic Copy jobs. To send specific policy matches to specific jobs, configure [Log filters](/logs/reference/filters/). + +DLP matched requests above 100 MB will not be sent to storage. 
+ +The entire request will be sent to the customer regardless of the Gateway policy action (allow or block), size permitting. From 37d4e8a3030d292ce6e1d4d0a0c5cd8c5eca3728 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 31 Oct 2024 16:47:24 -0500 Subject: [PATCH 3/7] Add limitations --- .../data-loss-prevention/dlp-policies/payload-logging.mdx | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx index 1de6df0b9a9f073..ccabadbc4a690d3 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx 
@@ -71,10 +71,6 @@ To set up the DLP Forensic Copy Logpush job: 5. Select a storage destination. Gateway will list any configured Logpush jobs or integrations that can receive HTTP requests. 6. Select **Save**. -Data Loss Prevention will now send a copy of HTTP requests that match this policy to your Logpush destination. +DLP will now send a copy of HTTP requests that match this policy to your Logpush destination. -Logpush supports up to four DLP Forensic Copy Logpush jobs per account. By default, Gateway will send all matched HTTP requests to your configured DLP Forensic Copy jobs. To send specific policy matches to specific jobs, configure [Log filters](/logs/reference/filters/). - -DLP matched requests above 100 MB will not be sent to storage. - -The entire request will be sent to the customer regardless of the Gateway policy action (allow or block), size permitting. +Logpush supports up to four DLP Forensic Copy Logpush jobs per account. By default, Gateway will send all matched HTTP requests to your configured DLP Forensic Copy jobs. To send specific policy matches to specific jobs, configure [Log filters](/logs/reference/filters/). If the request contains an archive file, DLP will only send up to 100 MB of uncompressed content to your configured storage. From f5492c5196d4d8170848eb7dbddea7cced9f4ef4 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 31 Oct 2024 16:58:52 -0500 Subject: [PATCH 4/7] Add preamble --- .../data-loss-prevention/dlp-policies/payload-logging.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx index ccabadbc4a690d3..a8cead5803b01d8 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx 
+++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx @@ -60,7 +60,7 @@ Neither the key nor the decrypted payload will be stored by Cloudflare. Only available on Enterprise plans. ::: -You can use these requests as forensic evidence. +Gateway allows you to send copies of entire HTTP requests matched in DLP policies to storage destinations configured in [Logpush](/logs/about/). With the Logpush integration, you can capture, store, and view DLP matches for forensic investigation. To set up the DLP Forensic Copy Logpush job: From 7ff807170e809071ac0d5c3592f77c335249f3b2 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 1 Nov 2024 11:44:25 -0500 Subject: [PATCH 5/7] Improve Logpush job procedure --- .../dlp-policies/payload-logging.mdx | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx index a8cead5803b01d8..85077a214d087de 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx 
@@ -64,12 +64,13 @@ Gateway allows you to send copies of entire HTTP requests matched in DLP policie To set up the DLP Forensic Copy Logpush job: -1. Create a [DLP Forensic Copy Logpush job](/logs/get-started/) with Cloudflare Logs. -2. Go to **Gateway** > **Firewall policies** > **HTTP**. -3. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). -4. In the policy builder, scroll down to **Configure policy settings** and turn on **Send copy to storage**. -5. Select a storage destination. Gateway will list any configured Logpush jobs or integrations that can receive HTTP requests. -6. Select **Save**. +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Logs** > **Logpush**. Select **Add a Logpush job**. +2. Set up a [Logpush destination](/logs/get-started/enable-destinations/) with the DLP Forensic Copy Logpush job. +3. Return to Zero Trust and go to **Gateway** > **Firewall policies** > **HTTP**. +4. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). +5. In the policy builder, scroll down to **Configure policy settings** and turn on **Send copy to storage**. +6. Select a storage destination. Gateway will list any configured Logpush jobs or integrations that can receive HTTP requests. +7. Select **Save**. DLP will now send a copy of HTTP requests that match this policy to your Logpush destination. From a18e0698b8ed1d628da8e590e7df0fe82c667cd9 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Fri, 1 Nov 2024 12:06:35 -0500 Subject: [PATCH 6/7] Rename page and fix links --- public/_redirects | 1 + .../policies/data-loss-prevention/datasets.mdx | 2 +- .../data-loss-prevention/dlp-policies/index.mdx | 2 +- .../{payload-logging.mdx => logging-options.mdx} | 0 .../policies/data-loss-prevention/index.mdx | 2 +- .../docs/data-localization/how-to/zero-trust.mdx | 13 ++++++------- .../diagrams/security/securing-data-in-transit.mdx | 2 +- 7 files changed, 11 insertions(+), 11 deletions(-) rename src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/{payload-logging.mdx => logging-options.mdx} (100%) diff --git a/public/_redirects b/public/_redirects index 28f1e0c146e77e6..12dbf6b3cc305e0 100644 --- a/public/_redirects +++ b/public/_redirects @@ -298,6 +298,7 @@ # data loss prevention (dlp) /cloudflare-one/policies/data-loss-prevention/integration-profiles/ /cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles/ 301 /cloudflare-one/policies/data-loss-prevention/dlp-logs/ /cloudflare-one/policies/data-loss-prevention/dlp-policies/ 301 +/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/ /cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules 301 /cloudflare-one/policies/data-loss-prevention/exact-data-match/ /cloudflare-one/policies/data-loss-prevention/datasets/ 301 # ddos-protection diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/datasets.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/datasets.mdx index fbddc7a2c0f8150..af2204b84aa296c 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/datasets.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/datasets.mdx 
@@ -7,7 +7,7 @@ sidebar: import { Details } from "~/components"; -Cloudflare DLP can scan your web traffic and SaaS applications for specific data defined in a custom dataset. Sensitive data can be hashed before reaching Cloudflare and redacted from matches in [payload logs](/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/). +Cloudflare DLP can scan your web traffic and SaaS applications for specific data defined in a custom dataset. Sensitive data can be hashed before reaching Cloudflare and redacted from matches in [payload logs](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules/). ## DLP dataset types diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/index.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/index.mdx index 79dfe502fef898e..c6d3eb26cb8fceb 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/index.mdx @@ -62,7 +62,7 @@ Different sites will send requests in different ways. For example, some sites wi - **DLP Profiles** shows the requests which matched a specific DLP profile. - **Policy** shows the requests which matched a specific DLP policy. -You can expand an individual row to view details about the request. To see the data that triggered the DLP policy, [configure payload logging](/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/). +You can expand an individual row to view details about the request. To see the data that triggered the DLP policy, [configure payload logging](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules/). ### Report false positives 
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx similarity index 100% rename from src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging.mdx rename to src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/index.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/index.mdx index 71730cbbb4213cc..861e55fc93c5d58 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/index.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/index.mdx 
@@ -10,7 +10,7 @@ import { GlossaryDefinition } from "~/components"; :::note[Availability] Available as an add-on to Zero Trust Enterprise plans. -Users on Zero Trust Free and Pay-as-you-go plans can use the [Financial Information](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#financial-information) and [Social Security, Insurance, Tax, and Identifier Numbers](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#social-security-insurance-tax-and-identifier-numbers) predefined profiles, [payload logging](/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/), and [false positive reporting](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#report-false-positives). +Users on Zero Trust Free and Pay-as-you-go plans can use the [Financial Information](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#financial-information) and [Social Security, Insurance, Tax, and Identifier Numbers](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#social-security-insurance-tax-and-identifier-numbers) predefined profiles, [payload logging](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules/), and [false positive reporting](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#report-false-positives). ::: diff --git a/src/content/docs/data-localization/how-to/zero-trust.mdx b/src/content/docs/data-localization/how-to/zero-trust.mdx index 5262a952dd14a90..4b94150d7262066 100644 --- a/src/content/docs/data-localization/how-to/zero-trust.mdx +++ b/src/content/docs/data-localization/how-to/zero-trust.mdx 
@@ -3,10 +3,9 @@ title: Zero Trust pcx_content_type: how-to sidebar: order: 1 - --- -import { Render } from "~/components" +import { Render } from "~/components"; In the following sections, we will give you some details about how different Zero Trust products can be used with the Data Localization Suite. @@ -28,9 +27,9 @@ As part of Regional Services, Cloudflare Gateway will only perform [TLS decrypti #### Data Loss Prevention (DLP) -You are able to [log the payload of matched DLP rules](/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/) and encrypt them with your public key so that only you can examine them later. +You are able to [log the payload of matched DLP rules](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules/) and encrypt them with your public key so that only you can examine them later. -[Cloudflare cannot decrypt encrypted payloads](/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/#data-privacy). +[Cloudflare cannot decrypt encrypted payloads](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#data-privacy). ### Network policies @@ -52,8 +51,8 @@ By default, Cloudflare will store and deliver logs from data centers across our Customers also have the option to reduce the logs that Cloudflare stores: -* You can [exclude PII from logs](/cloudflare-one/insights/logs/gateway-logs/manage-pii/) -* You can [disable logging, or only log blocked requests](/cloudflare-one/insights/logs/gateway-logs/#selective-logging). +- You can [exclude PII from logs](/cloudflare-one/insights/logs/gateway-logs/manage-pii/) +- You can [disable logging, or only log blocked requests](/cloudflare-one/insights/logs/gateway-logs/#selective-logging). ## Access 
@@ -75,5 +74,5 @@ You can use the WARP setting [Local Domain Fallback](/cloudflare-one/connections :::caution -Gateway policies will not apply for excluded traffic. +Gateway policies will not apply for excluded traffic. ::: diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx index 83b0160f94deb39..0960d824a4ce3e1 100644 --- a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx +++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx 
@@ -59,7 +59,7 @@ The following diagram shows a common flow for how Cloudflare inspects a request 1. User attempts to upload a file to a SaaS application (via a secure tunnel to Cloudflare created by our [device agent](/cloudflare-one/connections/connect-devices/warp/download-warp/)). [Clientless](/cloudflare-one/connections/connect-devices/agentless/) options are supported as well. 2. Cloudflare's [Secure Web Gateway](/cloudflare-one/policies/gateway/) (SWG) will first verify that the user is permitted to use the requested SaaS application, and then scrutinize the file's payload for [malicious code](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/) and [sensitive data](/cloudflare-one/policies/data-loss-prevention/). 3. The DLP profile determines the file contains national identifiers like US Social Security Numbers (SSN). -4. The SWG policy is configured with a ['block' action](/cloudflare-one/policies/gateway/http-policies/#block), so the attempt is [logged](/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/) and a [block page](/cloudflare-one/policies/gateway/block-page/) returned to the end user's web browser. +4. The SWG policy is configured with a ['block' action](/cloudflare-one/policies/gateway/http-policies/#block), so the attempt is [logged](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules/) and a [block page](/cloudflare-one/policies/gateway/block-page/) returned to the end user's web browser. ## Related resources From 1a9338a72885ea72a8630cfd1c1dd981b353a5b0 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 1 Nov 2024 12:41:08 -0500 Subject: [PATCH 7/7] Add preamble --- .../policies/data-loss-prevention/dlp-policies/index.mdx | 2 +- .../data-loss-prevention/dlp-policies/logging-options.mdx | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) 
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/index.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/index.mdx index c6d3eb26cb8fceb..15114a2022c5221 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/index.mdx @@ -62,7 +62,7 @@ Different sites will send requests in different ways. For example, some sites wi - **DLP Profiles** shows the requests which matched a specific DLP profile. - **Policy** shows the requests which matched a specific DLP policy. -You can expand an individual row to view details about the request. To see the data that triggered the DLP policy, [configure payload logging](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules/). +You can expand an individual row to view details about the request. To see the data that triggered the DLP policy, [configure logging options](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/). ### Report false positives diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx index 85077a214d087de..ed1febe1dfd1e4a 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx 
@@ -5,9 +5,11 @@ sidebar: order: 2 --- +Data Loss Prevention allows you to capture, store, and view the data that triggered a specific DLP policy for use as forensic evidence. Users on all plans can [log the payload](#log-the-payload-of-matched-policies) of matched HTTP requests in their Cloudflare logs. Additionally, Enterprise users can [configure a Logpush job](#send-http-requests-to-logpush-destination) to send copies of entire matched HTTP requests to storage destinations. + ## Log the payload of matched rules -Data Loss Prevention allows you to log the data that triggered a specific DLP policy. This data is stored in the portion of the HTTP request known as the payload. Payload logging is especially useful when diagnosing the behavior of DLP rules. Since the values that triggered a rule may contain sensitive data, they are encrypted with a customer-provided public key so that only you can examine them later. The stored data will include a redacted version of the match, plus 20 bytes of additional context on both sides of the match. +The data that triggers a DLP policy is stored in the portion of the HTTP request known as the payload. Payload logging is especially useful when diagnosing the behavior of DLP policies. Since the values that triggered a rule may contain sensitive data, they are encrypted with a customer-provided public key so that only you can examine them later. The stored data will include a redacted version of the match, plus 20 bytes of additional context on both sides of the match. ### 1. Generate a key pair 
@@ -60,7 +62,7 @@ Neither the key nor the decrypted payload will be stored by Cloudflare. Only available on Enterprise plans. ::: -Gateway allows you to send copies of entire HTTP requests matched in DLP policies to storage destinations configured in [Logpush](/logs/about/). With the Logpush integration, you can capture, store, and view DLP matches for forensic investigation. +Gateway allows you to send copies of entire HTTP requests matched in DLP policies to storage destinations configured in [Logpush](/logs/about/), including third-party destinations. To set up the DLP Forensic Copy Logpush job:
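Review bot: In PATCH 1/7, the new "Send HTTP requests to Logpush destination" section's step 1 links to the absolute URL `https://developers.cloudflare.com/logs/get-started/` while every other link on the page is site-relative (for example `/logs/reference/filters/`); use `/logs/get-started/`. The same list also jumps straight to "Edit an existing Allow or Block DLP policy" without the "Go to **Gateway** > **Firewall policies** > **HTTP**" step that section 3 of the same page uses, so add that step for consistency.

Review bot: In PATCH 2/7, the two trailing sentences "DLP matched requests above 100 MB will not be sent to storage." and "The entire request will be sent to the customer regardless of the Gateway policy action (allow or block), size permitting." state the same limit twice; merge them into one sentence that gives the 100 MB limit, says it applies regardless of the allow or block action, and says whether the limit is measured on the request body or the whole request.

Review bot: In PATCH 3/7, deleting "The entire request will be sent to the customer regardless of the Gateway policy action (allow or block), size permitting." removes the only statement that blocked requests are also copied to storage; keep that sentence. The replacement archive limit ("If the request contains an archive file, DLP will only send up to 100 MB of uncompressed content") is appended to the Log filters paragraph and now reads as the only size limit, since the general "above 100 MB will not be sent" sentence is gone; give it its own paragraph and state what happens to non-archive requests over the limit.

Review bot: In PATCH 5/7, steps 1 and 2 of the rewritten procedure are ambiguous: step 1 opens **Add a Logpush job** in Zero Trust, and step 2 says "Set up a [Logpush destination](/logs/get-started/enable-destinations/) with the DLP Forensic Copy Logpush job", which does not say where the DLP Forensic Copy dataset is chosen. Suggest "1. ... Select **Add a Logpush job** and choose the DLP Forensic Copy dataset. 2. Configure a [Logpush destination](/logs/get-started/enable-destinations/) for the job."

Review bot: In PATCH 6/7, every rewritten link of the form `/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules/` carries a trailing slash after the fragment, so the fragment becomes `log-the-payload-of-matched-rules/` and will not match the heading id; drop the trailing slash, as the `public/_redirects` hunk in the same commit already does (`.../logging-options/#log-the-payload-of-matched-rules 301`). This applies to the hunks in `datasets.mdx`, `dlp-policies/index.mdx`, `data-loss-prevention/index.mdx`, `data-localization/how-to/zero-trust.mdx`, and `securing-data-in-transit.mdx`. The `zero-trust.mdx` hunks also mix in unrelated formatter changes (the `import` semicolon, `*` to `-` list markers, trailing whitespace in the `:::caution` block) that belong in a separate commit from the rename.

Review bot: In PATCH 7/7, the new preamble in `logging-options.mdx` links to `#log-the-payload-of-matched-policies`, but the heading directly below it is `## Log the payload of matched rules`, so the generated anchor is `#log-the-payload-of-matched-rules`; fix the fragment or the link will not resolve. The second fragment, `#send-http-requests-to-logpush-destination`, matches the existing `## Send HTTP requests to Logpush destination` heading and is fine.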