The Defender Cloud Security Posture Management (CSPM) plan in Microsoft Defender for Cloud gives you a complete view of your APIs across Azure API Management, Function Apps, and Logic Apps. It helps you improve API security by finding misconfigurations and vulnerabilities. This article explains how to enable API security posture management in your Defender CSPM plan and assess your API security. Defender CSPM onboards APIs without an agent and regularly checks for risks and sensitive data exposure. It provides prioritized risk insights and mitigation through API attack path analysis and security recommendations.
Note
API discovery and security posture capabilities in Microsoft Defender for Cloud now also support Function Apps and Logic Apps. This feature is currently available in Preview.
Prerequisites
- Read about Improve your API security posture.
- You need a Microsoft Azure subscription. If you don't have one, you can sign up for a free subscription.
- Enable Defender for Cloud on your Azure subscription.
- Enable Defender Cloud Security Posture Management (CSPM) on your Azure subscription.
- The Subscription Owner must enable the CSPM plan to access all features.
- Ensure the APIs you want to protect are deployed in Azure API Management, Function Apps, or Logic Apps.
Cloud and region support
API Security Posture Management within Defender CSPM is available in the Azure commercial cloud, in the following regions:
- Asia (Southeast Asia, East Asia)
- Australia (Australia East, Australia Southeast, Australia Central, Australia Central 2)
- Brazil (Brazil South, Brazil Southeast)
- Canada (Canada Central, Canada East)
- Europe (West Europe, North Europe)
- India (Central India, South India, West India)
- Japan (Japan East, Japan West)
- UK (UK South, UK West)
- US (East US, East US 2, West US, West US 2, West US 3, Central US, North Central US, South Central US, West Central US, East US 2 EUAP, Central US EUAP)
Review the latest cloud support information for Defender for Cloud plans and features in the cloud support matrix.
API support
| Feature | Supported |
|---|---|
| Availability | Azure API Management: This feature is available in the Premium, Standard, Basic, and Developer tiers of Azure API Management. It doesn't support APIs that are exposed through the API Management self-hosted gateway or managed through API Management workspaces. Azure App Services: Supported Azure Function App hosting tiers include Premium, Elastic Premium, Dedicated (App Service), and App Service Environment (ASE). For Azure Logic Apps, supported tiers include Standard (Single-Tenant) and App Service Environment (ASE). Consumption tier Function Apps, Consumption tier Logic Apps, and Azure Arc-enabled Logic Apps aren't supported. |
| API types | Support only for REST APIs. |
Enable API security posture management extension
Sign in to the Azure portal.
Go to Microsoft Defender for Cloud > Environment settings.
Select the relevant subscription.
Locate the Defender CSPM plan and select Settings.
Enable API security posture management.
Select Continue.
Select Save.
A notification message confirming that the settings were saved successfully appears. Once enabled, APIs start onboarding and appear in your Defender for Cloud Inventory within a few hours.
View API inventory
APIs onboarded to the Defender CSPM plan appear in the API security dashboard under Workload protection and Microsoft Defender for Cloud Inventory.
Navigate to the Cloud Security section of the Defender for Cloud menu and select API security under Advanced Workload protections.
The dashboard shows the number of onboarded APIs, broken down by API collections, endpoints, and Azure API Management services. It also summarizes which of those APIs have threat detection coverage through the Defender for APIs workload protection plan.
Apply the filter Defender plan == Defender CSPM to view the APIs onboarded to the Defender CSPM plan.
Select OK.
Select an API operation of interest to review the security findings for specific API operations.
API endpoint detailed findings
Sensitive Information Type: Provides details on the sensitive information exposed in API URL paths, query parameters, request bodies, and response bodies based on supported data types, along with the source of the information type found.
Additional Information: In the case of API response bodies, this field shows which HTTP response codes contained sensitive information (such as 2xx, 3xx, 4xx).
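To make the two finding fields concrete, here is an added illustration (not Defender for Cloud's own detection logic, which isn't published on this page) that scans a constructed sample of API traffic for two sensitive information types, records the source where each type was seen (URL path, query parameter, request body, response body), and, for response bodies only, records the HTTP response-code class that returned it. The endpoint paths, values, and the Luhn filter for card-like numbers are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample traffic with hypothetical paths and values (not real data).
SAMPLE_TRAFFIC = [
    {"path": "/v1/customers/123", "query": {}, "request_body": "",
     "status": 200, "response_body": '{"name":"A. Example","email":"a.example@example.com"}'},
    {"path": "/v1/payments", "query": {}, "request_body": '{"card":"4111 1111 1111 1111"}',
     "status": 201, "response_body": '{"ok":true}'},
    {"path": "/v1/search", "query": {"email": "b@example.com"}, "request_body": "",
     "status": 404, "response_body": '{"error":"no record for b@example.com"}'},
    # A 16-digit order id that is not a valid card number: the Luhn check must reject it.
    {"path": "/v1/orders", "query": {}, "request_body": "",
     "status": 200, "response_body": '{"order_id":"1234 5678 9012 3456"}'},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits with optional separators


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (cuts false positives)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_types(text: str) -> set[str]:
    """Return the set of sensitive information types present in one text fragment."""
    found: set[str] = set()
    if EMAIL_RE.search(text):
        found.add("Email address")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            found.add("Credit card number")
            break
    return found


@dataclass
class Finding:
    sources: set[str] = field(default_factory=set)         # where the type was seen
    response_codes: set[str] = field(default_factory=set)  # "2xx", "4xx", ... (response bodies only)


def scan_traffic(records: list[dict]) -> dict[str, Finding]:
    """Aggregate findings per sensitive information type across sampled requests and responses."""
    findings: dict[str, Finding] = {}
    for rec in records:
        fragments = {
            "URL path": rec["path"],
            "query parameter": " ".join(f"{k}={v}" for k, v in rec["query"].items()),
            "request body": rec["request_body"],
            "response body": rec["response_body"],
        }
        code_class = f"{rec['status'] // 100}xx"
        for source, text in fragments.items():
            for info_type in find_types(text):
                finding = findings.setdefault(info_type, Finding())
                finding.sources.add(source)
                if source == "response body":
                    finding.response_codes.add(code_class)
    return findings


if __name__ == "__main__":
    for info_type, f in scan_traffic(SAMPLE_TRAFFIC).items():
        print(f"{info_type}: sources={sorted(f.sources)} response_codes={sorted(f.response_codes)}")
```

Running it on the sample reports the email address as exposed in a query parameter and in response bodies returned with 2xx and 4xx codes, while the card number is attributed only to a request body (so it carries no response-code class), and the Luhn-invalid order id produces no finding at all. The 4xx case is the one worth noticing: error responses that echo the caller's input leak sensitive data just as readily as successful ones.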
Review API security posture findings along with your API inventory in the Microsoft Defender for Cloud Inventory experience.
Note
Sensitive data exposure isn't scanned if the sensitive data discovery extension isn't enabled. To scan for sensitive information in your APIs, you must enable sensitive data discovery. This setting only affects APIs onboarded to the Defender CSPM plan. If you enable the Defender for APIs workload protection plan on the same APIs, they are scanned for sensitive data.
Investigate API security recommendations
Defender for Cloud continuously assesses API endpoints for misconfigurations and vulnerabilities, including authentication flaws and inactive APIs. It generates security recommendations with associated risk factors like external exposure and data sensitivity risks. Defender for Cloud calculates the importance of the security recommendations based on these risk factors. Learn more about risk-based security recommendations.
To investigate your API security posture recommendations:
Go to the Defender for Cloud main menu and select Recommendations.
Select the Group by Title toggle to organize recommendations.
Filter by Resource Type (for example, API Management Operation or API Endpoint), or by Recommendation Name, to narrow the list to the API-related recommendations that address the security problem you're targeting.
See the APIs section in the Defender for Cloud recommendation reference guide for the full list of API-related recommendations.
Explore API risks and remediate with attack path analysis
The cloud security explorer helps you identify potential security risks in your cloud environment by querying the cloud security graph.
Sign in to the Azure portal.
Go to Microsoft Defender for Cloud > Cloud Security Explorer.
Use the built-in query template to quickly identify APIs with security insights.
Alternatively, build a custom query with Cloud Security Explorer to find API risks and see API endpoints connected to backend compute or data stores. For example, you can see API endpoints routing traffic to virtual machines with remote code vulnerabilities.
Attack path analysis in Defender for Cloud addresses security problems that pose immediate threats to your cloud applications and environments. Identify and remediate API-led attack paths to address the most critical API risks to your organization.
In the Defender for Cloud menu, go to Attack path analysis.
Filter by resource type API Management operation to investigate API-related attack paths.
View the security recommendations for your API endpoints in scope and remediate the recommendations to protect your APIs from high-risk attack surfaces.
Offboard API security posture protection
You can't offboard individual APIs that are part of the Defender CSPM plan. To offboard all APIs from the Defender CSPM plan, go to the Defender CSPM Plan Settings page and disable the API posture extension.
Select Continue and then Save to confirm. This action offboards all APIs from the Defender CSPM plan, and API security posture management is disabled.
Related content
- Monitor for API threats by using Defender for APIs Workload Protection.