[WAF] Add exposed credentials check migration guide

Author: pedrosousa

src/content/docs/waf/detections/leaked-credentials/get-started.mdx

@@ -8,31 +8,11 @@ head:
     content: Get started with leaked credentials detection
 ---
 
-import { TabItem, Tabs, Details } from "~/components";
+import { Render, TabItem, Tabs, Details } from "~/components";
 
 ## 1. Turn on leaked credentials detection
 
-On Free plans, the leaked credentials detection is enabled by default, and no action is required. On paid plans, you can turn on the detection in the Cloudflare dashboard or via API.
-
-<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
-
-1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
-2. Go to **Security** > **Settings**.
-3. Under **Incoming traffic detections**, turn on **Leaked credentials**.
-
-</TabItem> <TabItem label="API">
-
-Enable the feature using a `POST` request similar to the following:
-
-```bash
-curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks" \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>" \
---header "Content-Type: application/json" \
---data '{ "enabled": true }'
-```
-
-</TabItem> </Tabs>
+<Render file="leaked-credentials-detection-enable" />
 
 :::note
 To achieve optimal latency performance, Cloudflare recommends that you turn off [Exposed Credentials Checks](/waf/managed-rules/reference/exposed-credentials-check/) (a previous implementation) after turning on leaked credentials detection and setting up your mitigation strategy as described in the next steps.

src/content/docs/waf/reference/migration-guides/exposed-credentials-check-migration.mdx

@@ -0,0 +1,57 @@
+---
+title: Exposed credentials check migration
+pcx_content_type: reference
+sidebar:
+  order: 4
+---
+
+import { Render } from "~/components";
+
+This guide describes the general steps to migrate your [Exposed Credentials Check](/waf/managed-rules/check-for-exposed-credentials/) configuration to the new [leaked credentials detection](/waf/detections/leaked-credentials/).
+
+Cloudflare recommends that customers still using the Exposed Credentials Check feature migrate to the new leaked credentials detection. This applies both to users that have deployed the [Cloudflare Exposed Credentials Check Ruleset](/waf/managed-rules/reference/exposed-credentials-check/) and users that have [created custom rules checking for exposed credentials](/waf/managed-rules/check-for-exposed-credentials/#exposed-credentials-checks-in-custom-rules).
+
+The leaked credentials detection offers the following advantages over Exposed Credentials Check:
+
+- The detection uses a comprehensive database of leaked credentials, containing over 15 billion passwords.
+- After enabling the feature, you can review the amount of incoming requests with leaked credentials in Security Analytics, even before creating any mitigation rules.
+- You can take action on the requests containing leaked credentials using WAF features like rate limiting rules or custom rules.
+
+## 1. Turn off Exposed Credentials Check
+
+If you had deployed the Cloudflare Exposed Credentials Check managed ruleset:
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
+2. Go to **Security** > **WAF** > **Managed rules**.
+3. Under **Managed rules**, edit the rule that executes the Cloudflare Exposed Credentials Check Ruleset and take note of the current configuration (namely the performed action). Next, delete (or turn off) that rule.
+
+If you had created [custom rules that checked for exposed credentials](/waf/managed-rules/check-for-exposed-credentials/configure-api/#create-a-custom-rule-checking-for-exposed-credentials), you should delete these specific rules after taking note of their configuration for the next steps. Custom rules checking for exposed credentials were only available at the account level and could only be configured via API.
+
+:::note
+While Exposed Credentials Check and leaked credentials detection can work side by side, enabling both features will increase the latency on incoming requests related to authentication.
+:::
+
+## 2. Turn on leaked credentials detection
+
+<Render file="leaked-credentials-detection-enable" />
+
+## 3. Configure the actions to take
+
+Based on your previous configuration, do one of the following:
+
+- If you were using the [default action](/waf/managed-rules/check-for-exposed-credentials/#available-actions) in Exposed Credentials Check: Turn on the [**Add Leaked Credentials Checks Header** managed transform](/rules/transform/managed-transforms/reference/#add-leaked-credentials-checks-header) that adds the `Exposed-Credential-Check` header to incoming requests containing leaked credentials. Even though the header name is the same as in Exposed Credentials Check, the header values in the new implementation will vary between `1` and `4`.
+
+- If you were using a different action: Create a [custom rule](/waf/custom-rules/) with an action equivalent to the one you were using. The rule should match `User and password leaked is true` (if you are using the expression editor, enter `(cf.waf.credential_check.username_and_password_leaked)`).
+
+If you had configured custom rules at the account level checking for exposed credentials:
+
+1. (Optional) Configure [custom detection locations](/waf/detections/leaked-credentials/get-started/#4-optional-configure-a-custom-detection-location) for leaked credentials detection. This step may not be necessary if the authentication requests are from well-known web applications or follow common web authentication patterns.
+
+2. Create custom rules that perform an equivalent action to the rules you had previously configured. You can used leaked credentials fields in custom rules at the account or at the zone level.
+
+---
+
+## More resources
+
+- Check for the results of leaked credentials detection in [Security Analytics](/waf/analytics/security-analytics/).
+- Refer to [Mitigation examples](/waf/detections/leaked-credentials/examples/) for example mitigation strategies you can use when detecting leaked credentials.

src/content/docs/waf/reference/migration-guides/index.mdx

@@ -6,12 +6,12 @@ sidebar:
   group:
     hideIndex: true
 head: []
-description: Reference guides for users migrating from deprecated Cloudflare
-  features to the Cloudflare WAF.
+description: Reference guides for users migrating from older Cloudflare
+  features to new implementations in the Cloudflare WAF.
 ---
 
 import { DirectoryListing } from "~/components";
 
-Refer to the following pages for more information on migrating from deprecated features to the Cloudflare WAF:
+Refer to the following pages for more information on migrating from older features to new implementations in the Cloudflare WAF:
 
 <DirectoryListing />

src/content/partials/waf/leaked-credentials-detection-enable.mdx

@@ -0,0 +1,27 @@
+---
+{}
+---
+
+import { TabItem, Tabs } from "~/components";
+
+On Free plans, the leaked credentials detection is enabled by default, and no action is required. On paid plans, you can turn on the detection in the Cloudflare dashboard or via API.
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
+2. Go to **Security** > **Settings**.
+3. Under **Incoming traffic detections**, turn on **Leaked credentials**.
+
+</TabItem> <TabItem label="API">
+
+Enable the feature using a `POST` request similar to the following:
+
+```bash
+curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks" \
+--header "X-Auth-Email: <EMAIL>" \
+--header "X-Auth-Key: <API_KEY>" \
+--header "Content-Type: application/json" \
+--data '{ "enabled": true }'
+```
+
+</TabItem> </Tabs>

src/content/partials/waf/leaked-credentials-recommend-detection.mdx

@@ -3,5 +3,6 @@
 ---
 
 :::note[Recommendation: Use leaked credentials detection instead]
-Cloudflare recommends that you use [leaked credentials detection](/waf/detections/leaked-credentials/) instead of Cloudflare Exposed Credentials Check, which refers to a previous implementation.
+Cloudflare recommends that you use [leaked credentials detection](/waf/detections/leaked-credentials/) instead of Cloudflare Exposed Credentials Check, which refers to a previous implementation.<br/>
+For more information on migrating your Exposed Credentials Check configuration, refer to the [migration guide](/waf/reference/migration-guides/exposed-credentials-check-migration/).
 :::