[WAF] Add sensitive data detection API example

Author: pedrosousa

src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx

@@ -42,9 +42,117 @@ For details on configuring a managed ruleset in the dashboard, refer to [Configu
 
 ## Configure via API
 
-To enable Cloudflare Sensitive Data Detection for a given zone using the API, create a rule with `execute` action in the entry point ruleset for the `http_response_firewall_managed` phase. For more information on deploying a managed ruleset, refer to [Deploy a managed ruleset](/ruleset-engine/managed-rulesets/deploy-managed-ruleset/).
-
-The ruleset ID is the following: <RuleID id="e22d83c647c64a3eae91b71b499d988e" />.
+To enable Cloudflare Sensitive Data Detection for a given zone using the API, create a rule with `execute` action in the entry point ruleset for the `http_response_firewall_managed` phase.
+
+### Example
+
+This example deploys the Cloudflare Sensitive Data Detection managed ruleset to the `http_response_firewall_managed` phase of a given zone (`{zone_id}`) by creating a rule that executes the managed ruleset. The rules in the managed ruleset are executed for all incoming requests.
+
+1.  Search for an existing [entry point ruleset](/ruleset-engine/about/rulesets/#entry-point-ruleset) for the `http_response_firewall_managed` phase using the [List zone rulesets](/api/operations/listZoneRulesets) operation and take note of the ruleset ID. This ruleset, if it exists, has the following properties: `"kind": "zone"` and `"phase": "http_response_firewall_managed"`.
+
+    ```bash
+    curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \
+    --header "Authorization: Bearer <API_TOKEN>"
+    ```
+
+    ```json output {5,9,12}
+    {
+    	"result": [
+    		// ...
+    		{
+    			"id": "<RULESET_ID>",
+    			"name": "default",
+    			"description": "",
+    			"source": "firewall_managed",
+    			"kind": "zone",
+    			"version": "5",
+    			"last_updated": "2024-07-22T16:04:19.788697Z",
+    			"phase": "http_response_firewall_managed"
+    		}
+    		// ...
+    	],
+    	"success": true,
+    	"errors": [],
+    	"messages": []
+    }
+    ```
+
+2.  If the entry point ruleset does not exist (the previous command returned a `404 Not Found` status code), create it using the [Create a zone ruleset](/api/operations/createZoneRuleset) operation. Include a single rule in the `rules` array that executes the [Cloudflare Sensitive Data Detection managed ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) (with ID <RuleID id="e22d83c647c64a3eae91b71b499d988e" />) for all incoming requests in the zone.
+
+    ```bash
+    curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \
+    --header "Authorization: Bearer <API_TOKEN>" \
+    --header "Content-Type: application/json" \
+    --data '{
+      "name": "My ruleset",
+      "description": "Entry point ruleset for WAF managed rulesets (response)",
+      "kind": "zone",
+      "phase": "http_response_firewall_managed",
+      "rules": [
+        {
+    			"action": "execute",
+    			"action_parameters": {
+    				"id": "e22d83c647c64a3eae91b71b499d988e"
+    			},
+    			"expression": "true",
+    			"description": "Execute the Cloudflare Sensitive Data Detection managed ruleset"
+    		}
+      ]
+    }'
+    ```
+
+    If the entry point ruleset already exists, add a rule to this ruleset (with ID `{ruleset_id}`) using the [Create a zone ruleset rule](/api/operations/createZoneRulesetRule) operation. This rule executes the Cloudflare Sensitive Data Detection managed ruleset (with ID <RuleID id="e22d83c647c64a3eae91b71b499d988e" />) for all incoming requests in the zone.
+
+    ```bash
+    curl --request PUT \
+    "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/rules" \
+    --header "Authorization: Bearer <API_TOKEN>" \
+    --header "Content-Type: application/json" \
+    --data '{
+    	"action": "execute",
+    	"action_parameters": {
+    		"id": "e22d83c647c64a3eae91b71b499d988e"
+    	},
+    	"expression": "true",
+    	"description": "Execute the Cloudflare Sensitive Data Detection managed ruleset"
+    }'
+    ```
+
+    ```json output
+    {
+    	"result": {
+    		"id": "<RULESET_ID>",
+    		"name": "Zone-level phase entry point",
+    		"description": "",
+    		"kind": "zone",
+    		"version": "3",
+    		"rules": [
+    			// ... any existing rules
+    			{
+    				"id": "<RULE_ID>",
+    				"version": "1",
+    				"action": "execute",
+    				"action_parameters": {
+    					"id": "e22d83c647c64a3eae91b71b499d988e",
+    					"version": "latest"
+    				},
+    				"expression": "true",
+    				"description": "Execute the Cloudflare Sensitive Data Detection managed ruleset",
+    				"last_updated": "2024-03-18T18:08:14.003361Z",
+    				"ref": "<RULE_REF>",
+    				"enabled": true
+    			}
+    		],
+    		"last_updated": "2024-03-18T18:08:14.003361Z",
+    		"phase": "http_response_firewall_managed"
+    	},
+    	"success": true,
+    	"errors": [],
+    	"messages": []
+    }
+    ```
+
+### Next steps
 
 To configure Cloudflare Sensitive Data Detection using the API, create [overrides](/ruleset-engine/managed-rulesets/override-managed-ruleset/) using the Rulesets API. You can perform the following configurations:
 
@@ -53,6 +161,10 @@ To configure Cloudflare Sensitive Data Detection using the API, create [override
 
 For examples of creating overrides using the API, refer to [Override a managed ruleset](/ruleset-engine/managed-rulesets/override-managed-ruleset/).
 
+### More resources
+
+For more information on working with managed rulesets via API, refer to [Work with managed rulesets](/ruleset-engine/managed-rulesets/) in the Ruleset Engine documentation.
+
 ## Review detected leaks
 
 To check for any data leaks detected by Cloudflare Sensitive Data Detection, you can do the following: