diff --git a/src/content/docs/waf/detections/leaked-credentials/get-started.mdx b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx index c37157e47a36ed..a2342bb32b0d67 100644 --- a/src/content/docs/waf/detections/leaked-credentials/get-started.mdx +++ b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx @@ -90,20 +90,18 @@ To check for leaked credentials in a way that is not covered by the default conf 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. 2. Go to **Security** > **Settings**. -3. Under **Incoming traffic detections**, select **Leaked credentials** and then select the three dots to add a custom detection. -4. In **Username location**, enter an expression for obtaining the username in the HTTP request. For example: +3. Under **Incoming traffic detections**, select **Leaked credentials** and then select **Add custom username and password location**. +4. In **Username location** and **Password location** (optional), enter expressions for obtaining the username and the password from the HTTP request. Refer to the following example expressions: - ```txt - lookup_json_string(http.request.body.raw, "user") - ``` + | Request type | Username location / Password location | + | ---------------- | --------------------------------------------------------------------------------------------------------------- | + | JSON body | `lookup_json_string(http.request.body.raw, "user")`
`lookup_json_string(http.request.body.raw, "secret")` | + | URL-encoded form | `url_decode(http.request.body.form["user"][0])`
`url_decode(http.request.body.form["secret"][0])` | + | Multipart form | `url_decode(http.request.body.multipart["user"][0])`
`url_decode(http.request.body.multipart["secret"][0])` | -5. In **Password location**, enter an expression for obtaining the password in the HTTP request. For example: + Refer to the [`lookup_json_string()`](/ruleset-engine/rules-language/functions/#lookup_json_string) and [`url_decode()`](/ruleset-engine/rules-language/functions/#url_decode) documentation for more information on these functions. - ```txt - lookup_json_string(http.request.body.raw, "secret") - ``` - -6. Select **Save**. +5. Select **Save**. @@ -126,6 +124,8 @@ This pair of lookup expressions (for username and password) will scan incoming H {"user": "", "secret": ""} ``` +Refer to the [`lookup_json_string()`](/ruleset-engine/rules-language/functions/#lookup_json_string) documentation for more information on this function. + You only need to provide an expression for the username in custom detection locations.
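Review bot: In the first hunk's new table (step 4), the Multipart form row wraps both values in url_decode(), as in `url_decode(http.request.body.multipart["secret"][0])`, but multipart/form-data field values are not percent-encoded. A password containing a literal `%xx` sequence would be altered before the leaked-credentials check, so please confirm this is intended or drop url_decode() from that row. Separately, the single column "Username location / Password location" holds two expressions per cell without saying which is which. Two columns, one per field, would remove the need to infer it from the "user" and "secret" keys.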
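Review bot: In the second hunk (around line 126), the added "Refer to" sentence links only lookup_json_string(), while the first hunk's table also introduces url_decode() expressions for URL-encoded and multipart bodies. If this section is meant to cover the same custom detection locations, consider mentioning the form and multipart variants here as well, or pointing back to the table, so the two sections do not diverge. The unchanged line that follows ("You only need to provide an expression for the username") agrees with the "(optional)" wording added to step 4, so no change is needed there.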