cloudflare · pedrosousa · Oct 9, 2024 · Oct 8, 2024 · Oct 8, 2024 · Oct 8, 2024
@@ -5,7 +5,7 @@ sidebar:
   order: 4
 ---
 
-import { Render } from "~/components";
+import { Render, RuleID } from "~/components";
 
 The Cloudflare Exposed Credentials Check Managed Ruleset is a set of pre-configured rules for well-known CMS applications that perform a lookup against a public database of stolen credentials.
 
@@ -39,14 +39,122 @@ You can configure the following settings of the Cloudflare Exposed Credentials C
 - **Set the action to perform.** When you define an action for the ruleset, you override the default action defined for each rule. The available actions are: _Managed Challenge_, _Block_, _JS Challenge_, _Log_, and _Interactive Challenge_. To remove the action override, set the ruleset action to _Default_.
 - **Override the action performed by individual rules.** The available actions are: _Exposed-Credential-Check Header_, _Managed Challenge_, _Block_, _JS Challenge_, _Log_, and _Interactive Challenge_. For more information, refer to [Available actions](/waf/managed-rules/check-for-exposed-credentials/#available-actions).
 - **Disable specific rules.**
-- **Customize the filter expression.** With a custom expression, the Cloudflare Managed Ruleset applies only to a subset of the incoming requests.
+- **Customize the filter expression.** With a custom expression, the Cloudflare Exposed Credentials Check Managed Ruleset applies only to a subset of the incoming requests.
 - **Configure [payload logging](/waf/managed-rules/payload-logging/configure/)**.
 
 For details on configuring a managed ruleset in the dashboard, refer to [Configure a managed ruleset](/waf/managed-rules/deploy-zone-dashboard/#configure-a-managed-ruleset).
 
 ## Configure via API
 
-To enable the Cloudflare Exposed Credentials Check Managed Ruleset for a given zone via API, create a rule with `execute` action in the entry point ruleset for the `http_request_firewall_managed` phase. For more information on deploying a managed ruleset, refer to [Deploy a managed ruleset](/ruleset-engine/managed-rulesets/deploy-managed-ruleset/).
+To enable the Cloudflare Exposed Credentials Check Managed Ruleset for a given zone via API, create a rule with `execute` action in the [entry point ruleset](/ruleset-engine/about/rulesets/#entry-point-ruleset) for the `http_request_firewall_managed` phase.
+
+### Example
+
+This example deploys the Cloudflare Exposed Credentials Check Managed Ruleset to the `http_request_firewall_managed` phase of a given zone (`{zone_id}`) by creating a rule that executes the managed ruleset. The rules in the managed ruleset are executed for all incoming requests.
+
+1.  Invoke the [Get a zone entry point ruleset](/api/operations/getZoneEntrypointRuleset) operation to obtain the definition of the entry point ruleset for the `http_request_firewall_managed` phase. You will need the [zone ID](/fundamentals/setup/find-account-and-zone-ids/) for this task.
+
+    ```bash
+    curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/http_request_firewall_managed/entrypoint" \
+    --header "Authorization: Bearer <API_TOKEN>"
+    ```
+
+    ```json output {4}
+    {
+    	"result": {
+    		"description": "Zone-level phase entry point",
+    		"id": "<RULESET_ID>",
+    		"kind": "zone",
+    		"last_updated": "2024-03-16T15:40:08.202335Z",
+    		"name": "zone",
+    		"phase": "http_request_firewall_managed",
+    		"rules": [
+    			// ...
+    		],
+    		"source": "firewall_managed",
+    		"version": "10"
+    	},
+    	"success": true,
+    	"errors": [],
+    	"messages": []
+    }
+    ```
+
+2.  If the entry point ruleset already exists (that is, if you received a `200 OK` status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the [Create a zone ruleset rule](/api/operations/createZoneRulesetRule) operation to add an `execute` rule to the existing ruleset deploying the Cloudflare Exposed Credentials Check Managed Ruleset (with ID <RuleID id="c2e184081120413c86c3ab7e14069605" />). By default, the rule will be added at the end of the list of rules already in the ruleset.
+
+    ```bash
+    curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/rules" \
+    --header "Authorization: Bearer <API_TOKEN>" \
+    --header "Content-Type: application/json" \
+    --data '{
+    	"action": "execute",
+    	"action_parameters": {
+    		"id": "c2e184081120413c86c3ab7e14069605"
+    	},
+    	"expression": "true",
+    	"description": "Execute the Cloudflare Exposed Credentials Check Managed Ruleset"
+    }'
+    ```
+
+    ```json output
+    {
+    	"result": {
+    		"id": "<RULESET_ID>",
+    		"name": "Zone-level phase entry point",
+    		"description": "",
+    		"kind": "zone",
+    		"version": "11",
+    		"rules": [
+    			// ... any existing rules
+    			{
+    				"id": "<RULE_ID>",
+    				"version": "1",
+    				"action": "execute",
+    				"action_parameters": {
+    					"id": "c2e184081120413c86c3ab7e14069605",
+    					"version": "latest"
+    				},
+    				"expression": "true",
+    				"description": "Execute the Cloudflare Exposed Credentials Check Managed Ruleset",
+    				"last_updated": "2024-03-18T18:08:14.003361Z",
+    				"ref": "<RULE_REF>",
+    				"enabled": true
+    			}
+    		],
+    		"last_updated": "2024-03-18T18:08:14.003361Z",
+    		"phase": "http_request_firewall_managed"
+    	},
+    	"success": true,
+    	"errors": [],
+    	"messages": []
+    }
+    ```
+
+3.  If the entry point ruleset does not exist (that is, if you received a `404 Not Found` status code in step 1), create it using the [Create a zone ruleset](/api/operations/createZoneRuleset) operation. Include a single rule in the `rules` array that executes the Cloudflare Exposed Credentials Check Managed Ruleset (with ID <RuleID id="c2e184081120413c86c3ab7e14069605" />) for all incoming requests in the zone.
+
+    ```bash
+    curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \
+    --header "Authorization: Bearer <API_TOKEN>" \
+    --header "Content-Type: application/json" \
+    --data '{
+      "name": "My ruleset",
+      "description": "Entry point ruleset for WAF managed rulesets",
+      "kind": "zone",
+      "phase": "http_request_firewall_managed",
+      "rules": [
+        {
+    			"action": "execute",
+    			"action_parameters": {
+    				"id": "c2e184081120413c86c3ab7e14069605"
+    			},
+    			"expression": "true",
+    			"description": "Execute the Cloudflare Exposed Credentials Check Managed Ruleset"
+    		}
+      ]
+    }'
+    ```
+
+### Next steps
 
 To configure the Exposed Credentials Check Managed Ruleset via API, create [overrides](/ruleset-engine/managed-rulesets/override-managed-ruleset/) using the Rulesets API. You can perform the following configurations:
 
@@ -62,3 +170,7 @@ Besides activating the Exposed Credentials Check Managed Ruleset, you can also c
 For more information, refer to [Create a custom rule checking for exposed credentials](/waf/managed-rules/check-for-exposed-credentials/configure-api/#create-a-custom-rule-checking-for-exposed-credentials).
 
 :::
+
+### More resources
+
+For more information on working with managed rulesets via API, refer to [Work with managed rulesets](/ruleset-engine/managed-rulesets/) in the Ruleset Engine documentation.
@@ -42,9 +42,115 @@ For details on configuring a managed ruleset in the dashboard, refer to [Configu
 
 ## Configure via API
 
-To enable Cloudflare Sensitive Data Detection for a given zone using the API, create a rule with `execute` action in the entry point ruleset for the `http_response_firewall_managed` phase. For more information on deploying a managed ruleset, refer to [Deploy a managed ruleset](/ruleset-engine/managed-rulesets/deploy-managed-ruleset/).
-
-The ruleset ID is the following: <RuleID id="e22d83c647c64a3eae91b71b499d988e" />.
+To enable Cloudflare Sensitive Data Detection for a given zone using the API, create a rule with `execute` action in the [entry point ruleset](/ruleset-engine/about/rulesets/#entry-point-ruleset) for the `http_response_firewall_managed` phase.
+
+### Example
+
+This example deploys the Cloudflare Sensitive Data Detection managed ruleset to the `http_response_firewall_managed` phase of a given zone (`{zone_id}`) by creating a rule that executes the managed ruleset. The rules in the managed ruleset are executed for all incoming requests.
+
+1.  Invoke the [Get a zone entry point ruleset](/api/operations/getZoneEntrypointRuleset) operation to obtain the definition of the entry point ruleset for the `http_response_firewall_managed` phase. You will need the [zone ID](/fundamentals/setup/find-account-and-zone-ids/) for this task.
+
+    ```bash
+    curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/http_response_firewall_managed/entrypoint" \
+    --header "Authorization: Bearer <API_TOKEN>"
+    ```
+
+    ```json output {4}
+    {
+    	"result": {
+    		"description": "Zone-level phase entry point (response)",
+    		"id": "<RULESET_ID>",
+    		"kind": "zone",
+    		"last_updated": "2024-03-16T15:40:08.202335Z",
+    		"name": "zone",
+    		"phase": "http_response_firewall_managed",
+    		"rules": [
+    			// ...
+    		],
+    		"source": "firewall_managed",
+    		"version": "10"
+    	},
+    	"success": true,
+    	"errors": [],
+    	"messages": []
+    }
+    ```
+
+2.  If the entry point ruleset already exists (that is, if you received a `200 OK` status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the [Create a zone ruleset rule](/api/operations/createZoneRulesetRule) operation to add an `execute` rule to the existing ruleset deploying the Cloudflare Sensitive Data Detection managed ruleset (with ID <RuleID id="e22d83c647c64a3eae91b71b499d988e" />). By default, the rule will be added at the end of the list of rules already in the ruleset.
+
+    ```bash
+    curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/rules" \
+    --header "Authorization: Bearer <API_TOKEN>" \
+    --header "Content-Type: application/json" \
+    --data '{
+    	"action": "execute",
+    	"action_parameters": {
+    		"id": "e22d83c647c64a3eae91b71b499d988e"
+    	},
+    	"expression": "true",
+    	"description": "Execute the Cloudflare Sensitive Data Detection managed ruleset"
+    }'
+    ```
+
+    ```json output
+    {
+    	"result": {
+    		"id": "<RULESET_ID>",
+    		"name": "Zone-level phase entry point (response)",
+    		"description": "",
+    		"kind": "zone",
+    		"version": "11",
+    		"rules": [
+    			// ... any existing rules
+    			{
+    				"id": "<RULE_ID>",
+    				"version": "1",
+    				"action": "execute",
+    				"action_parameters": {
+    					"id": "e22d83c647c64a3eae91b71b499d988e",
+    					"version": "latest"
+    				},
+    				"expression": "true",
+    				"description": "Execute the Cloudflare Sensitive Data Detection managed ruleset",
+    				"last_updated": "2024-03-18T18:08:14.003361Z",
+    				"ref": "<RULE_REF>",
+    				"enabled": true
+    			}
+    		],
+    		"last_updated": "2024-03-18T18:08:14.003361Z",
+    		"phase": "http_response_firewall_managed"
+    	},
+    	"success": true,
+    	"errors": [],
+    	"messages": []
+    }
+    ```
+
+3.  If the entry point ruleset does not exist (that is, if you received a `404 Not Found` status code in step 1), create it using the [Create a zone ruleset](/api/operations/createZoneRuleset) operation. Include a single rule in the `rules` array that executes the Cloudflare Sensitive Data Detection managed ruleset (with ID <RuleID id="e22d83c647c64a3eae91b71b499d988e" />) for all incoming requests in the zone.
+
+    ```bash
+    curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \
+    --header "Authorization: Bearer <API_TOKEN>" \
+    --header "Content-Type: application/json" \
+    --data '{
+      "name": "My ruleset",
+      "description": "Entry point ruleset for WAF managed rulesets (response)",
+      "kind": "zone",
+      "phase": "http_response_firewall_managed",
+      "rules": [
+        {
+    			"action": "execute",
+    			"action_parameters": {
+    				"id": "e22d83c647c64a3eae91b71b499d988e"
+    			},
+    			"expression": "true",
+    			"description": "Execute the Cloudflare Sensitive Data Detection managed ruleset"
+    		}
+      ]
+    }'
+    ```
+
+### Next steps
 
 To configure Cloudflare Sensitive Data Detection using the API, create [overrides](/ruleset-engine/managed-rulesets/override-managed-ruleset/) using the Rulesets API. You can perform the following configurations:
 
@@ -53,6 +159,10 @@ To configure Cloudflare Sensitive Data Detection using the API, create [override
 
 For examples of creating overrides using the API, refer to [Override a managed ruleset](/ruleset-engine/managed-rulesets/override-managed-ruleset/).
 
+### More resources
+
+For more information on working with managed rulesets via API, refer to [Work with managed rulesets](/ruleset-engine/managed-rulesets/) in the Ruleset Engine documentation.
+
 ## Review detected leaks
 
 To check for any data leaks detected by Cloudflare Sensitive Data Detection, you can do the following: