diff --git a/src/content/docs/waf/detections/malicious-uploads/get-started.mdx b/src/content/docs/waf/detections/malicious-uploads/get-started.mdx
index 2a3f8e881b2c59..ffa7b689bc252d 100644
--- a/src/content/docs/waf/detections/malicious-uploads/get-started.mdx
+++ b/src/content/docs/waf/detections/malicious-uploads/get-started.mdx
@@ -148,6 +148,8 @@ The custom scan expression will scan any string found in an HTTP body with the f
 { "file": "<BASE64_ENCODED_STRING>" }
 ```
 
+Refer to the [`lookup_json_string()` function reference](/ruleset-engine/rules-language/functions/#lookup_json_string) for more information and additional examples of looking up fields in nested JSON payloads.
+
 :::note
 The content scanner will automatically decode Base64 strings.
 :::