Microsoft Defender for Cloud Blog

Validating Microsoft Defender for APIs Alerts

Lara_Goldstein
May 02, 2023

Introduction

Microsoft Defender for APIs, a new plan in Defender for Cloud, offers full lifecycle protection, detection, and response coverage for APIs published in Azure API Management. One of the main capabilities is the ability to detect exploits of the OWASP API Top 10 vulnerabilities through runtime observations of anomalies using machine learning-based and rule-based detections.


This blog outlines the steps for simulating an action that will trigger a Defender for APIs alert on one of your API endpoints. In this scenario, the alert is for the detection of a suspicious user agent.


Validation Steps

  1. If you don’t have an API endpoint in Azure API Management created yet, create one by following the steps from this article and this article.
  2. If you haven’t enabled Defender for APIs and onboarded API endpoints, refer to this document for guidance before moving to step 3.
  3. Once you have completed steps 1 and 2, open your API Management instance in the Azure portal and navigate to the APIs blade.
  4. Select an API (e.g., Echo API).
  5. Select an API operation (e.g., Retrieve Resource) and then open the “Test” tab.
  6. Scroll down to the HTTP request section and click the “see more” icon to retrieve the full request URL and the APIM subscription key; both are required later. Copy this information and store it in a secure location: the subscription key grants access to the API, so treat it like any other credential. Alternatively, for testing purposes in a non-production environment, you can disable the subscription requirement by following the steps here.
  7. Open Postman and sign up for a new account or log in to your existing account.
  8. In Postman, select “My Workspace” or any other workspace that you already have.
  9. Select the “+” icon to start a new request.
  10. Using the HTTP request information that you copied in step 6, enter the URL (e.g., GET https://apidemo.azure-api.net/echo/resource-cached?param1=sample) into Postman. Do not send the request yet.
  11. Select the “Headers” tab.
  12. Enter the APIM subscription key as a header: the key is Ocp-Apim-Subscription-Key and the value is the subscription key that you copied in step 6.
  13. Enter another header for the user agent. Use User-Agent as the key and javascript: as the value. The string javascript: contains patterns typical of script code and is rarely, if ever, sent by a legitimate client, which is what the detection keys on.
  14. Send the request. A “200 OK” status means the request went through API Management to the backend. A 401 means the subscription key was missing or wrong; in that case the request never reached the API and will not exercise the detection.
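The same probe without Postman, as an added example that is not part of the original post: a standard-library Python script that builds the GET request with the Ocp-Apim-Subscription-Key and User-Agent headers from steps 10 to 14 and reports whether API Management accepted it. The URL is the example from step 10 and the environment variable name APIM_SUBSCRIPTION_KEY is an assumption of this example; the key is read from the environment so it never lands in a script or shell history.

```python
"""Send the Defender for APIs 'suspicious user agent' probe using only the standard library."""
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

# Example URL from the post; replace it with the request URL copied from the APIM Test tab.
DEFAULT_URL = "https://apidemo.azure-api.net/echo/resource-cached?param1=sample"
# The value the post uses: script-like text that legitimate clients do not send as a User-Agent.
SUSPICIOUS_UA = "javascript:"


def build_probe(url: str, subscription_key: Optional[str],
                user_agent: str = SUSPICIOUS_UA) -> urllib.request.Request:
    """Return a GET request carrying the suspicious User-Agent and, if given, the APIM key.

    The subscription header is only added when a key is supplied, so the same builder
    works against an API whose subscription requirement has been disabled for testing.
    """
    req = urllib.request.Request(url, method="GET")
    req.add_header("User-Agent", user_agent)
    if subscription_key:
        req.add_header("Ocp-Apim-Subscription-Key", subscription_key)
    return req


def send_probe(req: urllib.request.Request, timeout: float = 10.0) -> int:
    """Send the request and return the HTTP status code.

    API Management answers 401 when the subscription key is missing or wrong, so that
    status means the probe never reached the backend and will not trigger the alert.
    """
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def main() -> int:
    url = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_URL
    # APIM_SUBSCRIPTION_KEY is an assumed variable name; never hard-code the key in the script.
    key = os.environ.get("APIM_SUBSCRIPTION_KEY")
    status = send_probe(build_probe(url, key))
    if status == 200:
        print("200 OK: probe accepted; watch Defender for Cloud for the alert")
    elif status == 401:
        print("401: check APIM_SUBSCRIPTION_KEY (or disable the subscription requirement)")
    else:
        print(f"unexpected status {status}")
    return 0 if status == 200 else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `APIM_SUBSCRIPTION_KEY=... python probe.py https://<your-apim>.azure-api.net/echo/resource-cached?param1=sample`. Only the status code is printed, so the key is not echoed into logs, and a 401 is reported separately because it is the most common reason a probe "succeeds" from the tester's point of view but never generates an alert.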


Conclusion

After some time, Defender for APIs raises an alert with detailed information about this suspicious activity. You can find it under Security alerts in Defender for Cloud; the original post includes a screenshot of the alert at this point.

For a complete list of potential alerts that could be triggered by Defender for APIs, access this reference guide.


Written in collaboration with Liana Tomescu and Yuri Diogenes. 

Updated Apr 24, 2023
Version 1.0
  • john66571, after you enable Defender for APIs on a subscription, you must onboard APIs. Onboarding APIs to Defender for APIs may increase compute, memory, and network utilization of your API Management instance, which in extreme cases may cause an outage of the API Management instance. Do not onboard all APIs at one time if your API Management instance is running at high utilization. Use caution by gradually onboarding APIs, while monitoring the utilization of your instance (for example, using the capacity metric) and scaling out as needed.

  • john66571 (Brass Contributor)

    Will enabling Defender for API(m) generate any loss of service temporarily when enabled? Such as disconnecting or service interruptions.
    Defender for Kubernetes does exactly this and caused a massive outage in one environment while we were told no such things should happen (it applies a new profile that makes the pods identify the change and rebuild). So I'm very reluctant to not enable new features in any environment currently.