
Onboard Defender for APIs#

Security · API Management · Rule · 2023_12 · Critical

APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs.

Description#

Microsoft Defender for APIs provides additional security for APIs published in Azure API Management. Protection is provided by analyzing onboarded APIs, which allows Microsoft Defender for Cloud to produce security findings. These findings include API security recommendations and runtime threat detections.

The inventory and security findings for onboarded APIs are reviewed in the Defender for Cloud API Security dashboard. Defender for APIs can be enabled together with the Defender CSPM plan, which offers further capabilities.

To use Microsoft Defender for APIs:

  1. Enable the plan at the subscription level.
  2. Onboard each API to Microsoft Defender for APIs.
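The Bicep snippet under Examples covers step 2 (onboarding an API) but not step 1. The following subscription-scoped Bicep template is an added example, not part of this rule page or the PSRule project; it enables the Defender for APIs plan for the whole subscription. The parameter name and the choice of the P1 sub-plan are assumptions for illustration; the plan name `Api` and the `Microsoft.Security/pricings` resource type are the real identifiers used by Defender for Cloud.

```bicep
// Added example: enable the Microsoft Defender for APIs plan at subscription scope.
// Deploy with: az deployment sub create --location <region> --template-file main.bicep
targetScope = 'subscription'

// Assumption for this example: the P1 sub-plan is sufficient. Pick the sub-plan
// that matches the expected monthly API call volume for the subscription.
@allowed([
  'P1'
  'P2'
  'P3'
  'P4'
  'P5'
])
param defenderForApisSubPlan string = 'P1'

// 'Api' is the Defender for Cloud plan name for Defender for APIs.
// pricingTier 'Standard' turns the plan on; 'Free' turns it off.
resource defenderForApis 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'Api'
  properties: {
    pricingTier: 'Standard'
    subPlan: defenderForApisSubPlan
  }
}

// Surfaced so a pipeline can confirm the plan state after deployment.
output defenderForApisTier string = defenderForApis.properties.pricingTier
```

After deployment, `az security pricing show --name Api` should report `pricingTier` as `Standard`. Enabling the plan alone does not satisfy this rule; each API still has to be onboarded with a `Microsoft.Security/apiCollections` extension resource as shown in the Examples section.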

Recommendation#

Consider onboarding APIs published in Azure API Management to Microsoft Defender for APIs.

Examples#

Configure with Azure template#

To deploy API Management APIs that pass this rule:

  • Deploy a Microsoft.Security/apiCollections sub-resource (extension resource) scoped to the API Management service.
  • Set the name property to the same name as the API.

For example:

Azure Template snippet
{
  "type": "Microsoft.Security/apiCollections",
  "apiVersion": "2022-11-20-preview",
  "scope": "[format('Microsoft.ApiManagement/service/{0}', parameters('apiManagementServiceName'))]",
  "name": "[parameters('apiName')]"
}

Configure with Bicep#

To deploy API Management APIs that pass this rule:

  • Deploy a Microsoft.Security/apiCollections sub-resource (extension resource) scoped to the API Management service.
  • Set the name property to the same name as the API.

For example:

Azure Bicep snippet
// Reference the existing API Management service that publishes the API.
resource apiManagementService 'Microsoft.ApiManagement/service@2022-08-01' existing = {
  name: apiManagementServiceName
}

// Onboard the API to Defender for APIs. The extension resource is scoped to the
// service and its name must match the name of the API being onboarded.
resource onboardDefender 'Microsoft.Security/apiCollections@2022-11-20-preview' = {
  name: apiName
  scope: apiManagementService
}

Notes#

Microsoft Defender for APIs has the following limitations:

  • Not all regions are supported.
  • Only REST APIs published through Azure API Management are supported.
  • APIs published through a self-hosted gateway are not supported.
  • APIs defined within an API Management workspace are not supported.

This rule may currently generate false positive results for APIs only hosted on self-hosted gateways or managed using workspaces.
