“All these Defenders, I can’t keep them straight!” she sobbed.

Mary Becken
4 min read · Jan 19, 2024


I haven’t been playing too much in the Azure realm lately, and to pay me back for my neglect, all the versions of Microsoft Defender seem to have metastasized. Defender for APIs, Defender for Containers, Defender for App Service, Defender for Key Vault, and so on. What’s a humanoid to do?

So where do I start my learning adventures today? When in doubt, start with APIs, right? In one of my last articles, I had added a few deliberately vulnerable APIs into Azure API Management. Since then, I have completely deleted everything out of there, since the costs were rising a little bit higher than I liked. So, back to the drawing board. Let’s put those bad boys back in there. Here is my previous article with some details: https://medium.com/@mgbecken/api-management-b8115f455e59

So, once I have an API in Azure API Management again, I can start up Defender for APIs. Here is a Microsoft lab write-up to follow along with if you like: https://github.com/Azure/Microsoft-Defender-for-Cloud/blob/main/Labs/Modules/Module-13-Defender%20for%20APIs.md

In Defender for Cloud > Environment settings, select the subscription you want to protect APIs on.

Under Cloud Workload protections, ensure that the APIs plan is toggled On and select your plan.

Now you can go to Defender for Cloud Recommendations. Among your recommendations should be “Azure API Management APIs should be onboarded to Defender for APIs.”

You will be given an option to “Fix Resources”, which onboards these APIs to Defender for APIs.

Once they have been onboarded, you will be able to access the API information through the Defender for Cloud dashboard, under Workload protections > API Security.

You’ll see an inventory of your onboarded APIs with their associated base URL, number of endpoints, and more.

If you click on the collection and then choose an endpoint name, you will be able to view the Resource Health for that endpoint. Recommendations to improve your APIs' security posture will be displayed. The OWASP API Security Top 10 ranks the riskiest API problems at the moment (https://owasp.org/API-Security/editions/2023/en/0x11-t10/), and you may see some recommendations that map to this list. All of my endpoints listed the same two recommendations:

1. API endpoints in Azure API Management should be authenticated
2. API endpoints that are unused should be disabled and removed from the Azure API Management service
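To make those two recommendations concrete, here is an added Python example (an illustration written for this page, not code from the article or from Microsoft) that checks a small, constructed API Management inventory for both conditions. It parses each operation's effective policy XML for an inbound authentication policy (`validate-jwt`, `validate-azure-ad-token` or `validate-client-certificate`, which are real APIM policy names) and treats any operation with no request in the last 30 days as unused. The inventory record layout, the 30-day window and the placeholder tenant and client IDs in the policy are assumptions for the example.

```python
"""Added example, not from the article or from Microsoft: evaluate an API
Management operation inventory against the two recommendations above.
The inventory records and policy snippets are constructed for this example;
the policy element names are real APIM inbound policies."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Inbound policies that, when present, require callers to prove an identity.
AUTH_POLICIES = {"validate-jwt", "validate-azure-ad-token", "validate-client-certificate"}


def inbound_policy_names(policy_xml: str) -> set:
    """Names of the policy elements under <inbound> in an APIM policy document."""
    inbound = ET.fromstring(policy_xml).find("inbound")
    return set() if inbound is None else {child.tag for child in inbound}


def is_authenticated(op: dict) -> bool:
    """True when the operation's inbound section contains an authentication policy."""
    return bool(AUTH_POLICIES & inbound_policy_names(op["policy"]))


def is_unused(op: dict, now: datetime, window_days: int = 30) -> bool:
    """Unused = no request ever observed, or none within the look-back window."""
    last = op["last_request"]
    return last is None or (now - last) > timedelta(days=window_days)


def evaluate(inventory, now, window_days=30):
    """Return (operation name, issue) pairs for every recommendation that applies."""
    findings = []
    for op in inventory:
        if not is_authenticated(op):
            findings.append((op["name"], "unauthenticated"))
        if is_unused(op, now, window_days):
            findings.append((op["name"], "unused"))
    return findings


# Constructed policy documents. TENANT-ID-PLACEHOLDER / CLIENT-ID-PLACEHOLDER are
# placeholders, not real identifiers.
JWT_POLICY = """<policies><inbound><base />
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" require-scheme="Bearer">
  <openid-config url="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0/.well-known/openid-configuration" />
  <audiences><audience>api://CLIENT-ID-PLACEHOLDER</audience></audiences>
</validate-jwt>
</inbound><backend><base /></backend><outbound><base /></outbound></policies>"""

OPEN_POLICY = "<policies><inbound><base /></inbound><backend><base /></backend><outbound><base /></outbound></policies>"

NOW = datetime(2024, 1, 19, tzinfo=timezone.utc)

# Constructed inventory: operation name, effective policy, and last observed request.
SAMPLE_INVENTORY = [
    {"name": "GET /orders", "policy": JWT_POLICY, "last_request": NOW - timedelta(days=1)},
    {"name": "POST /orders", "policy": OPEN_POLICY, "last_request": NOW - timedelta(hours=3)},
    {"name": "GET /legacy/report", "policy": JWT_POLICY, "last_request": NOW - timedelta(days=45)},
    {"name": "DELETE /debug/reset", "policy": OPEN_POLICY, "last_request": None},
]

if __name__ == "__main__":
    for name, issue in evaluate(SAMPLE_INVENTORY, NOW):
        print(f"{name}: {issue}")
```

Running it lists `POST /orders` as unauthenticated, `GET /legacy/report` as unused, and `DELETE /debug/reset` as both. In a real estate the inventory would come from the APIM management API and request timestamps from the diagnostic logs; the point of the split into `is_authenticated` and `is_unused` is that the two recommendations are independent, so an operation can fail either, neither, or both.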

Defender for APIs uses machine learning to analyze API traffic and request content. Some potential anomalies we might see are uncommon payload size, spikes in latency, or uncommon parameters. This article demonstrates using an uncommon User-Agent value to trigger an alert https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/validating-microsoft-defender-for-apis-alerts/ba-p/3803874. I wasn’t able to trigger any alerts in my setup, but some alerts you might wish to see are parameter enumerations, types of forced browsing, bot attacks and more.
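As an added example of what those anomaly categories look like in practice (not the article's code; Defender for APIs uses its own machine-learning models, and this is only a transparent stand-in for the idea), the following Python builds a baseline from constructed request logs for one operation and then flags later requests whose payload size or latency exceeds mean plus three standard deviations, whose User-Agent was never seen in the baseline, or which carry a query parameter the baseline never saw on that path. The JSON-lines log layout, the field names and the three-sigma threshold are assumptions for the example.

```python
"""Added example, not from the article or from Microsoft: a baseline-and-deviation
check covering the anomaly kinds listed above (payload size, latency, uncommon
parameters, uncommon User-Agent). All log lines are constructed for the example."""
import json
import statistics
from collections import defaultdict

# Constructed baseline traffic for one operation (not real APIM logs).
BASELINE_LOG = """
{"path": "/orders", "bytes_in": 200, "latency_ms": 40, "user_agent": "orders-client/1.4", "params": ["page", "size"]}
{"path": "/orders", "bytes_in": 210, "latency_ms": 45, "user_agent": "orders-client/1.4", "params": ["page", "size"]}
{"path": "/orders", "bytes_in": 220, "latency_ms": 50, "user_agent": "orders-client/1.4", "params": ["page"]}
{"path": "/orders", "bytes_in": 230, "latency_ms": 55, "user_agent": "orders-client/1.4", "params": ["page", "size"]}
{"path": "/orders", "bytes_in": 240, "latency_ms": 60, "user_agent": "orders-client/1.5", "params": ["size"]}
{"path": "/orders", "bytes_in": 250, "latency_ms": 65, "user_agent": "orders-client/1.5", "params": ["page", "size"]}
{"path": "/orders", "bytes_in": 260, "latency_ms": 70, "user_agent": "orders-client/1.5", "params": ["page", "size"]}
{"path": "/orders", "bytes_in": 220, "latency_ms": 50, "user_agent": "orders-client/1.4", "params": ["page", "size"]}
"""

# Constructed new traffic to score against the baseline: one normal request,
# then one example of each anomaly kind.
NEW_LOG = """
{"path": "/orders", "bytes_in": 245, "latency_ms": 58, "user_agent": "orders-client/1.5", "params": ["page", "size"]}
{"path": "/orders", "bytes_in": 250000, "latency_ms": 62, "user_agent": "orders-client/1.4", "params": ["page"]}
{"path": "/orders", "bytes_in": 230, "latency_ms": 4000, "user_agent": "orders-client/1.4", "params": ["page", "size"]}
{"path": "/orders", "bytes_in": 235, "latency_ms": 57, "user_agent": "curl/8.4.0", "params": ["page", "debug"]}
"""


def parse_log(text):
    """Return one event dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


class Baseline:
    """Per-field summary of known-good traffic, learned from sample events."""

    def __init__(self, events, k=3.0):
        sizes = [e["bytes_in"] for e in events]
        latencies = [e["latency_ms"] for e in events]
        self.user_agents = {e["user_agent"] for e in events}
        self.params_by_path = defaultdict(set)
        for e in events:
            self.params_by_path[e["path"]].update(e["params"])
        self.size_limit = self._upper_bound(sizes, k)
        self.latency_limit = self._upper_bound(latencies, k)

    @staticmethod
    def _upper_bound(values, k):
        """mean + k * stdev; stdev is floored at 1.0 so a constant baseline keeps some slack."""
        mean = statistics.fmean(values)
        sd = statistics.stdev(values) if len(values) > 1 else 0.0
        return mean + k * max(sd, 1.0)

    def score(self, event):
        """Return the anomaly reasons for one event (empty list if it looks normal)."""
        reasons = []
        if event["bytes_in"] > self.size_limit:
            reasons.append("uncommon payload size")
        if event["latency_ms"] > self.latency_limit:
            reasons.append("latency spike")
        if event["user_agent"] not in self.user_agents:
            reasons.append("uncommon User-Agent")
        known = self.params_by_path.get(event["path"], set())
        for name in event["params"]:
            if name not in known:
                reasons.append(f"uncommon parameter: {name}")
        return reasons


def scan(baseline, text):
    """Score every event in the log text and return only the flagged ones."""
    flagged = []
    for event in parse_log(text):
        reasons = baseline.score(event)
        if reasons:
            flagged.append((event["path"], reasons))
    return flagged


BASELINE = Baseline(parse_log(BASELINE_LOG))

if __name__ == "__main__":
    for path, reasons in scan(BASELINE, NEW_LOG):
        print(path, "->", "; ".join(reasons))
```

The first new request scores clean; the other three are flagged for payload size, latency, and an unseen User-Agent together with an unseen `debug` parameter. A per-path parameter set is what makes the "uncommon parameter" check meaningful: a name that is normal on one operation can still be an anomaly on another, which is also why a single global set of parameter names would be the wrong baseline.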

You can filter the Recommendations in Defender for Cloud to see all API related recommendations, such as “use only encrypted protocols” or “API Endpoints should be authenticated”.

Finally, if you’d like more information related to API security, APIsec University has an assortment of really incredible, free classes — https://www.apisecuniversity.com/. I’ve taken quite a few of their classes and can wholeheartedly recommend them. I felt my dendrites firing up a storm.
