Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
APPLIES TO: Developer | Basic | Basic v2 | Standard | Standard v2 | Premium | Premium v2
Defender for APIs, a capability of Microsoft Defender for Cloud, provides full lifecycle protection, detection, and response coverage for APIs that are managed in Azure API Management. The service enables security practitioners to gain visibility into their business-critical APIs, understand their security posture, prioritize vulnerability fixes, and detect active runtime threats within minutes.
Note
Currently, this feature isn't available in workspaces.
Capabilities of Defender for APIs include:
- Identify external, unused, or unauthenticated APIs
- Classify APIs that receive or respond with sensitive data
- Apply configuration recommendations to strengthen the security posture of APIs and API Management instances
- Detect anomalous and suspicious API traffic patterns and exploits of OWASP API Top 10 vulnerabilities
- Prioritize threat remediation
- Integrate with SIEM systems and Defender Cloud Security Posture Management
This article shows how to use the Azure portal to enable Defender for APIs from your API Management instance and view a summary of security recommendations and alerts for onboarded APIs.
Plan limitations
- Currently, Defender for APIs discovers and analyzes REST APIs only.
- Defender for APIs currently doesn't onboard APIs that are exposed via the API Management self-hosted gateway or managed via API Management workspaces.
- Some machine-learning-based detections and security insights (data classification, authentication check, unused and external APIs) aren't supported in secondary regions in multi-region deployments. Defender for APIs relies on local data pipelines to ensure regional data residency and improved performance in such deployments.
Prerequisites
- At least one API Management instance in an Azure subscription. Defender for APIs is enabled at the level of an Azure subscription.
- One or more supported APIs imported to the API Management instance.
- Role assignment to enable the Defender for APIs plan.
- Contributor or Owner role assignment on relevant Azure subscriptions, resource groups, or API Management instances that you want to secure.
Onboard to Defender for APIs
Onboarding APIs to Defender for APIs is a two-step process: enabling the Defender for APIs plan for the subscription, and onboarding unprotected APIs in your API Management instances.
Tip
You can also onboard to Defender for APIs directly in the Defender for Cloud interface, where more API security insights and inventory experiences are available.
Enable the Defender for APIs plan for a subscription
- Sign in to the portal, and go to your API Management instance. 
- In the left pane, under Security, select Defender for Cloud. 
- Select Enable Defender on the subscription (recommended). 
- On the Defender plan page, select On for the APIs plan. 
- Choose a plan, select Save, and then select Save again at the top of the page. 
Onboard unprotected APIs to Defender for APIs
Caution
Onboarding APIs to Defender for APIs can increase compute, memory, and network utilization of your API Management instance, which in extreme cases can cause an outage of the API Management instance. Don't onboard all APIs at one time if your API Management instance is running at high utilization. Use caution by gradually onboarding APIs while monitoring the utilization of your instance (for example, by using the capacity metric) and scaling out as needed.
- In the portal, go back to your API Management instance. 
- In the left pane, under Security, select Defender for Cloud. 
- Under Recommendations, select Azure API Management APIs should be onboarded to Defender for APIs. 
- On the Azure API Management APIs should be onboarded to Defender for APIs page, in the View recommendations column, select the View button for one of the listed APIs. 
- On the resulting page, review the details of the recommendation: - Severity
- Freshness interval for security findings
- Description and remediation steps
- Affected resources, classified as Healthy (onboarded to Defender for APIs), Unhealthy (not onboarded), or Not applicable, along with associated metadata from API Management
 - Note - Affected resources include API collections (APIs) from all API Management instances under the subscription. 
- Select the APIs that you want to onboard to Defender for APIs. 
- Select Fix, and then select Fix x resources. 
- Track the status of onboarded resources in the Notifications pane. 
Note
Defender for APIs takes 30 minutes to generate its first security insights after you onboard an API. Thereafter, security insights are refreshed every 30 minutes.
View security coverage
After you onboard the APIs from API Management, Defender for APIs receives API traffic that's used to build security insights and monitor for threats. Defender for APIs generates security recommendations for risky and vulnerable APIs.
You can view a summary of all security recommendations and alerts for onboarded APIs by selecting Defender for Cloud in the navigation menu for your API Management instance:
- In the portal, go to your API Management instance. 
- Under Security, select Defender for Cloud in the left pane. 
- Review Recommendations and Security incidents and alerts. 
For the security alerts that you receive, Defender for APIs suggests necessary steps to perform the required analysis and validate the potential exploit or anomaly associated with the APIs. Follow the steps in the security alert to fix and return the APIs to healthy status.
Offboard protected APIs from Defender for APIs
You can remove APIs from protection by Defender for APIs by using Defender for Cloud in the portal. For more information, see Manage your Defender for APIs deployment.
 
 
 
