Azure Cognitive Service Key

Detects Azure Cognitive Services subscription key patterns. This pattern is based on a Microsoft Purview built-in sensitive information type. Users already running Purview may prefer to enable the built-in SIT directly, or use this version as a starting point for customisation.

Type

regex

Engine

universal

Confidence

high

Confidence justification

High confidence: structurally constrained 32-character hexadecimal pattern with Cognitive Services context keywords reduces false positive rates significantly. Added context gating and exclusion rules improve precision and reduce incidental matches.

Detection quality

Partial

Jurisdictions

global

Regulations

Criminal Code Act 1995 (Cth)

Frameworks

CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2

Data categories

credentials, security

Scope

specific

Risk rating

10

Platform compatibility

Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Degraded, Netskope: Unsupported

Pattern

(?i)(?:Ocp-Apim-Subscription-Key|cognitive[._-]?key|subscription[._-]?key)\s*[:=]\s*"?[0-9A-Fa-f]{32}"?

Corroborative evidence keywords

Cognitive Services, cognitive service, Ocp-Apim-Subscription-Key, subscription key, Computer Vision, Text Analytics, Speech, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential (+44 more)

Proximity: 300 characters

Should match

• Ocp-Apim-Subscription-Key=AAAA0000BBBB1111CCCC2222DDDD3333 — Cognitive Services subscription key
• cognitive_key: "0123456789abcdef0123456789abcdef" — Cognitive key in lowercase hex
• subscription_key="00000000000000000000000000000000" — Subscription key with placeholder value

Should not match

• Ocp-Apim-Subscription-Key=tooshort — Too short to be a valid key
• cognitiveServiceEndpoint=https://myservice.cognitiveservices.azure.com — Endpoint URL, not a key
• template example placeholder record identifier — Template/sample context should be excluded even when anchor words are present

Known false positives

• Cognitive Services quickstart guides and SDK documentation with example keys. Mitigation: Check for common placeholder values and documentation file types.
• API Management subscription keys for non-cognitive services. Mitigation: Use Cognitive Services specific corroborative keywords for differentiation.

References

• Azure Cognitive Service key entity definition - Microsoft Learn