Microsoft Defender for API Security Dashboard
Microsoft Defender for APIs is a plan provided by Microsoft Defender for Cloud that offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs is currently in public preview and currently provides security for APIs published in Azure API Management. Microsoft Defender for API plan provides us with amazing capabilities like, giving security admins the visibility to their business-critical managed APIs, provides you with security findings to investigate and improve your API security posture, also provides you with sensitive-data classification (API data classification) where the plan classifies APIs that are exposing, receiving or responding with sensitive data, also comes with real-time threat detection that generates alerts for suspicious activities. Defender for API plan continuously assesses the configurations of your managed APIs and compares them with the best practices and finds misconfigurations which generates security recommendations that will be published on Defender for Cloud's Recommendations page. As you can imagine, that’s a lot of information to keep track. So we wanted to provide you with a single-pane of glass view to help view all the findings associated with the Defender for APIs plan. With this blog, we are introducing you to Microsoft Defender for API Security Dashboard, that provides representation of the security posture of your API’s in different pivots that help you understand the overall security findings, threats in your environment and how to prioritize them. What’s in the Dashboard Defender for API Security dashboard is a workbook that provides a unified view and deep visibility into the issues. This workbook allows you to visualize the state of your API posture for the API endpoints that you have onboarded to Defender for APIs to better understand your unhealthy recommendations and the identified data classifications, authorization status, usage, and exposure of your APIs. You can also investigate detected threats on affected API resources, including the most affected API collections and endpoints, the top alert types, and progression of alerts over time. Pie-Charts & Details Example Overview: The overview section contains six pie-charts that represents the total number of alerts and how they map to the MITRE ATT&CK Tactics, security recommendations, coverage for API endpoints, and coverage for different subscriptions that you have access to. Hardening Recommendations: To drill into security recommendations, select the Hardening Recommendations tab. On this tab, you can investigate your unhealthy recommendations by severity level, see all affected resources, and get security insights such as unauthorized API endpoints that are externally facing and transfer sensitive data. Threat Detection – Alerts The Alerts tab displays your top 10 alerts type, a list of your affected resources, active alerts on selected resources, alerts over time, and a map of your affected APIs. Note You must enable Defender for APIs and onboard API endpoints in order to utilize this workbook How to Deploy Great News...!! This workbook is built into Microsoft Defender for Cloud portal. In the Azure portal > Navigate to Microsoft Defender for Cloud > Workbooks Additional Resources To learn more about Microsoft Defender for API offering, make sure to check out our documentation We are eager to hear your feedback on your experience with Defender for API capabilities. Please take sometime to fill in the survey Learn about API Security Alerts Learn about API Security Recommendations
Microsoft Defender for Cloud Onboarding workbook V2
The Defender for Cloud Onboarding Workbook V2 is the latest version of this workbook that was originally published August 2022. You can read more about the purpose of this workbook in this post. What’s New: The Defender Plans Onboarded Tab - displays the subscriptions that are onboarded to a Defender plan, status of the Defender Plan, and the resources deployed in the subscription. You can click on the status of the Defender Plan to On / Off on the subscription. You will be directed to the Defender Plans Blade on your selected Subscription. You can notice the status of each Defender Plan is On/Off, and the Resource quantity column displays the Resources deployed in the subscription. You can edit the status of the selected Defender Plan from here and click on save. Please be noted that Foundational CSPM is by default “On” on all subscriptions. The CSPM Tab - displays the subscriptions that are onboarded to a Defender for Cloud, status of the Defender CSPM Plan on the subscription, and the resources deployed in the subscription. You can click on the status of the Defender Plan to On/Off on the subscription. The Agentless Capabilities covered under Defender CSPM displays the Status is On/Off. “Not Available” indicates the required Defender Plan is not enabled, and hence the capability is not available. You can click on the On/Off status on the subscription to edit the Agentless capability. Edit the Status On/Off, and click “Continue” and “Save” the settings The API Tab - displays the subscriptions that are onboarded to a Defender for Cloud, status of the Defender for APIs Plan on the subscription, and the APIM resources deployed in the subscription. You can click on the status of the Defender Plan to On/Off on the subscription. The APIM resources overview displays the APIM resources deployed in the subscription, and their Public Network Access is Enabled/Disabled, and if the APIM is deployed into a VNET. The Onboard API collections displays if all the API collections in an APIM are onboarded to Defender for APIs. Click on “Not Onboarded” to onboard the API collection. You are directed to the assessment “Azure API Management APIs should be onboarded to Defender for APIs”. Select the API Endpoints under the Unhealthy resources and click on “Fix” The Storage Tab - displays the subscriptions that are onboarded to a Defender for Cloud, status of the Defender for Storage Plan on the subscription, and the Storage Account resources deployed in the subscription. You can click on the status of the Defender Plan to On/Off on the subscription. The Agentless capabilities like Data Sensitivity Discovery, Malware Scanning are only available with the DefenderForStorageV2Plan. “Not Available” indicates that the required plan is not enabled. The Containers Tab - displays the subscriptions that are onboarded to a Defender for Cloud, status of the Defender for Containers Plan on the subscription, and the Container resources deployed in the subscription. You can click on the status of the Defender Plan to On/Off on the subscription. The Agentless capability Container Registries VA is available with both the Defender For Containers Plan and Defender CSPM Plan. “Not Available” indicates that the required plan is not enabled. The Devops Tab - displays the Github Connectors and Azure Devops Connectors onboarded to the subscription The Github repositories that need to be enabled for Code Scanning, Secret scanning, Depandabot scanning are displayed. Click on “Unhealthy” status to enable scanning. You are directed to the relevant Recommendation. Select the Unhealthy resources and assign Owner to remediate the Recommendation. The AWS Tab - displays the the AWS Connectors deployed in the subscription, yhe status of the Defender Plans on the AWS Connector. You can click on the status of the Defender Plan to On/Off on the Connector. AWS Agentless capabilities like "Agentless VM scanning", "Data Sensitivity Discovery" are displayed. You are directed to the AWS Defender plans blade. You can edit the Defender plan on the AWS connector and click on “Configure access” When the Defender Plan settings are edited on the AWS connector, you need to download the cloud formation template and update the AWS environment. This is a required step to reflect your changes on the AWS connector, to the AWS environment. The GCP Tab - displays the the GCP Connectors deployed in the subscription, the status of the Defender Plans on the GCP Connector. You can click on the status of the Defender Plan to On/Off on the Connector. You are directed to the GCP Defender plans blade. You can edit the Defender plan on the GCP connector and click on “Configure access” and “Update” How to Deploy The Defender for Cloud Onboarding Workbook is available in the Microsoft Defender for Cloud GitHub Repo page, under Workbooks and can be accessed directly with its Defender for Cloud Onboarding Workbook V2 The workbook can be deployed quickly in the Azure Commercial and Gov cloud environments by clicking the respective “Deploy to Azure” buttons on the workbook page. Additional Resources To learn more about Microsoft Defender for Cloud, visit: https://aka.ms/ascninja To learn about Microsoft Defender for Cloud workbooks, visit: https://docs.microsoft.com/en-us/azure/security-center/custom-dashboards-azure-workbooks Acknowledgements Many thanks to Yuri Diogenes & Safeena Begum in supporting my initiative and suggesting feedbacks.Unlocking API visibility: Defender for Cloud Expands API security to Function Apps and Logic Apps
APIs are the front door to modern cloud applications and increasingly, a top target for attackers. According to the May 2024 Gartner® Market Guide for API Protection: “Current data indicates that the average API breach leads to at least 10 times more leaked data than the average security breach.” This makes comprehensive API visibility and governance a critical priority for security teams and cloud-first enterprises. We’re excited to announce that Microsoft Defender for Cloud now supports API discovery and security posture management for APIs hosted in Azure App Services, including Function Apps and Logic Apps. In addition to securing APIs published behind Azure API Management (APIM), Defender for Cloud can now automatically discover and provide posture insights for APIs running within serverless functions and Logic App workflows. Enhancing API security coverage across Azure This new capability builds on existing support for APIs behind Azure API Management by extending discovery and posture management to APIs hosted directly in compute environments like Azure Functions and Logic Apps, areas that often lack centralized visibility. By covering these previously unmonitored endpoints, security teams gain a unified view of their entire API landscape, eliminating blind spots outside of the API gateway. Key capabilities API discovery and inventory Automatically detect and catalog APIs hosted in Function Apps and Logic Apps, providing a unified inventory of APIs across your Azure environment. Shadow API identification Uncover undocumented or unmanaged APIs that lack visibility and governance—often the most vulnerable entry points for attackers. Security posture assessment Continuously assess APIs for misconfigurations and weaknesses. Identify unused or unencrypted APIs that could increase risk exposure. Cloud Security Explorer integration Investigate API posture and prioritize risks using contextual insights from Defender for Cloud’s Cloud Security Explorer. Why API discovery and security are critical for CNAPP For security leaders and architects, understanding and reducing the cloud attack surface is paramount. APIs, especially those deployed outside of centralized gateways, can become dangerous blind spots if they’re not discovered and governed. Modern cloud-native applications rely heavily on APIs, so a Cloud-Native Application Protection Platform (CNAPP) must include API visibility and posture management to be truly effective. By integrating API discovery and security into the Defender for Cloud CNAPP platform, this new capability helps organizations: Illuminate hidden risks by discovering APIs that were previously unmanaged or unknown. Reduce the attack surface by identifying and decommissioning unused or dormant APIs. Strengthen governance by extending API visibility beyond traditional API gateways. Advance to holistic CNAPP coverage by securing APIs alongside infrastructure, workloads, identities, and data. Availability and getting started This new API security capability is available in public preview to all Microsoft Defender for Cloud Security Posture Management (CSPM) customers at no additional cost. If you’re already using Defender for Cloud’s CSPM features, you can start taking advantage of API discovery and posture management right away. To get started, simply enable the API Security Posture Management extension in your Defender for Cloud CSPM settings. When enabled, Defender for Cloud scans Function App and Logic App APIs in your subscriptions, presenting relevant findings such as security recommendations and posture insights in the Defender for Cloud portal. Helpful resources Enable the API security posture extension Learn more in the Defender for Cloud documentationCloud security innovations: strengthening defenses against modern cloud and AI threats
In today’s fast-paced digital world, attackers are more relentless than ever, exploiting vulnerabilities and targeting cloud environments with unprecedented speed and sophistication. They are taking advantage of the dynamic nature of cloud environments and silos across security tools to strike opportunistically and bypass boundaries between endpoints, on-premises and cloud environments. With the rise of Gen AI, security complexities are only growing, further testing the limits of traditional cloud security measures and strategies. Protecting multicloud environments requires vigilance not only within each cloud instance but also across interconnected networks and systems. For defenders, the challenge lies in keeping pace with attackers who operate with lightning speed. To stay ahead, they need tools that enable rapid risk prioritization and targeted remediation, reducing unnecessary toil and aligning security efforts with business objectives. The key to defending today’s cloud landscapes is a risk-driven approach and a unified security platform that spans all domains across their organization. This approach integrates automation to streamline security operations, allowing teams to focus on critical threats. With these capabilities, defenders can protect dynamic multicloud environments with the agility and insight needed to counter the sophisticated and evolving tactics of modern attackers. Our integrated cloud-native application platform (CNAPP) provides complete security and compliance from code to runtime. Enhanced by generative AI and threat intelligence, it helps protect your hybrid and multicloud environments. Organizations can enable secure development, minimize risks with contextual posture management, and protect workloads and applications from modern threats in Microsoft’s unified security operations platform. Today, we’re thrilled to announce new innovations in Defender for Cloud to accelerate comprehensive protection with a multi-layered risk-driven approach allowing security teams to focus on the most critical threats. We’re also excited to introduce new features that make SecOps teams more efficient, allowing them to detect and respond to cloud threats in near real-time with the enhanced Defender XDR integration. Unlock advanced risk prioritization with true code-to-runtime reachability As we continue to expand our existing partner ecosystem, Microsoft Defender for Cloud’s integration with Endor Labs brings code reachability analysis directly to the Defender for Cloud portal, advancing code-to-runtime context and risk prioritization efforts significantly. Traditional AppSec tools generate hundreds to thousands of vulnerability findings, while less than 9.5% are truly exploitable within an application’s context, according to a recent study conducted by Endor Labs. These vulnerabilities belong to parts of the code that can be accessed and executed in runtime – aka reachable code vulnerabilities. Without this precise context of what is reachable, teams face an unsustainable choice: spend extensive time researching each finding or attempt to fix all vulnerabilities, leading to inefficiencies. Endor Labs provides a reachability-based Software Composition Analysis (SCA), and with the Defender for Cloud integration, deploying and configuring this SCA is streamlined. Once active, security engineers gain access to code-level reachability analysis for every vulnerability, from build to production, including visibility into reachable findings where an attack path exists from the developer’s code through open-source dependencies to a vulnerable library or function. With these insights, security teams can accurately identify true threats, prioritizing remediation based on the likelihood and impact of exploitation. Defender for Cloud already has robust risk prioritization based on multiple risk factors including internet exposure, sensitive data exposure, access and identity privileges, business risk and more. Endor Lab’s code reachability adds another robust layer of risk prioritization to reduce noise and productivity tax associated with maintaining multiple security platforms, offering streamlined and efficient protection for today’s complex multicloud environments. Figure 1: Risk prioritization with an additional layer of code reachability analysis New enhancements to cloud security posture management with additional API, Containers, and AI grounding data insights Defender for Cloud has made a series of enhancements to its cloud security posture management (CSPM) capabilities, starting with the general availability of AI Security Posture Management (AI-SPM). AI-SPM capabilities help identify vulnerabilities and misconfigurations in generative AI applications using Azure OpenAI, Azure Machine Learning, and Amazon Bedrock. We have also added expanded support for AWS AI technologies, new recommendations, and detailed attack paths, enhancing the discovery and mitigation of AI-related risks. Additionally, enriched AI grounding data insights provide context to data in AI applications, helping prioritize risks to datastores through tailored recommendations and attack paths. We have also included API security posture management in Defender CSPM at no additional cost. With these new capabilities, security teams can automatically map APIs to their backend compute hosts, helping organizations to visualize their API topology and understand the flow of data through APIs to identify sensitive data exposure risks. This allows security teams to see full API-led attack paths and take proactive measures against potential threats such as lateral movement and data exfiltration risks. Additionally, expanded sensitive data classification now includes API URL paths and query parameters, enhancing the ability to track and mitigate data-in-transit risks. Alongside API security enhancements, Defender for Cloud has also bolstered its container security posture capabilities. These advancements ensure continuous visibility into vulnerabilities and compliance from development through deployment. Security teams can shift left by scanning container images for vulnerabilities early in the CI/CD pipeline across multicloud and private registries, including Docker Hub and JFrog Artifactory. Additionally, the public preview of full multicloud regulatory compliance assessment for CIS Kubernetes Benchmarks across Amazon EKS, Azure Kubernetes Service, and Google Kubernetes Engine provides a robust framework for securing Kubernetes environments. Elevate cloud detection and response capabilities with enhanced monitoring, forensics, and cloud-native response actions The latest advancements in the integration between Defender for Cloud and Defender XDR bring a new level of protection against sophisticated threats. One notable feature is the near real-time detection for containers, which provides a detailed view of every step an attacker takes before initiating malicious activities like crypto mining or sensitive data exfiltration. Additionally, the Microsoft Kubernetes threat matrix, developed by Microsoft security researchers, provides valuable insights into specific attack techniques, enhancing the overall security incident triaging. To complement real-time detection, we are introducing a new threat analytics report that offers a comprehensive investigation of container-related incidents, helping security teams understand the potential attack methods that attackers could leverage to infiltrate containers. It also contains threat remediation suggestions and advanced hunting techniques. Figure 2. Cloud detection and response with Defender for Cloud and Defender XDR integration The introduction of new cloud-native response actions significantly aids in putting the investigation results into action or remediation. With a single click, analysts can isolate or terminate compromised Kubernetes pods, with all actions tracked in the Investigation Action Center for transparency and accountability. The new Security Copilot assisted triage and response actions helps analysts make informed decisions faster during an investigation. In all, these advancements, coupled with the seamless integration of cloud process events for threat hunting, empower security teams to respond quickly and effectively to threats, ensuring robust protection for their digital environments. Empowering defenders to stay ahead Defender for Cloud empowers security teams to stay ahead of attackers with a comprehensive code to runtime protection. With a focus on speed, efficiency, and efficacy, defenders can keep their cloud environments secure and resilient in the face of evolving threats. To learn more about Defender for Cloud and our new innovations, you can: Check out our cloud security solution page. Join us at Ignite. Learn how you can unlock business value with Defender for Cloud. See it in action with a cloud detection and response use-case. Start a 30-day free trial.
