SIT Recipe Library

The built-in General Password and User Login Credentials SITs match key-value shapes like password=X in code, config, and logs. A spreadsheet with a username column and a password column never matches that shape, because the extracted text puts the headers in one row and the values in others. This recipe flags the file by its headers instead.

• -Keyword lists are word matches, so "password" does not match inside "passwords". The list carries both forms.
• -Headers appear once per file, so keep any DLP rule on this SIT at a low instance count. Instance counts also dedupe by value: the same word twice counts once.
• -Keep using the built-in credential SITs for code and config. This recipe only covers the file shape they miss.

Database connection strings with a plain-text Password= parameter, sitting in runbooks, wiki exports, and handover docs. The built-in credential SITs cover the big cloud formats but cannot be tuned; this catches generic on-prem strings and is fully yours to adjust.

• -The pattern needs the server and password parts in the same string, which keeps it quiet on prose that merely mentions servers and passwords.
• -Add "Exclude specific matches" entries for known placeholder values like Password=changeme in your template docs.
• -Works on text the way Purview sees it after extraction, so it catches strings pasted into Word and OneNote too.

Microsoft's credential pack covers the big vendors. Your internal gateway tokens, service keys, and signing secrets follow whatever format your platform team picked, and only a custom SIT will find them. Adapt the prefix and length to your format.

• -Change the tok_, key_, svc_ prefixes to whatever your tokens actually start with. The fixed prefix is what keeps false positives near zero.
• -The bare format sits at medium; the high pattern wants a nearby keyword like "api key" or "secret". Route blocking rules at high and monitoring at medium.
• -If your tokens have no prefix at all, expect noise: a bare 32-character alphanumeric regex matches GUIDs, hashes, and file names. Add context keywords before trusting it.

Law firms and in-house legal teams reference privileged work by matter number. Tracking where those references travel is the first step to protecting privileged material with DLP or auto-labeling.

• -Swap MAT and CASE for your practice management prefixes and match the digit grouping to your numbering scheme.
• -The high pattern wants legal context nearby, which keeps invoices that merely quote a reference at medium.
• -Pair with a service-side auto-labeling policy to label privileged documents at rest, not just block them in motion.

Eight digits is a noisy shape: dates, order IDs, and phone fragments all collide with it. This recipe shows how additional checks rescue a weak format: constrain the leading digit, reject repeated-digit strings, and require account context for high confidence.

• -Set "Starts with" to the ranges your account numbers actually use. Every excluded leading digit removes a slice of false positives.
• -Exclude duplicate characters kills 11111111-style test data, which is the most common false positive in real tenants.
• -If your account numbers carry a check digit, validate the format in the portal with the checksum validator. The Builder flags where checks like these belong.

Board packs leak through ordinary sharing, not hacking. A keyword-primary SIT that recognises the standing vocabulary of board material gives DLP and auto-labeling something to anchor on without any regex at all.

• -Replace the keyword list with the headings your own board template actually uses. The narrower the vocabulary, the cleaner the matches.
• -Keywords are the primary element here, so one phrase anywhere in a document is a match at medium. That is deliberately broad: route it to monitoring, not blocking.
• -For enforcement, prefer labeling the board pack template itself, or document fingerprinting if the format is stable. This SIT is the detection net underneath.