All Credential Types

Detects documents containing credential-related terminology. This pattern is based on a Microsoft Purview built-in sensitive information type. In Purview, this is a broad, function-based bundled detector that aggregates multiple credential SITs. This keyword-based version flags documents that may contain credentials for further review.

Type

regex

Engine

universal

Confidence

low

Confidence justification

Low confidence: broad keyword-based detection that will match credential-related terminology in documentation, code comments, and non-sensitive contexts. Intended as a wide-net classifier. Added context gating and exclusion rules improve precision and reduce incidental matches.

Detection quality

Verified

Jurisdictions

global

Regulations

Criminal Code Act 1995 (Cth)

Frameworks

CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2

Data categories

credentials, security

Scope

wide

Risk rating

10

Platform compatibility

Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Degraded, Netskope: Unsupported

Pattern

(?i)\b(?:password|passwd|pwd|secret[_ ]?key|access[_ ]?key|api[_ ]?key|private[_ ]?key|auth[_ ]?token|client[_ ]?secret|connection[_ ]?string|bearer[_ ]?token|signing[_ ]?key|encryption[_ ]?key|master[_ ]?key|shared[_ ]?access[_ ]?key)\b

Corroborative evidence keywords

password, secret, credential, api key, access key, token, private key, connection string, api_key, apikey, access token, auth token, authorization, bearer, conn str, connectionstring, cookie, database, host, JWT (+37 more)

Proximity: 300 characters

Should match

• password: MyS3cretP@ss — Password assignment
• api_key = AAAA0000BBBB1111CCCC2222 — API key assignment
• Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.AAAA.BBBB — Bearer token in authorization header

Should not match

• The quick brown fox jumps over the lazy dog — No credential-related keywords
• Please reset your username to continue — Contains user-related but not credential keywords
• template example placeholder record identifier — Template/sample context should be excluded even when anchor words are present

Known false positives

• Security documentation, training materials, and policy documents frequently reference credential terminology without containing actual secrets. Mitigation: Use as a classification signal combined with other detectors rather than as a standalone alert trigger.
• Source code files contain credential-related variable names and function parameters without actual credential values. Mitigation: Pair with pattern-specific detectors for individual credential types to confirm actual credential presence.

References

• All credential types entity definition - Microsoft Learn