Protect your APIs with Defender for APIs

Defender for APIs in Microsoft Defender for Cloud offers full lifecycle protection, detection, and response coverage for APIs.

Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.

Learn more about the Microsoft Defender for APIs plan in Microsoft Defender for Cloud.

Prerequisites

Note

This article describes how to enable and onboard the Defender for APIs plan in the Defender for Cloud portal. Alternatively, you can enable Defender for APIs within an API Management instance in the Azure portal.

Enable the Defender for APIs plan

  1. Sign in to the portal, and in Defender for Cloud, select Environment settings.

  2. Select the subscription that contains the managed APIs that you want to protect.

  3. In the APIs plan, select On. Then select Save:

    Screenshot that shows how to turn on the Defender for APIs plan in the portal.

  4. Select Save.

Note

After enabling Defender for APIs, onboarded APIs take up to 50 minutes to appear in the Recommendations tab. Security insights are available in the Workload protections > API security dashboard within 40 minutes of onboarding.

Onboard APIs

  1. In the Defender for Cloud portal, select Recommendations.

  2. Search for Defender for APIs.

  3. Under Enable enhanced security features, select the security recommendation Azure API Management APIs should be onboarded to Defender for APIs:

    Screenshot that shows how to turn on the Defender for APIs plan from the recommendation.

  4. In the recommendation page, you can review the recommendation severity, update interval, description, and remediation steps.

  5. Review the resources in scope for the recommendations:

    • Unhealthy resources: Resources that aren't onboarded to Defender for APIs.
    • Healthy resources: API resources that are onboarded to Defender for APIs.
    • Not applicable resources: API resources that aren't applicable for protection.

  6. In Unhealthy resources, select the APIs that you want to protect with Defender for APIs.

  7. Select Fix:

    Screenshot that shows the recommendation details for turning on the plan.

  8. In Fixing resources, review the selected APIs, and select Fix resources:

    Screenshot that shows how to fix unhealthy resources.

  9. Verify that remediation was successful:

    Screenshot that confirms that remediation was successful.

Track onboarded API resources

After onboarding the API resources, you can track their status in the Defender for Cloud portal > Workload protections > API security:

Screenshot that shows how to track onboarded API resources.

You can also navigate to other collections to learn what types of insights or risks might exist in the inventory:

Screenshot showing the overview of API collections.

Next steps

Review API threats and security posture.