last sync: 2024-Apr-24 17:46:58 UTC

Microsoft Defender for APIs should be enabled

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Defender for APIs should be enabled
Id 7926a6d1-b268-4586-8197-e8ae90c877d7
Version 1.0.3
Details on versioning
Category Security Center
Microsoft Learn
Description Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (1)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.Security/pricings/pricingTier Microsoft.Security pricings properties.pricingTier false
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 5 compliance controls are associated with this Policy definition 'Microsoft Defender for APIs should be enabled' (7926a6d1-b268-4586-8197-e8ae90c877d7)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 DP-1 Azure_Security_Benchmark_v3.0_DP-1 Microsoft cloud security benchmark DP-1 Data Protection Discover, classify, and label sensitive data Shared **Security Principle:** Establish and maintain an inventory of the sensitive data, based on the defined sensitive data scope. Use tools to discover, classify and label the in- scope sensitive data. **Azure Guidance:** Use tools such as Azure Purview, Azure Information Protection and Azure SQL Data Discovery and Classification to centrally scan, classify and label the sensitive data that reside in the Azure, on-premises, Microsoft 365, and other locations. **Implementation and additional context:** Data classification overview: https://docs.microsoft.com/azure/cloud-adoption-framework/govern/policy-compliance/data-classification Label your sensitive data using Azure Purview: https://docs.microsoft.com/azure/purview/create-sensitivity-label Tag sensitive information using Azure Information Protection: https://docs.microsoft.com/azure/information-protection/what-is-information-protection How to implement Azure SQL Data Discovery: https://docs.microsoft.com/azure/sql-database/sql-database-data-discovery-and-classification Azure Purview data sources: https://docs.microsoft.com/azure/purview/purview-connector-overview#purview-data-sources n/a link 1
Azure_Security_Benchmark_v3.0 DP-2 Azure_Security_Benchmark_v3.0_DP-2 Microsoft cloud security benchmark DP-2 Data Protection Monitor anomalies and threats targeting sensitive data Shared **Security Principle:** Monitor for anomalies around sensitive data, such as unauthorized transfer of data to locations outside of enterprise visibility and control. This typically involves monitoring for anomalous activities (large or unusual transfers) that could indicate unauthorized data exfiltration. **Azure Guidance:** Use Azure Information protection (AIP) to monitor the data that has been classified and labeled. Use Azure Defender for Storage, Azure Defender for SQL and Azure Cosmos DB to alert on anomalous transfer of information that might indicate unauthorized transfers of sensitive data information. Note: If required for compliance of data loss prevention (DLP), you can use a host based DLP solution from Azure Marketplace or a Microsoft 365 DLP solution to enforce detective and/or preventative controls to prevent data exfiltration. **Implementation and additional context:** Enable Azure Defender for SQL: https://docs.microsoft.com/azure/azure-sql/database/azure-defender-for-sql Enable Azure Defender for Storage: https://docs.microsoft.com/azure/storage/common/storage-advanced-threat-protection?tabs=azure-security-center n/a link 6
Azure_Security_Benchmark_v3.0 IR-3 Azure_Security_Benchmark_v3.0_IR-3 Microsoft cloud security benchmark IR-3 Incident Response Detection and analysis - create incidents based on high-quality alerts Shared **Security Principle:** Ensure you have a process to create high-quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on false positives. High-quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources. **Azure Guidance:** Microsoft Defender for Cloud provides high-quality alerts across many Azure assets. You can use the Microsoft Defender for Cloud data connector to stream the alerts to Azure Sentinel. Azure Sentinel lets you create advanced alert rules to generate incidents automatically for an investigation. Export your Microsoft Defender for Cloud alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion. **Implementation and additional context:** How to configure export: https://docs.microsoft.com/azure/security-center/continuous-export How to stream alerts into Azure Sentinel: https://docs.microsoft.com/azure/sentinel/connect-azure-security-center n/a link 17
Azure_Security_Benchmark_v3.0 IR-5 Azure_Security_Benchmark_v3.0_IR-5 AMicrosoft cloud security benchmark IR-5 Incident Response Detection and analysis - prioritize incidents Shared **Security Principle:** Provide context to security operations teams to help them determine which incidents ought to first be focused on, based on alert severity and asset sensitivity defined in your organization’s incident response plan. **Azure Guidance:** Microsoft Defender for Cloud assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Microsoft Defender for Cloud is in the finding or the analytics used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert. Additionally, mark resources using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred. **Implementation and additional context:** Security alerts in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/security-center-alerts-overview Use tags to organize your Azure resources: https://docs.microsoft.com/azure/azure-resource-manager/resource-group-using-tags n/a link 17
Azure_Security_Benchmark_v3.0 LT-1 Azure_Security_Benchmark_v3.0_LT-1 Microsoft cloud security benchmark LT-1 Logging and Threat Detection Enable threat detection capabilities Shared **Security Principle:** To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies. Configure your alert filtering and analytics rules to extract high-quality alerts from log data, agents, or other data sources to reduce false positives. **Azure Guidance:** Use the threat detection capability of Azure Defender services in Microsoft Defender for Cloud for the respective Azure services. For threat detection not included in Azure Defender services, refer to the Azure Security Benchmark service baselines for the respective services to enable the threat detection or security alert capabilities within the service. Extract the alerts to your Azure Monitor or Azure Sentinel to build analytics rules, which hunt threats that match specific criteria across your environment. For Operational Technology (OT) environments that include computers that control or monitor Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) resources, use Defender for IoT to inventory assets and detect threats and vulnerabilities. For services that do not have a native threat detection capability, consider collecting the data plane logs and analyze the threats through Azure Sentinel. **Implementation and additional context:** Introduction to Azure Defender: https://docs.microsoft.com/azure/security-center/azure-defender Microsoft Defender for Cloud security alerts reference guide: https://docs.microsoft.com/azure/security-center/alerts-reference Create custom analytics rules to detect threats: https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom Cyber threat intelligence with Azure Sentinel: https://docs.microsoft.com/azure/architecture/example-scenario/data/sentinel-threat-intelligence n/a link 20
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2023-11-06 19:40:47 change Patch, old suffix: preview (1.0.2-preview > 1.0.3)
2023-04-17 17:42:20 change Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)
2023-01-13 18:06:06 change Patch, new suffix: preview (1.0.0 > 1.0.1-preview)
2022-08-26 16:33:38 add 7926a6d1-b268-4586-8197-e8ae90c877d7
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC