
Enable Defender for APIs

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecurityCenter-042

Ensure that Defender for APIs, a feature of Microsoft Defender for Cloud, is enabled for your Azure API Management services. This feature provides comprehensive API protection, proactive threat detection, adaptive security posture, and simplified incident response and remediation.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Defender for APIs protects the APIs you publish through Azure API Management and the sensitive data that flows through them. Once the plan is enabled and the APIs are onboarded, Defender for APIs applies machine learning and AI to their traffic to identify and mitigate unauthorized access, data breaches and other threats, and surfaces its findings in Microsoft Defender for Cloud so they can be investigated and remediated alongside your other alerts. Enabling it gives your API infrastructure a defense-in-depth layer in front of the application logic and data behind each API.


Audit

To determine if Defender for APIs is enabled for Azure API Management service instances, perform the following actions. Note that the plan is configured per subscription: a plan that is On confirms the subscription-level setting only, and individual APIs still have to be onboarded (covered by steps 08 to 11 of the Remediation / Resolution section below).

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to examine.

05 In the navigation panel, under Settings, choose Defender plans to access the Defender for Cloud pricing plans available for the selected subscription.

06 On the Defender plans page, check the Defender for Cloud pricing plan status available for the APIs resource type, listed in the Plan column. If the pricing plan status for APIs is set to Off, Defender for APIs is not enabled for the Azure API Management services created for the selected subscription.

07 Repeat step no. 4 – 6 for each Microsoft Azure subscription available within your cloud account.

Using Azure CLI

01 Run account get-access-token command (Windows/macOS/Linux) and pipe the returned subscription ID and bearer token into a curl request against the Microsoft.Security/pricings REST API, filtering the response with jq for the pricing plan named "Api", to describe the Defender for Cloud pricing tier configured for API Management services:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings?api-version=2018-06-01"' | jq '.value[] | select(.name=="Api") | .properties.pricingTier'

02 The command output should return the name of the configured pricing tier, for example:

"Free"

If the account get-access-token command output does not return "Standard" for the name of the pricing tier, Defender for APIs is not enabled for the Azure API Management services available within the selected subscription. If the command returns nothing at all, the "Api" plan is missing from the response; check the API version, the token's subscription and your permissions rather than assuming the plan is off.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your cloud account.

Remediation / Resolution

To enable Defender for APIs for your Azure API Management service instances, perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to access.

05 In the navigation panel, under Settings, choose Defender plans to access the Defender for Cloud pricing plans available for the selected subscription.

06 In the Cloud Workload Protection (CWP) section, choose On for the APIs pricing plan listed in the Plan column, to enable Defender for APIs for all the Azure API Management services available in the selected subscription.

07 Choose Save to apply the changes.

08 To complete onboarding, navigate back to the Microsoft Defender for Cloud blade and select Recommendations from the main navigation panel.

09 Select the All recommendations tab and choose Azure API Management APIs should be onboarded to Defender for APIs.

10 Review the recommendation details and select the API(s) that you want to onboard to Defender for APIs from the Unhealthy resources list.

11 Select Fix, then choose Fix resources.

12 After onboarding your API resources, you can track their status on the API security page. To access this page, navigate back to Microsoft Defender for Cloud, select Workload protections under Cloud Security, and choose API security.

13 Repeat step no. 4 – 12 for each Microsoft Azure subscription available within your cloud account.

Using Azure CLI

01 Define the request body for the Microsoft.Security/pricings REST API call, where the "pricingTier" property is set to "Standard" to enable the Defender for APIs feature for Azure API Management services. Save the document to a JSON file named enable-defender-for-apis.json and replace the placeholder, i.e. [azure-subscription-id], with your own Azure account subscription ID:

{
  "id": "/subscriptions/[azure-subscription-id]/providers/Microsoft.Security/pricings/Api",
  "name": "Api",
  "type": "Microsoft.Security/pricings",
  "properties": {
    "pricingTier": "Standard"
  }
}

02 Run account get-access-token command (Windows/macOS/Linux) and pipe the subscription ID and bearer token into a curl PUT request that sends the request body defined at the previous step (i.e. enable-defender-for-apis.json file) to the Microsoft.Security/pricings/Api resource, to enable Defender for APIs for Azure API Management services:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings/Api?api-version=2018-06-01" -d @"enable-defender-for-apis.json"'

03 The command output should return the information available for the enabled pricing tier, with "pricingTier" now set to "Standard":

{
  "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/providers/Microsoft.Security/pricings/Api",
  "name": "Api",
  "type": "Microsoft.Security/pricings",
  "properties": {
    "pricingTier": "Standard",
    "freeTrialRemainingTime": "PT0S"
  }
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your cloud account.
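The Audit and Remediation / Resolution CLI procedures above both end with "repeat for each subscription". The following script, an added example rather than code from Conformity or Microsoft, folds both into one pass: it evaluates the pricings GET response for the "Api" plan the way the audit step does, reports the subscriptions that need the PUT from the remediation step, and prints the request body for them as a dry run. It assumes the "Api" plan reports "pricingTier": "Standard" when on and "Free" when off, as in the CLI output above; the subscription IDs and API responses embedded in it are constructed sample data, and the live `az rest` transport (which attaches the bearer token itself, replacing the get-access-token | curl pipeline) is only called when you pass it in explicitly.

```python
"""Audit and dry-run remediation of the Defender for APIs plan across subscriptions.

Added example, not Conformity's or Microsoft's code. The REST transport is separated
from the evaluation so the evaluation runs offline on constructed responses.
Assumptions: the Microsoft.Security/pricings entry named "Api" carries
"pricingTier": "Standard" when the plan is on and "Free" otherwise, as in the page's
CLI output; the subscription IDs and responses below are constructed sample data.
"""
import json
import subprocess

PRICING_NAME = "Api"
API_VERSION = "2018-06-01"  # the api-version used by the page's curl commands


def pricing_tier(pricings_response, name=PRICING_NAME):
    """Tier of the named plan in a GET .../providers/Microsoft.Security/pricings
    response, or None when the plan is absent from the response."""
    for plan in pricings_response.get("value", []):
        if plan.get("name", "").lower() == name.lower():
            return plan.get("properties", {}).get("pricingTier")
    return None


def is_enabled(pricings_response):
    """The rule passes only on the exact tier "Standard"; anything else fails."""
    return pricing_tier(pricings_response) == "Standard"


def enable_body(subscription_id):
    """Body for PUT .../providers/Microsoft.Security/pricings/Api, the same shape
    as the page's enable-defender-for-apis.json."""
    return {
        "id": f"/subscriptions/{subscription_id}/providers/Microsoft.Security/pricings/{PRICING_NAME}",
        "name": PRICING_NAME,
        "type": "Microsoft.Security/pricings",
        "properties": {"pricingTier": "Standard"},
    }


def audit(subscriptions, fetch_pricings):
    """Evaluate each subscription. fetch_pricings(sub_id) must return the parsed
    JSON of the pricings GET. An absent plan is reported as 'investigate' rather
    than blindly PUT, since it usually means the api-version or permissions are
    wrong rather than that the plan is off."""
    report = {}
    for sub in subscriptions:
        tier = pricing_tier(fetch_pricings(sub))
        if tier == "Standard":
            action = "none"
        elif tier is None:
            action = "investigate"
        else:
            action = "enable"
        report[sub] = {"tier": tier, "enabled": tier == "Standard", "action": action}
    return report


def az_fetch_pricings(subscription_id):
    """Live transport through `az rest`, which attaches the bearer token itself and
    so replaces the page's get-access-token | curl pipeline. Needs a logged-in
    Azure CLI; it is not exercised offline."""
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           f"/providers/Microsoft.Security/pricings?api-version={API_VERSION}")
    out = subprocess.run(["az", "rest", "--method", "get", "--url", url],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


# Constructed sample responses for three subscriptions (not real Azure output):
# plan on, plan off, and a response in which the Api plan is not listed at all.
SUB_ON = "11111111-1111-1111-1111-111111111111"
SUB_OFF = "22222222-2222-2222-2222-222222222222"
SUB_MISSING = "33333333-3333-3333-3333-333333333333"
SAMPLE_RESPONSES = {
    SUB_ON: {"value": [{"name": "Api", "type": "Microsoft.Security/pricings",
                        "properties": {"pricingTier": "Standard",
                                       "freeTrialRemainingTime": "PT0S"}}]},
    SUB_OFF: {"value": [{"name": "Api", "type": "Microsoft.Security/pricings",
                         "properties": {"pricingTier": "Free"}}]},
    SUB_MISSING: {"value": [{"name": "VirtualMachines",
                             "type": "Microsoft.Security/pricings",
                             "properties": {"pricingTier": "Standard"}}]},
}


def sample_audit():
    """Run the audit over the constructed responses (the offline entry point)."""
    return audit(SAMPLE_RESPONSES, SAMPLE_RESPONSES.__getitem__)


if __name__ == "__main__":
    for sub, finding in sample_audit().items():
        print(sub, finding)
        if finding["action"] == "enable":
            # Dry run: print the PUT body rather than sending it.
            print(json.dumps(enable_body(sub), indent=2))
```

To run it against real subscriptions, pass the IDs from `az account list --query "[].id" -o tsv` and `az_fetch_pricings` as the fetch callable; the script still only prints the PUT body, so sending it (with `az rest --method put --url ... --body @enable-defender-for-apis.json`) stays a deliberate, separately authorised step. Remember that a "Standard" tier satisfies this rule at the subscription level only; the per-API onboarding in steps 08 to 11 of the console procedure is not reflected in the pricings resource.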


Publication date Dec 26, 2023