Classify APIs with sensitive data exposure

Once your APIs are onboarded, Defender for APIs starts monitoring your APIs for sensitive data exposure. APIs are classified with both built-in and custom sensitive information types and labels as defined by your organization's Microsoft Purview Information Protection (MIP) governance rules. If you don't have MIP Purview configured, APIs are classified with the Microsoft Defender for Cloud default classification rule set with the following features.

Within the Defender for APIs inventory experience, you can add a filter to search for sensitivity labels or sensitive information types and identify APIs with custom classifications and information types.

Screenshot showing API inventory list.

Explore API exposure through attack paths

When the Defender Cloud Security Posture Management (CSPM) plan is enabled, API attack paths let you discover and remediate the risk of API data exposure. For more information, see Data security posture management in Defender CSPM.

  1. Select the API attack path "Internet exposed APIs that are unauthenticated carry sensitive data" and review the data path:

    Screenshot showing attack path analysis.

  2. View the attack path details by selecting the published attack path.

  3. Select the Insights resource.

  4. Expand the insight to analyze further details about this attack path:

    Screenshot showing attack path insights.

  5. For risk mitigation steps, open Active Recommendations and resolve unhealthy recommendations for the API endpoint in scope.

Explore API data exposure through Cloud Security Graph

When the Defender Cloud Security Posture Management (CSPM) plan is enabled, you can view sensitive API data exposure and identify the API labels according to your sensitivity settings by adding the following filter:

Explore sensitive APIs in security alerts

With Defender for APIs and data sensitivity integration into API security alerts, you can prioritize API security incidents involving sensitive data exposure. For more information, see Defender for APIs alerts.

In the alert's extended properties, you can find sensitivity scanning findings for the sensitivity context:

  • Sensitivity scanning time UTC: when the last scan was performed.
  • Top sensitivity label: the most sensitive label found in the API endpoint.
  • Sensitive information types: information types that were found, and whether they're based on custom rules.
  • Sensitive file types: the file types of the sensitive data.

Screenshot showing alert details.
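
The following is an added example, not Microsoft's code: a small triage routine that orders exported alerts by the sensitivity context described above and flags findings whose last scan is old. It assumes alerts are exported as JSON-like records, that the extended property keys match the display names listed above, that scan times are ISO 8601 strings, and that the label order in `LABEL_RANK` reflects your organization's settings; the sample alerts are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumed label order, least to most sensitive; replace with your organization's labels.
LABEL_RANK = ["General", "Confidential", "Highly Confidential"]

# Constructed sample alerts. Key names mirror the display names listed above;
# the field names in a real export may differ (assumption).
SAMPLE_ALERTS = [
    {"alertDisplayName": "Constructed alert A", "extendedProperties": {
        "Sensitivity scanning time UTC": "2024-05-01T08:00:00Z",
        "Top sensitivity label": "Confidential",
        "Sensitive information types": "Credit Card Number, Contoso Employee ID (custom)"}},
    {"alertDisplayName": "Constructed alert B", "extendedProperties": {
        "Sensitivity scanning time UTC": "2024-03-01T08:00:00Z",
        "Top sensitivity label": "Highly Confidential",
        "Sensitive information types": "U.S. Social Security Number"}},
    {"alertDisplayName": "Constructed alert C", "extendedProperties": {}},
]

def sensitivity_context(alert, now, max_age=timedelta(days=30)):
    """Extract the sensitivity context and mark scans older than max_age as stale."""
    props = alert.get("extendedProperties") or {}
    label = props.get("Top sensitivity label")
    rank = LABEL_RANK.index(label) if label in LABEL_RANK else -1
    scanned = props.get("Sensitivity scanning time UTC")
    stale = True  # no scan time means there is no current finding to rely on
    if scanned:
        when = datetime.fromisoformat(scanned.replace("Z", "+00:00"))
        stale = now - when > max_age
    raw_types = props.get("Sensitive information types", "")
    types = [t.strip() for t in raw_types.split(",") if t.strip()]
    return {"name": alert.get("alertDisplayName"), "label": label, "rank": rank,
            "info_types": types, "stale_scan": stale}

def triage(alerts, now=None):
    """Order alerts so the most sensitive label comes first; fresh scans win ties."""
    now = now or datetime.now(timezone.utc)
    rows = [sensitivity_context(a, now) for a in alerts]
    return sorted(rows, key=lambda r: (-r["rank"], r["stale_scan"]))

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS, now=datetime(2024, 5, 10, tzinfo=timezone.utc)):
        print(row)
```

Alerts with no sensitivity context sort last and are marked stale, so they can be routed for a rescan before being deprioritized.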

Next steps

Learn about Defender for APIs.