Enable API security posture with Defender CSPM
The Defender Cloud Security Posture Management (CSPM) plan in Microsoft Defender for Cloud gives you a complete view of your APIs in Azure API Management. It helps you improve API security by finding misconfigurations and vulnerabilities. This article explains how to enable API security posture management in your Defender CSPM plan and assess your APIs' security. Defender CSPM onboards APIs without an agent and regularly checks for risks and sensitive data exposure. It provides prioritized risk insights and mitigation through API attack path analysis and security recommendations.
Prerequisites
- Read about "Improve your API security posture (Preview)".
- You need a Microsoft Azure subscription. If you don't have one, you can sign up for a free subscription.
- Enable Defender for Cloud on your Azure subscription.
- Enable Defender Cloud Security Posture Management (CSPM) on your Azure subscription.
- The Subscription Owner must enable the CSPM plan to access all features.
- Ensure the APIs you want to protect are published in Azure API Management. Follow the instructions to set up Azure API Management.
Enable API security posture management extension
1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud.
3. Navigate to Environment settings.
4. Select the relevant subscription in scope.
5. Go to the Defender CSPM plan and select Settings.
6. Enable API security posture management (Preview).
7. Select Save.
You'll see a notification message confirming that the settings were saved successfully. Once enabled, APIs start onboarding and appear in your Defender for Cloud Inventory within a few hours.
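To confirm the setting across many subscriptions rather than checking each one in the portal, the following added example (not Microsoft's code) classifies exported Defender for Cloud pricing records. It assumes the Defender CSPM plan is reported as `CloudPosture` and the extension as `ApiPosture`, names that do not appear on this page and should be confirmed against your own pricing output; the sample records and subscription ids are constructed.

```python
import json

# Assumptions (these names are not on this page; confirm them in your tenant):
# Defender CSPM is the "CloudPosture" pricing plan and the API security
# posture extension is reported under the name "ApiPosture".
PLAN_NAME = "CloudPosture"
EXTENSION_NAME = "ApiPosture"

# Constructed sample: one pricing record per subscription (placeholder ids),
# shaped like a Microsoft.Security/pricings GET response.
SAMPLE_PRICINGS = json.loads("""
{
  "sub-prod": {"name": "CloudPosture", "properties": {"pricingTier": "Standard",
    "extensions": [{"name": "SensitiveDataDiscovery", "isEnabled": "True"},
                   {"name": "ApiPosture", "isEnabled": "True"}]}},
  "sub-dev": {"name": "CloudPosture", "properties": {"pricingTier": "Standard",
    "extensions": [{"name": "ApiPosture", "isEnabled": "False"}]}},
  "sub-legacy": {"name": "CloudPosture", "properties": {"pricingTier": "Standard",
    "extensions": [{"name": "SensitiveDataDiscovery", "isEnabled": "True"}]}},
  "sub-sandbox": {"name": "CloudPosture", "properties": {"pricingTier": "Free"}}
}
""")


def api_posture_state(pricing):
    """Classify one record: enabled, plan-off, extension-off or extension-missing."""
    if pricing.get("name") != PLAN_NAME:
        raise ValueError(f"expected the {PLAN_NAME} plan, got {pricing.get('name')!r}")
    props = pricing.get("properties") or {}
    if str(props.get("pricingTier", "")).lower() != "standard":
        return "plan-off"  # the extension is a setting of the paid plan
    for ext in props.get("extensions") or []:
        if str(ext.get("name", "")).lower() == EXTENSION_NAME.lower():
            # isEnabled arrives as the string "True"/"False"; accept booleans too.
            enabled = str(ext.get("isEnabled", "")).lower() == "true"
            return "enabled" if enabled else "extension-off"
    return "extension-missing"


def audit(pricings):
    """Return (state per subscription, sorted subscriptions still needing the setting)."""
    states = {sub: api_posture_state(rec) for sub, rec in pricings.items()}
    return states, sorted(sub for sub, st in states.items() if st != "enabled")


if __name__ == "__main__":
    states, gaps = audit(SAMPLE_PRICINGS)
    for sub in sorted(states):
        print(f"{sub:12} {states[sub]}")
    print("needs action:", ", ".join(gaps))
```

The four states separate "plan not enabled" from "extension switched off" and "extension never configured", which call for different follow-up by the Subscription Owner.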
View API inventory
APIs onboarded to the Defender CSPM plan appear in the API security dashboard under Workload protection and Microsoft Defender for Cloud Inventory.
Navigate to the Cloud Security section of the Defender for Cloud menu and select API security under Advanced Workload protections.
The dashboard shows the number of onboarded APIs, broken down by API collections, endpoints, and Azure API Management services. It also summarizes the APIs onboarded for threat detection coverage with the Defender for APIs workload protection plan.
To see APIs onboarded to the Defender CSPM plan for posture protection, apply the filter Defender plan == Defender CSPM.
Drill down into the API collection details page to review security findings for specific API operations. These are visible in the side context pane when you select an API operation of interest.
API endpoint detailed findings
- Sensitive Information Type: Provides details on the sensitive information exposed in API URL paths, query parameters, request bodies, and response bodies based on supported data types, along with the source of the information type found.
- Additional Information: In the case of API response bodies, this shows which HTTP response codes contained sensitive information (such as 2xx, 3xx, 4xx).
Review API security posture findings along with your API inventory in the Microsoft Defender for Cloud Inventory experience.
Note: For API resources to appear in the inventory experience, Microsoft Defender for Cloud requires the Azure Policy for API Management to be active and assigned.
1. Navigate to the Microsoft Defender for Cloud menu and select Inventory.
2. On the Inventory page, filter by resource type and select API Management API, API Management operation, and API Management service to see all your API assets.
Investigating API security recommendations
API endpoints are continuously assessed for misconfigurations and vulnerabilities, including authentication flaws and inactive APIs. Security recommendations are generated with associated risk factors like external exposure and data sensitivity risks. The importance of the security recommendations is calculated based on these risk factors. Learn more about risk-based security recommendations.
To investigate your API security posture recommendations:
1. Navigate to the Defender for Cloud main menu and select Recommendations.
2. Toggle on Group by Title and apply the Resource Type filter, selecting API Management Operation.
3. Review the security recommendations, affected resources, risk factors, and risk levels. Take actions to remediate API posture risks.
Explore API risks and remediate with attack path analysis
The cloud security explorer helps you identify potential security risks in your cloud environment by querying the cloud security graph.
1. Sign in to the Azure portal.
2. Navigate to Microsoft Defender for Cloud > Cloud Security Explorer.
3. Use the built-in query template to quickly identify APIs with security insights.
Alternatively, build a custom query with Cloud Security Explorer to find API risks and see API endpoints connected to backend compute or data stores. For example, you can see API endpoints routing traffic to virtual machines with remote code vulnerabilities.
Attack path analysis in Defender for Cloud addresses security issues that pose immediate threats to your cloud applications and environments. Identify and remediate API-led attack paths to address your most critical API risks that can significantly threaten your organization.
1. In the Defender for Cloud menu, go to Attack path analysis.
2. Filter by resource type API Management operation to investigate API-related attack paths.
3. View the security recommendations for your API endpoints in scope and remediate the recommendations to protect your APIs from high-risk attack surfaces.
Offboarding API security posture protection
APIs that are part of the Defender CSPM plan can't be offboarded individually. If you want to offboard all APIs from the Defender CSPM plan, go to the Defender CSPM Plan Settings page and disable the API posture extension.
Related content
- Monitor for API threats using Defender for APIs Workload Protection.