
Enable API security posture with Defender CSPM

The Defender Cloud Security Posture Management (CSPM) plan in Microsoft Defender for Cloud gives you a complete view of your APIs across Azure API Management, Function Apps, and Logic Apps. It helps you improve API security by finding misconfigurations and vulnerabilities. This article explains how to enable API security posture management in your Defender CSPM plan and assess your API security. Defender CSPM onboards APIs without an agent and regularly checks for risks and sensitive data exposure. It provides prioritized risk insights and mitigation through API attack path analysis and security recommendations.

Note

API discovery and security posture capabilities in Microsoft Defender for Cloud now also support Function Apps and Logic Apps. This feature is currently available in Preview.

Prerequisites

Cloud and region support

API Security Posture Management within Defender CSPM is available in the Azure commercial cloud, in the following regions:

  • Asia (Southeast Asia, East Asia)
  • Australia (Australia East, Australia Southeast, Australia Central, Australia Central 2)
  • Brazil (Brazil South, Brazil Southeast)
  • Canada (Canada Central, Canada East)
  • Europe (West Europe, North Europe)
  • India (Central India, South India, West India)
  • Japan (Japan East, Japan West)
  • UK (UK South, UK West)
  • US (East US, East US 2, West US, West US 2, West US 3, Central US, North Central US, South Central US, West Central US, East US 2 EUAP, Central US EUAP)

Review the latest cloud support information for Defender for Cloud plans and features in the cloud support matrix.

API support

Availability
  • Azure API Management: This feature is available in the Premium, Standard, Basic, and Developer tiers of Azure API Management. It does not support APIs that are exposed using the API Management self-hosted gateway, or managed using API Management workspaces.
  • Azure App Services: Supported Azure Function App hosting tiers are Premium, Elastic Premium, Dedicated (App Service), and App Service Environment (ASE). For Azure Logic Apps, supported tiers are Standard (Single-Tenant) and App Service Environment (ASE). Consumption tier Function Apps, Consumption tier Logic Apps, and Azure Arc-enabled Logic Apps are not supported.

API types
  • REST APIs only.

Enable API security posture management extension

  1. Sign in to the Azure portal.

  2. Search for and select Microsoft Defender for Cloud.

  3. Navigate to Environment settings.

  4. Select the relevant subscription in scope.

  5. Go to the Defender CSPM plan and select Settings.

  6. Enable API security posture management.

    Screenshot of Enable API security posture management.

  7. Select Save.

You'll see a notification message confirming that the settings were saved successfully. Once enabled, APIs start onboarding and appear in your Defender for Cloud Inventory within a few hours.
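The portal steps above toggle an extension on the Defender CSPM plan, which is exposed as the Microsoft.Security/pricings resource named CloudPosture. The following is an added example, not code from the Microsoft Learn article or from Microsoft: it reads a pricings response, reports why API posture would not be fully effective (plan tier, the API posture extension, and the sensitive data discovery extension that the note under "API endpoint detailed findings" says is required for sensitive-data scanning), and builds the PUT body that enables API posture while carrying over every other extension's state. The extension names "ApiPosture" and "SensitiveDataDiscovery", the api-version, and the sample response are assumptions to verify against the pricings API reference; the az rest invocation is only rendered as a string, not executed.

```python
# Added example (not from the Microsoft Learn article): assess and build
# Defender CSPM extension settings in the shape of the
# Microsoft.Security/pricings resource. Extension names and api-version
# are assumptions; verify them against the pricings API reference.
import json

PRICING_NAME = "CloudPosture"                  # Defender CSPM plan under Microsoft.Security/pricings
API_VERSION = "2024-01-01"                     # assumed api-version
API_POSTURE_EXT = "ApiPosture"                 # assumed extension name for API security posture
SENSITIVE_DATA_EXT = "SensitiveDataDiscovery"  # assumed extension name for sensitive data discovery

# Constructed sample of a GET .../pricings/CloudPosture response: the plan is
# Standard, sensitive data discovery is on, API posture is still disabled.
SAMPLE_RESPONSE = {
    "name": PRICING_NAME,
    "properties": {
        "pricingTier": "Standard",
        "extensions": [
            {"name": SENSITIVE_DATA_EXT, "isEnabled": "True"},
            {"name": API_POSTURE_EXT, "isEnabled": "False"},
        ],
    },
}


def extension_states(pricing: dict) -> dict:
    """Map extension name -> enabled flag from a pricings response or request body.

    The API carries isEnabled as the strings "True"/"False"; booleans are
    accepted too so the helper also works on locally built bodies.
    """
    states = {}
    for ext in pricing.get("properties", {}).get("extensions", []):
        states[ext["name"]] = str(ext.get("isEnabled", "False")).lower() == "true"
    return states


def assess_api_posture(pricing: dict) -> list:
    """Return findings explaining why API posture is not fully effective.

    An empty list means the plan is Standard, ApiPosture is on, and sensitive
    data discovery (needed for sensitive-data scanning of onboarded APIs) is on.
    """
    findings = []
    tier = pricing.get("properties", {}).get("pricingTier")
    if tier != "Standard":
        findings.append(f"Defender CSPM tier is {tier!r}; API posture requires Standard")
        return findings
    states = extension_states(pricing)
    if not states.get(API_POSTURE_EXT, False):
        findings.append("ApiPosture is disabled; APIs will not be onboarded for posture")
    if not states.get(SENSITIVE_DATA_EXT, False):
        findings.append("SensitiveDataDiscovery is disabled; onboarded APIs will not be scanned for sensitive data")
    return findings


def build_put_body(pricing: dict, enable: bool = True) -> dict:
    """Build a PUT body that sets ApiPosture and carries over every other extension.

    The PUT replaces the whole extensions array, so copying the existing
    states avoids silently turning another extension off.
    """
    states = extension_states(pricing)
    states[API_POSTURE_EXT] = enable
    return {
        "properties": {
            "pricingTier": "Standard",
            "extensions": [
                {"name": name, "isEnabled": "True" if on else "False"}
                for name, on in states.items()
            ],
        }
    }


def az_rest_command(subscription_id: str, body: dict) -> str:
    """Render the 'az rest' call that would apply the body (not executed here)."""
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           f"/providers/Microsoft.Security/pricings/{PRICING_NAME}?api-version={API_VERSION}")
    return f"az rest --method put --url '{url}' --body '{json.dumps(body)}'"


if __name__ == "__main__":
    for finding in assess_api_posture(SAMPLE_RESPONSE):
        print("finding:", finding)
    body = build_put_body(SAMPLE_RESPONSE, enable=True)
    print(az_rest_command("<subscription-id>", body))
```

Run against a real subscription by feeding the JSON from a GET on the pricings resource into assess_api_posture; a non-empty findings list is the condition to alert on when checking many subscriptions, and the rendered az rest command (after replacing the placeholder subscription id) is the programmatic equivalent of step 6 above.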

View API inventory

APIs onboarded to the Defender CSPM plan appear in the API security dashboard under Workload protection and Microsoft Defender for Cloud Inventory.

  1. Navigate to the Cloud Security section of the Defender for Cloud menu and select API security under Advanced Workload protections.

    Screenshot of the API security dashboard.

  2. The dashboard shows the number of onboarded APIs, broken down by API collections, endpoints, and Azure API Management services. It also summarizes which APIs are onboarded for threat detection coverage under the Defender for APIs workload protection plan.

  3. To see APIs onboarded to the Defender CSPM plan for posture protection, apply the filter Defender plan == Defender CSPM.

    Screenshot of filtered APIs for Defender CSPM plan for posture.

  4. Drill down into the API collection details page to review security findings for specific API operations. These are visible in the side context pane when you select an API operation of interest.

    Screenshot of API collection details page.

API endpoint detailed findings

  1. Sensitive Information Type: Provides details on the sensitive information exposed in API URL paths, query parameters, request bodies, and response bodies based on supported data types, along with the source of the information type found.

  2. Additional Information: In the case of API response bodies, this shows which HTTP response codes contained sensitive information (such as 2xx, 3xx, 4xx).

Review API security posture findings along with your API inventory in the Microsoft Defender for Cloud Inventory experience.

Note

Sensitive data exposure won't be scanned if the sensitive data discovery extension is turned off. Enable sensitive data discovery to scan for sensitive information in your APIs. This setting only affects APIs onboarded to the Defender CSPM plan. If you have the Defender for APIs workload protection plan enabled on the same APIs, they will still be scanned for sensitive data.

Investigate API security recommendations

API endpoints are continuously assessed for misconfigurations and vulnerabilities, including authentication flaws and inactive APIs. Security recommendations are generated with associated risk factors like external exposure and data sensitivity risks. The importance of the security recommendations is calculated based on these risk factors. Learn more about risk-based security recommendations.

To investigate your API security posture recommendations:

  1. Navigate to the Defender for Cloud main menu and select Recommendations.
  2. Use the Group by Title toggle to organize recommendations.
  3. Apply filters to narrow down API-related recommendations. Filter by Resource Type (e.g., API Management Operation or API Endpoint), or filter by Recommendation Name to target specific API security issues.

To explore the full list of API-related recommendations, see the APIs section in the Defender for Cloud recommendation reference guide.

Explore API risks and remediate with attack path analysis

The cloud security explorer helps you identify potential security risks in your cloud environment by querying the cloud security graph.

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Cloud Security Explorer.

  3. Use the built-in query template to quickly identify APIs with security insights.

    Screenshot of Cloud Security Explorer with API security insights query template.

  4. Alternatively, build a custom query with Cloud Security Explorer to find API risks and see API endpoints connected to backend compute or data stores. For example, you can see API endpoints routing traffic to virtual machines with remote code vulnerabilities.

    Screenshot of custom query in Cloud Security Explorer.

Attack path analysis in Defender for Cloud surfaces the security issues that pose immediate threats to your cloud applications and environments. Identify and remediate API-led attack paths to address the API risks that most seriously threaten your organization.

  1. In the Defender for Cloud menu, go to Attack path analysis.

  2. Filter by resource type API Management operation to investigate API-related attack paths.

    Screenshot of Attack path analysis filtered by API Management operation.

  3. View the security recommendations for your API endpoints in scope and remediate the recommendations to protect your APIs from high-risk attack surfaces.

    Screenshot of API security recommendations in Attack path analysis.

Offboard API security posture protection

APIs that are part of the Defender CSPM plan can't be offboarded individually. If you want to offboard all APIs from the Defender CSPM plan, go to the Defender CSPM Plan Settings page and disable the API posture extension.

Screenshot of Disable API security posture management.