The Firewall Activity log contains entries for requests with exposed credentials identified by rules with the Log action.
Check for exposed credentials events in the Firewall Analytics dashboard (Overview tab of the Firewall app), filtering by a specific Rule ID. For more information on filtering Firewall events, refer to Adjusting displayed data.