From 01f516c687cb5f389af278e4deb54ca611277e6e Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 21 Mar 2025 13:17:51 -0500 Subject: [PATCH 01/12] Remove first match note --- .../data-loss-prevention/dlp-policies/logging-options.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx index 710448bb57483b..491749ff4f0909 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx @@ -43,7 +43,7 @@ Data Loss Prevention will now store a portion of the payload for HTTP requests t 3. Select **Decrypt Payload Log**. 4. Enter your private key and select **Decrypt**. -You will see the [ID of the matched DLP Profile](/api/resources/zero_trust/subresources/dlp/subresources/profiles/methods/list/) followed by the decrypted payload. Note that DLP currently logs only the first match. +You will see the [ID of the matched DLP Profile](/api/resources/zero_trust/subresources/dlp/subresources/profiles/methods/list/) followed by the decrypted payload. :::note Neither the key nor the decrypted payload will be stored by Cloudflare. From b9a2323df5c5024c1f6b6028bb9d07a85774fb30 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 21 Mar 2025 13:56:06 -0500 Subject: [PATCH 02/12] Rename confidence levels --> confidence thresholds --- public/__redirects | 1 + .../dlp-profiles/advanced-settings.mdx | 14 +++++++------- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/public/__redirects b/public/__redirects index 71f7ee93497a7c..94db1cf98564d9 100644 --- a/public/__redirects +++ b/public/__redirects 
@@ -350,6 +350,7 @@ /cloudflare-one/policies/data-loss-prevention/integration-profiles/ /cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles/ 301 /cloudflare-one/policies/data-loss-prevention/dlp-logs/ /cloudflare-one/policies/data-loss-prevention/dlp-policies/ 301 /cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/ /cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules 301 +/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-levels /cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-thresholds 301 /cloudflare-one/policies/data-loss-prevention/exact-data-match/ /cloudflare-one/policies/data-loss-prevention/datasets/ 301 # ddos-protection diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx index 6e94e9e5dbd534..f1f23ee9910828 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx 
@@ -13,19 +13,19 @@ This page lists the advanced settings available when configuring a [predefined]( Match count refers to the number of times that any enabled entry in the profile can be detected before an action is triggered, such as blocking or logging. For example, if you select a match count of 10, the scanned file or HTTP body must contain 11 or more matching strings. Detections do not have to be unique. -## Confidence levels +## Confidence thresholds -Confidence levels indicate how confident Cloudflare DLP is in a DLP detection. DLP determines the confidence by inspecting the content for proximity keywords around the detection. +Confidence thresholds indicate how confident Cloudflare DLP is in a DLP detection. DLP determines the confidence by inspecting the content for proximity keywords around the detection. -Confidence level is set on the DLP profile. When you select a confidence level in Zero Trust, you will see which DLP entries will be affected by the confidence level. Entries that do not reflect a confidence level in Zero Trust are not yet supported or are not applicable. +Confidence threshold is set on the DLP profile. When you select a confidence threshold in Zero Trust, you will see which DLP entries will be affected by the confidence threshold. Entries that do not reflect a confidence threshold in Zero Trust are not yet supported or are not applicable. -DLP confidence detections consist of Low, Medium, and High confidence levels. DLP will default to Low confidence detections, which are based on regular expressions, require few keywords, and will trigger more often. Medium and High confidence detections require more keywords, will trigger less often, and have a higher likelihood of accuracy. +DLP confidence detections consist of Low, Medium, and High confidence thresholds. DLP will default to Low confidence detections, which are based on regular expressions, require few keywords, and will trigger more often. 
Medium and High confidence detections require more keywords, will trigger less often, and have a higher likelihood of accuracy. -To change the confidence level of a DLP profile: +To change the confidence threshold of a DLP profile: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **DLP profiles**. 2. Select the profile, then select **Edit**. -3. In **Advanced settings** > **Confidence Level**, choose a new confidence level from the dropdown menu. +3. In **Advanced settings** > **Confidence Threshold**, choose a new confidence threshold from the dropdown menu. Setting the confidence to Low will also consider Medium and High confidence detections as matches. Setting the confidence to Medium or High will filter out lower confidence detections. @@ -50,7 +50,7 @@ OCR supports scanning `.jpg`/`.jpeg` and `.png` files between 4 KB and 1 MB in s ## Context analysis {/* context-analysis */} :::caution -Context analysis has been superseded by [confidence levels](#confidence-levels). DLP will migrate users who had context analysis turned on to confidence levels where applicable. +Context analysis has been superseded by [confidence thresholds](#confidence-thresholds). DLP will migrate users who had context analysis turned on to confidence thresholds where applicable. ::: When it was available, context analysis restricted detections based on proximity keywords to prevent false positives. Proximity keywords had to be detected within a distance of 1000 bytes (~1000 characters) from the original detection to trigger an context-aware detection. For example, the string `123-45-6789` only counted as a detection if in proximity to keywords such as `ssn`. From 5cd7009134630cfeed7f5038717ba07c7402f4a5 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Fri, 21 Mar 2025 14:57:38 -0500 Subject: [PATCH 03/12] Remove old context analysis section --- public/__redirects | 1 + .../dlp-profiles/advanced-settings.mdx | 30 +++++-------------- 2 files changed, 9 insertions(+), 22 deletions(-) diff --git a/public/__redirects b/public/__redirects index 94db1cf98564d9..3846d9c4c49083 100644 --- a/public/__redirects +++ b/public/__redirects @@ -351,6 +351,7 @@ /cloudflare-one/policies/data-loss-prevention/dlp-logs/ /cloudflare-one/policies/data-loss-prevention/dlp-policies/ 301 /cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/ /cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules 301 /cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-levels /cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-thresholds 301 +/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#context-analysis /cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-thresholds 301 /cloudflare-one/policies/data-loss-prevention/exact-data-match/ /cloudflare-one/policies/data-loss-prevention/datasets/ 301 # ddos-protection diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx index f1f23ee9910828..7786f1d2472cdf 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx 
@@ -13,6 +13,14 @@ This page lists the advanced settings available when configuring a [predefined]( Match count refers to the number of times that any enabled entry in the profile can be detected before an action is triggered, such as blocking or logging. For example, if you select a match count of 10, the scanned file or HTTP body must contain 11 or more matching strings. Detections do not have to be unique. +## Optical Character Recognition (OCR) + +Optical Character Recognition (OCR) analyzes and interprets text within image files. When used with DLP profiles, OCR can detect sensitive data within images your users upload. + +OCR supports scanning `.jpg`/`.jpeg` and `.png` files between 4 KB and 1 MB in size. Text is encoded in UTF-8 format, including support for non-Latin characters. + +## AI context analysis {/* ai-context-analysis */} + ## Confidence thresholds Confidence thresholds indicate how confident Cloudflare DLP is in a DLP detection. DLP determines the confidence by inspecting the content for proximity keywords around the detection. 
@@ -40,25 +48,3 @@ For inline detections in Gateway, to display Low and Medium confidence detection | Selector | Operator | Value | Action | | ----------- | -------- | ---------------------------- | ------ | | DLP Profile | in | _High Confidence Detections_ | Block | - -## Optical Character Recognition (OCR) {/* optical-character-recognition-ocr */} - -Optical Character Recognition (OCR) analyzes and interprets text within image files. When used with DLP profiles, OCR can detect sensitive data within images your users upload. - -OCR supports scanning `.jpg`/`.jpeg` and `.png` files between 4 KB and 1 MB in size. Text is encoded in UTF-8 format, including support for non-Latin characters. - -## Context analysis {/* context-analysis */} - -:::caution -Context analysis has been superseded by [confidence thresholds](#confidence-thresholds). DLP will migrate users who had context analysis turned on to confidence thresholds where applicable. -::: - -When it was available, context analysis restricted detections based on proximity keywords to prevent false positives. Proximity keywords had to be detected within a distance of 1000 bytes (~1000 characters) from the original detection to trigger an context-aware detection. For example, the string `123-45-6789` only counted as a detection if in proximity to keywords such as `ssn`. - -DLP applied context analysis to traffic and the content of [supported files](/cloudflare-one/policies/data-loss-prevention/#supported-file-types). Supported detections included the [Financial Information](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#financial-information) and [Social Security, Insurance, Tax, and Identifier Numbers](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#social-security-insurance-tax-and-identifier-numbers) predefined profiles. 
- -### Exclude files from context analysis - -You could exclude the content of files from context analysis while still applying context analysis to traffic. For example, if you sent an email containing the string `123-45-6789`, DLP only counted a detection if the string was in proximity to keywords such as `ssn`. If you included a file in an email containing the string `123-45-6789`, DLP matched a detection regardless of keywords. - -To exclude file content from context analysis, in **Exclude content type**, choose _Files_. From 9a9d45b78cbe35b5a664e1166128550d0bf16334 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 21 Mar 2025 16:32:32 -0500 Subject: [PATCH 04/12] Add additional context --- .../dlp-profiles/advanced-settings.mdx | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx index 7786f1d2472cdf..2b6bc265bd0603 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx 
@@ -21,6 +21,16 @@ OCR supports scanning `.jpg`/`.jpeg` and `.png` files between 4 KB and 1 MB in s ## AI context analysis {/* ai-context-analysis */} +:::note +AI context analysis only supports Gateway HTTP and HTTPS traffic. +::: + +AI context analysis uses machine learning to analyze and adjust the confidence in a detection based on its surrounding context. DLP will log any matches that are above your detection threshold. + +DLP submits the context as an AI text embedding vector to [Cloudflare Workers AI](/workers-ai/). Vectors are stored in a database bucket for up to six months, along with relevant metadata from the HTTP request including the URL, HTTP method, matching DLP profile, and Gateway request ID. + +To train the model, you need to report true and false positive in your [DLP logs](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/). + ## Confidence thresholds Confidence thresholds indicate how confident Cloudflare DLP is in a DLP detection. DLP determines the confidence by inspecting the content for proximity keywords around the detection. From 8e38590f4974a30e427a47f5f560fd32500c126b Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 21 Mar 2025 16:43:12 -0500 Subject: [PATCH 05/12] Add how to report true/false positives --- .../dlp-policies/logging-options.mdx | 15 ++++++++++++++- .../dlp-profiles/advanced-settings.mdx | 2 +- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx index 491749ff4f0909..9c2b281ff0779a 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx 
@@ -46,9 +46,22 @@ Data Loss Prevention will now store a portion of the payload for HTTP requests t You will see the [ID of the matched DLP Profile](/api/resources/zero_trust/subresources/dlp/subresources/profiles/methods/list/) followed by the decrypted payload. :::note -Neither the key nor the decrypted payload will be stored by Cloudflare. +Cloudflare does not store the key or the decrypted payload. ::: +### Report false and true positives to AI context analysis + +When you have [AI context analysis](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#ai-context-analysis) turned on for a DLP profile, you can train the AI model to adjust its confident threshold by reporting false and true positives. + +To report a DLP match payload as a false or true positive: + +1. [Find and decrypt](#4-view-payload-logs) the payload log you want to report. +2. In **Log details**, choose a detected context match. +3. In **Context**, select the redacted match data. +4. In **Match details**, choose whether you want to report the match as a false positive or a true positive. + +Based on your report, DLP's machine learning will adjust its confidence in future matches for the associated profile. + ### Data privacy - All Cloudflare logs are encrypted at rest. Encrypting the payload content adds a second layer of encryption for the matched values that triggered a DLP rule. diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx index 2b6bc265bd0603..3a10218e583fdf 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx 
@@ -29,7 +29,7 @@ AI context analysis uses machine learning to analyze and adjust the confidence i DLP submits the context as an AI text embedding vector to [Cloudflare Workers AI](/workers-ai/). Vectors are stored in a database bucket for up to six months, along with relevant metadata from the HTTP request including the URL, HTTP method, matching DLP profile, and Gateway request ID. -To train the model, you need to report true and false positive in your [DLP logs](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/). +To train the model, you need to [report false and true positives](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#report-true-and-false-positive-to-ai-context-analysis) in your DLP payload logs. ## Confidence thresholds From 93177a1d36c10467c25faf844a3e1bd01e2e36db Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 24 Mar 2025 11:24:05 -0500 Subject: [PATCH 06/12] Fix broken links in changelog --- src/content/release-notes/dlp.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/release-notes/dlp.yaml b/src/content/release-notes/dlp.yaml index 5c227bb3c75617..e35252ea2e2480 100644 --- a/src/content/release-notes/dlp.yaml +++ b/src/content/release-notes/dlp.yaml 
@@ -16,7 +16,7 @@ entries: - publish_date: "2024-11-25" title: Profile confidence levels description: |- - DLP profiles now support setting a [confidence level](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-levels) to choose how tolerant its detections are to false positives based on the context of the detection. The higher a profile's confidence level is, the less false positives will be allowed. Confidence levels include Low, Medium, or High. DLP profile confidence levels supersede [context analysis](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#context-analysis). + DLP profiles now support setting a [confidence level](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-thresholds) to choose how tolerant its detections are to false positives based on the context of the detection. The higher a profile's confidence level is, the less false positives will be allowed. Confidence levels include Low, Medium, or High. DLP profile confidence levels supersede context analysis. - publish_date: "2024-11-01" title: Send entire HTTP requests to a Logpush destination description: |- From 7998cdcfc273aa4ceb9cc8caf4b76a934fb1a5ed Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 24 Mar 2025 14:22:13 -0500 Subject: [PATCH 07/12] Discard changes to src/content/release-notes/dlp.yaml --- src/content/release-notes/dlp.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/release-notes/dlp.yaml b/src/content/release-notes/dlp.yaml index e35252ea2e2480..5c227bb3c75617 100644 --- a/src/content/release-notes/dlp.yaml +++ b/src/content/release-notes/dlp.yaml 
@@ -16,7 +16,7 @@ entries: - publish_date: "2024-11-25" title: Profile confidence levels description: |- - DLP profiles now support setting a [confidence level](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-thresholds) to choose how tolerant its detections are to false positives based on the context of the detection. The higher a profile's confidence level is, the less false positives will be allowed. Confidence levels include Low, Medium, or High. DLP profile confidence levels supersede context analysis. + DLP profiles now support setting a [confidence level](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-levels) to choose how tolerant its detections are to false positives based on the context of the detection. The higher a profile's confidence level is, the less false positives will be allowed. Confidence levels include Low, Medium, or High. DLP profile confidence levels supersede [context analysis](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#context-analysis). - publish_date: "2024-11-01" title: Send entire HTTP requests to a Logpush destination description: |- From 955e7fdd61ce3a76d70a88797a61808545fdb46e Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 24 Mar 2025 15:06:58 -0500 Subject: [PATCH 08/12] Remove redirects --- public/__redirects | 2 -- 1 file changed, 2 deletions(-) diff --git a/public/__redirects b/public/__redirects index 4d34aba324dc70..898b7819f75eae 100644 --- a/public/__redirects +++ b/public/__redirects 
@@ -335,8 +335,6 @@ # data loss prevention (dlp) /cloudflare-one/policies/data-loss-prevention/integration-profiles/ /cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles/ 301 /cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/ /cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules 301 -/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-levels /cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-thresholds 301 -/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#context-analysis /cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-thresholds 301 /cloudflare-one/policies/data-loss-prevention/exact-data-match/ /cloudflare-one/policies/data-loss-prevention/datasets/ 301 # ddos-protection From 3c223e76f1776c9d0ed8fc49387173bd6a7da6bc Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 24 Mar 2025 17:13:41 -0500 Subject: [PATCH 09/12] Add procedure for editing profile settings --- .../dlp-profiles/advanced-settings.mdx | 31 ++++++++++++++----- .../data-loss-prevention/custom-profile.mdx | 17 ++++------ .../predefined-profile.mdx | 2 +- 3 files changed, 30 insertions(+), 20 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx index 3a10218e583fdf..a65b1afc838e7a 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx 
@@ -7,31 +7,46 @@ sidebar: import { Badge } from "~/components"; -This page lists the advanced settings available when configuring a [predefined](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/) or [custom](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile) DLP profile. +This page lists the profile settings available when configuring a [predefined](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/) or [custom](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile) DLP profile. You can configure profile settings when you create a custom profile or [edit profile settings](#edit-profile-settings) for an existing predefined or custom profile. -## Match count +## Edit profile settings + +To edit profile settings for an existing predefined or custom DLP profile: + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **DLP profiles**. +2. Choose a profile, then select **Edit**. +3. In **Settings**, configure the [settings](#available-settings) for your profile. +4. Select **Save profile**. + +## Available settings + +The following settings are available for predefined and custom DLP profiles. + +### Match count Match count refers to the number of times that any enabled entry in the profile can be detected before an action is triggered, such as blocking or logging. For example, if you select a match count of 10, the scanned file or HTTP body must contain 11 or more matching strings. Detections do not have to be unique. -## Optical Character Recognition (OCR) +### Optical Character Recognition (OCR) Optical Character Recognition (OCR) analyzes and interprets text within image files. When used with DLP profiles, OCR can detect sensitive data within images your users upload. OCR supports scanning `.jpg`/`.jpeg` and `.png` files between 4 KB and 1 MB in size. Text is encoded in UTF-8 format, including support for non-Latin characters. 
-## AI context analysis {/* ai-context-analysis */} +### AI context analysis {/* ai-context-analysis */} + +{/* TODO: set up redirects for this section based on live docs */} :::note AI context analysis only supports Gateway HTTP and HTTPS traffic. ::: -AI context analysis uses machine learning to analyze and adjust the confidence in a detection based on its surrounding context. DLP will log any matches that are above your detection threshold. +AI context analysis uses machine learning to analyze and adjust the confidence in a detection based on its surrounding context. DLP will log any matches that are above your confidence threshold. DLP submits the context as an AI text embedding vector to [Cloudflare Workers AI](/workers-ai/). Vectors are stored in a database bucket for up to six months, along with relevant metadata from the HTTP request including the URL, HTTP method, matching DLP profile, and Gateway request ID. To train the model, you need to [report false and true positives](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#report-true-and-false-positive-to-ai-context-analysis) in your DLP payload logs. -## Confidence thresholds +### Confidence thresholds Confidence thresholds indicate how confident Cloudflare DLP is in a DLP detection. DLP determines the confidence by inspecting the content for proximity keywords around the detection. 
@@ -43,11 +58,11 @@ To change the confidence threshold of a DLP profile: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **DLP profiles**. 2. Select the profile, then select **Edit**. -3. In **Advanced settings** > **Confidence Threshold**, choose a new confidence threshold from the dropdown menu. +3. In **Settings** > **Confidence threshold**, choose a new confidence threshold from the dropdown menu. Setting the confidence to Low will also consider Medium and High confidence detections as matches. Setting the confidence to Medium or High will filter out lower confidence detections. -### Gateway detections +#### Gateway detections For inline detections in Gateway, to display Low and Medium confidence detections but block High confidence detections, Cloudflare recommends creating two HTTP policies. The first policy should use a Low confidence DLP profile with an Allow action. The second policy should use a High confidence DLP profile with a Block action. For example: diff --git a/src/content/partials/cloudflare-one/data-loss-prevention/custom-profile.mdx b/src/content/partials/cloudflare-one/data-loss-prevention/custom-profile.mdx index 03caaf926a9adc..8015bfd0783b8c 100644 --- a/src/content/partials/cloudflare-one/data-loss-prevention/custom-profile.mdx +++ b/src/content/partials/cloudflare-one/data-loss-prevention/custom-profile.mdx @@ -1,11 +1,10 @@ --- {} - --- -import { Details } from "~/components" +import { Details } from "~/components"; -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **DLP Profiles**. +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **DLP profiles**. 2. Select **Create profile**. @@ -13,23 +12,20 @@ import { Details } from "~/components" 4. Add custom or existing detection entries. -
1. Select **Add custom entry** and give it a name. 2. In **Value**, enter a regular expression (or regex) that defines the text pattern you want to detect. For example, `test\d\d` will detect the word `test` followed by two digits. - * Regular expressions are written in Rust. We recommend validating your regex with [Rustexp](https://rustexp.lpil.uk/). - * DLP detects UTF-8 characters, which can be up to 4 bytes each. Custom text pattern detections are limited to 1024 bytes in length. - * DLP does not support regular expressions with `+` or `*` operators because they are prone to exceeding the length limit. For example, the regex pattern `a+` can detect an infinite number of `a` characters. We recommend using `a{min,max}` instead, such as `a{1,1024}`. + - Regular expressions are written in Rust. We recommend validating your regex with [Rustexp](https://rustexp.lpil.uk/). + - DLP detects UTF-8 characters, which can be up to 4 bytes each. Custom text pattern detections are limited to 1024 bytes in length. + - DLP does not support regular expressions with `+` or `*` operators because they are prone to exceeding the length limit. For example, the regex pattern `a+` can detect an infinite number of `a` characters. We recommend using `a{min,max}` instead, such as `a{1,1024}`. 3. To save the detection entry, select **Done**. -
-
Existing entries include [predefined detection entries](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/) and [DLP datasets](/cloudflare-one/policies/data-loss-prevention/datasets/). @@ -38,9 +34,8 @@ import { Details } from "~/components" 2. Choose which entries you want to add, then select **Confirm**. 3. To save the detection entry, select **Done**. -
-5. (Optional) Configure [**Advanced settings**](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/) for the profile. +5. (Optional) Configure [**profile settings**](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/) for the profile. 6. Select **Save profile**. diff --git a/src/content/partials/cloudflare-one/data-loss-prevention/predefined-profile.mdx b/src/content/partials/cloudflare-one/data-loss-prevention/predefined-profile.mdx index 850bc2eb764325..0e002b3b61d7d1 100644 --- a/src/content/partials/cloudflare-one/data-loss-prevention/predefined-profile.mdx +++ b/src/content/partials/cloudflare-one/data-loss-prevention/predefined-profile.mdx @@ -2,7 +2,7 @@ {} --- -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **DLP Profiles**. +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DLP** > **DLP profiles**. 2. Choose a [predefined profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/) and select **Configure**. 3. Enable one or more **Detection entries** according to your preferences. The DLP Profile matches using the OR logical operator — if multiple entries are enabled, your data needs to match only one of the entries. 4. Select **Save profile**. From cd54453879188102a631ebdf8a9a322119437fba Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 25 Mar 2025 15:05:42 -0500 Subject: [PATCH 10/12] Add procedure for setting up AI --- .../dlp-profiles/advanced-settings.mdx | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx index a65b1afc838e7a..79cf5a072dacdc 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx 
+++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx @@ -44,7 +44,13 @@ AI context analysis uses machine learning to analyze and adjust the confidence i DLP submits the context as an AI text embedding vector to [Cloudflare Workers AI](/workers-ai/). Vectors are stored in a database bucket for up to six months, along with relevant metadata from the HTTP request including the URL, HTTP method, matching DLP profile, and Gateway request ID. -To train the model, you need to [report false and true positives](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#report-true-and-false-positive-to-ai-context-analysis) in your DLP payload logs. +To use AI context analysis: + +1. Turn on **AI context analysis** in a DLP profile. +2. [Add the profile](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy) to a DLP policy. +3. When configuring the DLP policy, turn on [payload logging](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules). + +AI context analysis results will appear in your DLP payload logs. To further train the machine learning model, you need to [report false and true positives](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#report-false-and-true-positives-to-ai-context-analysis). ### Confidence thresholds From bcb1d6a613a3b84370c3839d39464a1bb0c60ab6 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 25 Mar 2025 15:46:49 -0500 Subject: [PATCH 11/12] Add confidence levels redirect --- public/__redirects | 3 ++- .../data-loss-prevention/dlp-profiles/advanced-settings.mdx | 6 ++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/public/__redirects b/public/__redirects index 898b7819f75eae..71a1bba444da30 100644 --- a/public/__redirects +++ b/public/__redirects 
@@ -333,9 +333,10 @@ # data loss prevention (dlp) -/cloudflare-one/policies/data-loss-prevention/integration-profiles/ /cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles/ 301 +/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-levels /cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-thresholds 301 /cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/ /cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules 301 /cloudflare-one/policies/data-loss-prevention/exact-data-match/ /cloudflare-one/policies/data-loss-prevention/datasets/ 301 +/cloudflare-one/policies/data-loss-prevention/integration-profiles/ /cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles/ 301 # ddos-protection /ddos-protection/managed-rulesets/http/location-aware-protection/ /ddos-protection/managed-rulesets/adaptive-protection/ 301 diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx index 79cf5a072dacdc..30bf08b17cae05 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx @@ -20,7 +20,7 @@ To edit profile settings for an existing predefined or custom DLP profile: ## Available settings -The following settings are available for predefined and custom DLP profiles. +The following advanced detection settings are available for predefined and custom DLP profiles. ### Match count 
@@ -34,8 +34,6 @@ OCR supports scanning `.jpg`/`.jpeg` and `.png` files between 4 KB and 1 MB in s ### AI context analysis {/* ai-context-analysis */} -{/* TODO: set up redirects for this section based on live docs */} - :::note AI context analysis only supports Gateway HTTP and HTTPS traffic. ::: @@ -50,7 +48,7 @@ To use AI context analysis: 2. [Add the profile](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy) to a DLP policy. 3. When configuring the DLP policy, turn on [payload logging](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules). -AI context analysis results will appear in your DLP payload logs. To further train the machine learning model, you need to [report false and true positives](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#report-false-and-true-positives-to-ai-context-analysis). +AI context analysis results will appear in the payload section of your [DLP logs](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#4-view-dlp-logs). To further train the machine learning model, you need to [report false and true positives](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#report-false-and-true-positives-to-ai-context-analysis). ### Confidence thresholds From df099eb2b5b7354949ea10e3da02ee0529afbf8b Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 25 Mar 2025 15:59:12 -0500 Subject: [PATCH 12/12] Discard changes to public/__redirects --- public/__redirects | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/public/__redirects b/public/__redirects index 71a1bba444da30..898b7819f75eae 100644 --- a/public/__redirects +++ b/public/__redirects 
@@ -333,10 +333,9 @@ # data loss prevention (dlp) -/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-levels /cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-thresholds 301 +/cloudflare-one/policies/data-loss-prevention/integration-profiles/ /cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles/ 301 /cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/ /cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules 301 /cloudflare-one/policies/data-loss-prevention/exact-data-match/ /cloudflare-one/policies/data-loss-prevention/datasets/ 301 -/cloudflare-one/policies/data-loss-prevention/integration-profiles/ /cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles/ 301 # ddos-protection /ddos-protection/managed-rulesets/http/location-aware-protection/ /ddos-protection/managed-rulesets/adaptive-protection/ 301
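Review bot: The step 5 change that precedes the predefined-profile.mdx diff now reads "Configure **profile settings** for the profile", which repeats "profile" and bolds a phrase that looks like a UI label. If the dashboard control is not literally named "profile settings", drop the bold. Shortening the sentence to "(Optional) Configure profile settings." would also help. The link target is still `/dlp-profiles/advanced-settings/`, so decide whether the slug should follow the rename or stay as is on purpose.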
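Review bot: In predefined-profile.mdx (hunk `@@ -2,7 +2,7 @@`), step 1 is lowercased to **DLP profiles**, but step 3 in the same hunk's context still says "The DLP Profile matches using the OR logical operator". Lowercase that occurrence too so the partial uses one capitalization, and confirm the bold text in step 1 matches the dashboard menu label exactly, since readers navigate by it.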
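Review bot: In PATCH 10 (advanced-settings.mdx, hunk `@@ -44,7 +44,13 @@`), step 3 makes payload logging part of "To use AI context analysis" without saying whether the analysis needs it to run or whether it is only required to see the results. The surrounding text already tells readers that vectors and request metadata (URL, HTTP method, matching profile, Gateway request ID) are kept for up to six months, and payload logging stores part of the matched request as well, so state the dependency explicitly to let admins make the retention decision knowingly. The link fragment also changed from `#report-true-and-false-positive-to-ai-context-analysis` to `#report-false-and-true-positives-to-ai-context-analysis`; the matching heading rename in logging-options.mdx is not visible in this part of the series, so please confirm the anchor resolves.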
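Review bot: In PATCH 11 (public/__redirects, hunk `@@ -333,9 +333,10 @@`), the added rule uses `.../advanced-settings/#confidence-levels` as its source, but a URL fragment is never sent to the server, so a 301 rule cannot match on it. With the fragment ignored, source and destination are the same path. Handle the renamed anchor on the page itself, or drop the rule. The hunk also moves the `integration-profiles` line to restore alphabetical order, which is fine but would be easier to review as its own change.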
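Review bot: In PATCH 11 (advanced-settings.mdx, hunk `@@ -20,7 +20,7 @@`), the new sentence introduces "advanced detection settings" while the rest of the series renames "Advanced settings" to "profile settings" and the context line just above says "To edit profile settings". Pick one term, for example "The following profile settings are available for predefined and custom DLP profiles.", so the heading, the procedure and this sentence agree.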
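Review bot: In PATCH 11 (advanced-settings.mdx, hunk `@@ -34,8 +34,6 @@`), the `TODO: set up redirects for this section based on live docs` comment is deleted, but no redirect for the AI context analysis section appears in this series. The only redirect added concerns `#confidence-levels`, and PATCH 12 discards it. Either keep the TODO until the redirect exists or note in the commit message why it is no longer needed.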
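Review bot: In PATCH 11 (advanced-settings.mdx, hunk `@@ -50,7 +48,7 @@`), the new link targets `#4-view-dlp-logs`, an anchor derived from a numbered step heading that will break silently if the steps on the DLP policies page are renumbered. Link to a stable anchor if one exists. Since the results appear in the payload section, it would also help to mention that readers must decrypt the payload log with their private key to see them, as logging-options.mdx describes.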
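Review bot: PATCH 12 (public/__redirects, hunk `@@ -333,10 +333,9 @@`) undoes exactly what PATCH 11 added to this file, so the series carries an add-then-revert pair and the subject "Add confidence levels redirect" on PATCH 11 no longer describes the net result. Squash the `__redirects` changes out of PATCH 11 instead, and say in the commit message how links to the old `#confidence-levels` anchor are expected to be handled after the heading rename.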