turbot/steampipe-mod-azure-compliance

Control: 8.1.2.1 Ensure Microsoft Defender for APIs is set to 'On'

Description

Microsoft Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs.

While an automated assessment procedure exists for this recommendation, the assessment status remains manual. Due to its potentially high cost, Microsoft Defender for APIs may not be suitable for all environments and should be evaluated carefully before implementation.

Microsoft Defender for APIs helps provide visibility into business-critical APIs, assess and improve their security posture, prioritize vulnerability remediation, and detect threats in real time.

Remediation

Remediate from Azure Portal

  1. Go to Microsoft Defender for Cloud.
  2. Under Management, click Environment settings.
  3. Click the name of a subscription.
  4. Select the Defender plans blade.
  5. Under Cloud Workload Protection (CWP), in the row for APIs, set the toggle switch for Status to On.
  6. Select a plan.
  7. Click Save to save the plan selection.
  8. Click Save to enable Defender for APIs.

Remediate from Azure CLI

Run the following command to enable Defender for APIs:

az security pricing create --name Api --tier Standard --subplan <subplan>

Valid subplan values: P1, P2, P3, P4, and P5.

Remediate from PowerShell

Run the following command to enable Defender for APIs:

Set-AzSecurityPricing -Name Api -PricingTier Standard -SubPlan <subplan>

Valid SubPlan values: P1, P2, P3, P4, and P5.

Default Value

Defender for APIs is disabled by default.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_8_1_2_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_8_1_2_1 --share

SQL

This control uses a named query:

select
  p.id as resource,
  case
    when p.name = 'Api' and p.pricing_tier = 'Standard' then 'ok'
    else 'alarm'
  end as status,
  case
    when p.name = 'Api' and p.pricing_tier = 'Standard'
      then 'Microsoft Defender for APIs is enabled with ' || p.pricing_tier || ' tier.'
    when p.name = 'Api'
      then 'Microsoft Defender for APIs is disabled, current tier: ' || p.pricing_tier || '.'
    else 'Microsoft Defender for APIs pricing not found.'
  end as reason
  , sub.display_name as subscription
from
  azure_security_center_subscription_pricing p
  right join azure_subscription sub on p.subscription_id = sub.subscription_id
where
  p.name = 'Api';
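
In the query above, the where clause on p.name is applied after the right join, so a subscription for which the pricing table returns no Api row is dropped from the results and never reaches the 'pricing not found' branch. The variant below is an added example, not the mod's own query: it moves the filter into the join condition so every subscription produces exactly one row. It uses only the tables and columns shown above; the fallback resource string is an assumption made for illustration.

```sql
-- Added example: variant of the control query, not the mod's named query.
-- Filtering on p.name inside the join (instead of in WHERE) keeps
-- subscriptions that have no Api pricing row, so they are reported as
-- 'alarm' rather than silently omitted.
select
  -- Assumption: when no pricing row exists, fall back to a subscription path
  -- built from subscription_id so the resource column is never null.
  coalesce(p.id, '/subscriptions/' || sub.subscription_id) as resource,
  case
    when p.pricing_tier = 'Standard' then 'ok'
    else 'alarm'
  end as status,
  case
    when p.pricing_tier = 'Standard'
      then 'Microsoft Defender for APIs is enabled with ' || p.pricing_tier || ' tier.'
    when p.name is not null
      then 'Microsoft Defender for APIs is disabled, current tier: ' || p.pricing_tier || '.'
    else 'Microsoft Defender for APIs pricing not found.'
  end as reason,
  sub.display_name as subscription
from
  azure_subscription sub
  left join azure_security_center_subscription_pricing p
    on p.subscription_id = sub.subscription_id
    and p.name = 'Api'
order by
  status,
  subscription;
```

Comparing its row count with the number of rows in azure_subscription confirms that no subscription is missing from the assessment.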
