This chapter covers Microsoft Defender for APIs threat detection, a critical capability within Microsoft Defender for Cloud that protects APIs from OWASP Top 10 threats, authentication abuse, and data exfiltration. For the SC-200 exam, this topic appears in approximately 5-7% of questions under objective 3.1 (Plan and implement a security operations strategy for cloud services). Understanding how Defender for APIs detects threats, its integration with API Management and Logic Apps, and the specific alerts it generates is essential for passing the exam. We will dive deep into the detection mechanisms, configuration, and real-world deployment scenarios.
Jump to a section
Think of an API as the entrance to a large office building. Each request to the API is like a visitor entering the lobby. Microsoft Defender for APIs acts as a sophisticated security desk with multiple layers. First, it checks the visitor's ID (authentication token) and compares it against a list of expected visitors (API schema). It also looks for suspicious behavior: if a visitor tries to enter through a fire exit (unexpected parameter), the alarm sounds. The security desk logs every entry, noting the time, visitor ID, and which floor they went to (endpoint). Over time, the desk learns normal patterns—most visitors arrive between 8 AM and 6 PM, and they use the main entrance. If a visitor shows up at 3 AM trying to access the server room (sensitive data endpoint), the desk flags it as anomalous. Additionally, the desk has a 'hot list' of known criminals (threat intelligence) and will immediately alert if they appear. The security desk also watches for brute-force attempts: if the same person tries multiple fake IDs in quick succession, they are blocked. Finally, the desk provides a daily report to the building manager (security operations team) summarizing all incidents, allowing them to improve security policies. This continuous monitoring, learning, and alerting is exactly how Defender for APIs protects your cloud APIs from threats like injection attacks, authentication abuse, and data exfiltration.
What is Defender for APIs Threat Detection?
Microsoft Defender for APIs is a cloud-native security solution that continuously monitors your APIs (both REST and GraphQL) for malicious activity and suspicious behavior. It is part of Microsoft Defender for Cloud's workload protection plans and is specifically designed to address the unique security challenges of APIs, such as injection attacks (SQL, NoSQL, command), broken authentication, excessive data exposure, and API abuse (DDoS, scraping).
Defender for APIs does not require agents or SDKs; it works by analyzing API traffic logs from Azure API Management (APIM) and Azure App Service (for Logic Apps). It uses machine learning models trained on Microsoft's global threat intelligence to detect anomalies and known attack patterns.
How It Works Internally
When an API request is processed by Azure API Management, APIM generates diagnostic logs that contain metadata about the request: source IP, user agent, request method (GET, POST, etc.), URL path, query parameters, headers, and response status code. These logs are sent to a Log Analytics workspace (if configured) and are ingested by Defender for APIs.
Defender for APIs performs the following steps:
Schema Discovery: It automatically discovers all API endpoints defined in APIM and learns the expected request/response schemas (parameters, data types, authentication methods). This establishes a baseline of normal behavior.
2. Threat Detection: The service applies multiple detection methods: - Signature-based detection: Matches known attack patterns (e.g., SQL injection patterns like ' OR '1'='1, XSS payloads, path traversal sequences). - Anomaly detection: Uses machine learning to detect deviations from the learned baseline, such as unusual request rates, unexpected parameter values, or access from unusual geographies. - Behavioral analysis: Monitors for suspicious sequences of API calls, like credential stuffing (multiple failed authentications followed by a success) or data scraping (rapid enumeration of resource IDs). - Threat intelligence: Compares source IPs against Microsoft's threat intelligence feeds for known malicious actors (Tor exit nodes, known botnets, etc.).
Alert Generation: When a threat is detected, Defender for APIs generates a security alert in Microsoft Defender for Cloud. The alert includes the affected API endpoint, the specific request that triggered the alert, the detection technique used, and a severity level (High, Medium, Low). Alerts are correlated with other Defender for Cloud signals to provide context.
Investigation & Response: Security analysts can investigate alerts using the Defender for Cloud dashboard, which provides a timeline of events, related alerts, and recommendations for remediation (e.g., rate limiting, WAF rules, blocking IPs).
Key Components, Values, Defaults, and Timers
Log Analytics Workspace: Required for storing APIM diagnostic logs. Default retention is 30 days for free tier, but can be extended up to 730 days. Defender for APIs requires logs to be sent to a Log Analytics workspace.
Azure API Management: Must be configured to send diagnostic logs to a Log Analytics workspace. The diagnostic setting should include 'GatewayLogs' (for HTTP requests) and optionally 'WebSocketConnectionLogs'.
Defender for Cloud Pricing Tier: Defender for APIs is a plan that adds $2.50 per 1 million API calls (as of 2025). It must be enabled on the subscription level.
Alert Severity Levels: High (immediate threat), Medium (potential threat), Low (informational). Exam tip: Know that severity is determined by confidence and impact.
Detection Latency: Typically 5-15 minutes from request to alert, depending on log ingestion and processing.
Supported APIs: REST APIs in Azure API Management (including self-hosted gateways) and Logic Apps (HTTP triggers). GraphQL support is limited to signature-based detection.
Configuration and Verification Commands
To enable Defender for APIs:
Enable Defender for Cloud on your subscription (if not already).
Enable the 'Defender for APIs' plan:
az security pricing create --name 'Api' --tier 'Standard' --sub <subscription-id>Configure diagnostic settings for API Management to send logs to Log Analytics:
az monitor diagnostic-settings create --name "APIM-Defender" --resource <apim-resource-id> --workspace <workspace-id> --logs "[{\"category\":\"GatewayLogs\",\"enabled\":true}]" --metrics "[{\"category\":\"AllMetrics\",\"enabled\":true}]"Verify the integration by checking the Defender for Cloud dashboard under 'Workload protections' -> 'API security'. You should see a list of discovered API endpoints.
To view alerts:
az security alert list --subscription <subscription-id> --query "[?contains(alertDisplayName, 'API')]"Interaction with Related Technologies
Azure Web Application Firewall (WAF): Defender for APIs complements WAF. WAF blocks known attacks at the edge (OWASP Top 10), while Defender for APIs detects more complex threats (anomalies, behavioral attacks) and provides deeper investigation. WAF is recommended for blocking, Defender for APIs for detection and response.
Microsoft Sentinel: Alerts from Defender for APIs can be ingested into Sentinel for advanced correlation and automated response (SOAR). Sentinel provides a unified SIEM for all security events.
Azure Policy: Can enforce that API Management instances have diagnostic logs enabled and Defender for APIs plan active.
Microsoft Defender for Cloud Apps (MCAS): For APIs exposed to the internet, MCAS can provide additional shadow IT discovery and session control, though Defender for APIs is more focused on API-specific threats.
Exam-Relevant Details
Log Source: Only Azure API Management and Logic Apps are supported. Custom APIs hosted on VMs or AKS are not covered unless behind APIM.
Alert Types: The exam tests specific alert names: 'Suspicious API request detected', 'API endpoint under DDoS attack', 'Brute force attack on API', 'Data exfiltration via API' (example names; actual names may vary).
False Positives: The machine learning model can be tuned by providing feedback (dismissing alerts) to reduce false positives over time.
Limitations: Does not detect threats in real-time; depends on log ingestion. Cannot block requests automatically (use WAF for blocking).
Enable Defender for APIs Plan
Navigate to Microsoft Defender for Cloud -> Environment settings -> Select your subscription -> Defenders plans -> Find 'APIs' and set to 'On'. Alternatively, use Azure CLI: `az security pricing create --name 'Api' --tier 'Standard'`. This activates the detection engine for your subscription. Note: There is a cost of $2.50 per 1 million API calls. Ensure your budget allows for this. The plan must be enabled before logs can be analyzed.
Configure API Management Diagnostics
In your Azure API Management instance, go to 'Diagnostic settings' -> Add diagnostic setting. Select 'GatewayLogs' and optionally 'WebSocketConnectionLogs'. Choose 'Send to Log Analytics workspace' and select the workspace where Defender for Cloud is enabled. Also enable 'AllMetrics' for performance data. This ensures all API request metadata is sent to Log Analytics for analysis.
Verify Log Ingestion
After configuring diagnostics, wait 5-10 minutes. Then query the Log Analytics workspace: `ApiManagementGatewayLogs | take 10`. You should see log entries with fields like `ApiId`, `OperationId`, `RequestMethod`, `Url`, `ResponseCode`, `ClientIp`, `UserAgent`. If no logs appear, check that the API Management instance is receiving traffic and that diagnostic settings are correctly configured. This step confirms the data pipeline works.
Check Defender for APIs Discovery
In Defender for Cloud, go to 'Workload protections' -> 'API security'. You should see a list of discovered API endpoints. If none appear, verify that the subscription has the Defender for APIs plan enabled and that logs are flowing. Discovery may take up to 24 hours after first log ingestion. The list includes endpoint paths, methods, and authentication requirements learned from traffic.
Review Generated Alerts
After some time, go to 'Security alerts' in Defender for Cloud. Filter by 'API' in the alert name. Examples: 'Suspicious API request detected', 'API endpoint under DDoS attack'. Click an alert to see details: affected API, source IP, detection technique, and recommended actions. You can dismiss false positives or trigger automated responses via Sentinel. This step is crucial for incident response.
Enterprise Scenario 1: E-commerce Platform with Public APIs
A large e-commerce company exposes APIs for product catalog, cart, and checkout. They use Azure API Management with rate limiting and OAuth2 authentication. However, they experienced a credential stuffing attack where attackers used stolen credentials to access user accounts and place fraudulent orders. Defender for APIs detected the attack by identifying a high number of failed authentication attempts (401 responses) from a single IP range followed by successful logins. The alert 'Brute force attack on API' was generated with medium severity. The security team used the alert details to block the offending IPs in the WAF and implemented CAPTCHA for login endpoints. Configuration: They ensured all API Management logs were sent to Log Analytics and enabled the Defender for APIs plan. The detection latency was about 10 minutes, which allowed the attackers to compromise 20 accounts before the alert. The team learned to combine Defender for APIs with Azure AD Identity Protection for real-time blocking. Performance: The platform handles 50 million API calls per day; Defender for APIs cost ~$125/day (at $2.50 per million). Misconfiguration: Initially, they forgot to enable 'GatewayLogs' for all API Management instances, missing coverage for some endpoints.
Enterprise Scenario 2: Financial Services with Internal APIs
A bank uses Logic Apps with HTTP triggers to process loan applications. These APIs are internal but exposed over the internet for partner integrations. Defender for APIs detected a SQL injection attempt in a query parameter: ' OR 1=1--. The alert 'Suspicious API request detected' triggered at high severity. The bank had a WAF in front, but the WAF rule for SQL injection was not configured for the specific parameter. The alert allowed the security team to update the WAF rule and also identify that the attacker was scanning for vulnerabilities. They used the alert to trace the source IP and found it belonged to a known scanning service. They blocked the IP and added it to threat intelligence feeds. Configuration: They set up diagnostic logs for the Logic Apps (via App Service diagnostics) and enabled the Defender for APIs plan. They also integrated with Sentinel for automated response (runbook to block IP in WAF). Scale: The bank processes 1 million API calls per month; cost is minimal. Misconfiguration: They initially thought Defender for APIs would automatically block the request, but it only detects; they had to implement blocking separately.
Enterprise Scenario 3: Healthcare API for Patient Data
A healthcare provider exposes a FHIR API for patient records. They require strict compliance with HIPAA. Defender for APIs detected an anomaly: a user downloaded 10,000 patient records in 5 minutes, which was 100x the normal rate. The alert 'Data exfiltration via API' triggered at high severity. The security team investigated and found that a legitimate partner's API key was compromised. They revoked the key and alerted the partner. This detection prevented a major data breach. Configuration: They used Defender for APIs with custom anomaly detection thresholds (default thresholds are tuned for general use; they adjusted sensitivity via feedback). They also enabled auditing of all API calls. Scale: 10 million calls per month. Misconfiguration: They initially had no rate limiting on the API, so the exfiltration was possible. They implemented rate limiting after the incident.
What the SC-200 Exam Tests on Defender for APIs (Objective 3.1)
The exam focuses on your ability to plan and implement a security operations strategy for cloud services, including APIs. Specifically, you need to know:
How to enable Defender for APIs (pricing tier, prerequisites).
What data sources are used (Azure API Management gateway logs, Logic Apps).
The types of threats detected (injection, authentication abuse, DDoS, data exfiltration).
How to investigate and respond to API security alerts.
The integration points with WAF, Sentinel, and Azure Policy.
Common Wrong Answers and Why Candidates Choose Them
'Defender for APIs can block malicious requests automatically.' Many candidates assume it works like WAF. Reality: Defender for APIs is a detection-only service. It alerts but does not block. Blocking requires WAF or custom remediation.
'Defender for APIs requires an agent installed on the API server.' Candidates confuse it with Defender for Servers. Reality: It is agentless, using log analysis.
'Defender for APIs detects threats in real-time.' The exam tests that detection latency is 5-15 minutes due to log ingestion. Real-time detection is not supported.
'Defender for APIs supports any API hosted in Azure.' Only APIs behind Azure API Management or Logic Apps are supported. Custom APIs on VMs or AKS are not covered unless routed through APIM.
Specific Numbers and Terms That Appear Verbatim
Cost: $2.50 per 1 million API calls.
Log source: GatewayLogs category in Azure API Management diagnostic settings.
Alert names: 'Suspicious API request detected', 'API endpoint under DDoS attack', 'Brute force attack on API', 'Data exfiltration via API' (exact names may vary but are descriptive).
Detection techniques: Signature-based, anomaly detection, behavioral analysis, threat intelligence.
Integration: WAF (blocking), Sentinel (SIEM), Azure Policy (compliance).
Edge Cases and Exceptions
If API Management is in a different region than Log Analytics, cross-region log ingestion may increase latency.
Self-hosted gateways (on-premises) also send logs to Azure, so Defender for APIs works with them.
GraphQL APIs have limited detection (only signature-based, no anomaly detection).
If you disable diagnostic logs after enabling Defender for APIs, the service stops detecting threats but does not generate an error.
How to Eliminate Wrong Answers
When you see a question about API threat detection, first identify if the question asks about detection or blocking. If it mentions blocking, look for WAF or Azure Front Door as the answer. If it mentions detection, look for Defender for APIs. Also, look for keywords: 'logs', 'anomaly', 'machine learning' point to Defender for APIs; 'OWASP', 'rate limiting' point to WAF. Finally, remember that Defender for APIs is a plan that must be enabled; it is not automatic.
Defender for APIs is a detection-only service that alerts on threats like injection, brute force, and data exfiltration.
It requires Azure API Management diagnostic logs (GatewayLogs) sent to a Log Analytics workspace.
Detection latency is 5-15 minutes; not real-time.
Cost is $2.50 per 1 million API calls.
Integration with WAF is recommended for blocking; Defender for APIs provides the detection layer.
Only supports APIs in Azure API Management and Logic Apps (HTTP triggers).
Alerts can be ingested into Microsoft Sentinel for advanced response automation.
These come up on the exam all the time. Here's how to tell them apart.
Defender for APIs
Detection-based: generates alerts for suspicious activity.
Uses machine learning and anomaly detection to identify unknown threats.
Requires logs from Azure API Management (GatewayLogs).
Cannot block requests; only alerts.
Cost: $2.50 per 1 million API calls.
Azure WAF (Web Application Firewall)
Blocking-based: can block malicious requests at the edge.
Uses signature-based rules (OWASP Top 10) and custom rules.
Works at the network layer (Azure Front Door, Application Gateway, CDN).
Can block requests automatically based on rules.
Cost: based on policy units and data processed.
Mistake
Defender for APIs can automatically block malicious API requests.
Correct
Defender for APIs is a detection-only service. It generates alerts but does not block traffic. To block malicious requests, you need Azure WAF, API Management policies (rate limiting, IP filtering), or custom automation via Sentinel.
Mistake
Defender for APIs works for any API in Azure, including those on VMs or AKS.
Correct
Defender for APIs only supports APIs managed by Azure API Management (including self-hosted gateways) and Logic Apps with HTTP triggers. APIs hosted on VMs or AKS are not supported unless they are fronted by API Management.
Mistake
Defender for APIs provides real-time threat detection.
Correct
Detection is not real-time. There is a latency of 5-15 minutes due to log ingestion and processing time. Real-time detection is not possible with this log-based approach.
Mistake
Enabling Defender for APIs automatically configures diagnostic logs for API Management.
Correct
You must manually configure diagnostic settings in API Management to send GatewayLogs to a Log Analytics workspace. Defender for APIs does not enable this automatically.
Mistake
Defender for APIs protects against all OWASP Top 10 threats out of the box.
Correct
Defender for APIs detects a subset of OWASP threats, primarily injection, broken authentication, and excessive data exposure. For comprehensive OWASP protection, you need a WAF (e.g., Azure WAF) in addition to Defender for APIs.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
In Microsoft Defender for Cloud, go to 'Environment settings' -> select your subscription -> 'Defender plans' -> find 'APIs' and toggle to 'On'. You can also use Azure CLI: `az security pricing create --name 'Api' --tier 'Standard'`. Ensure you have a Log Analytics workspace configured and API Management diagnostics sending GatewayLogs to that workspace.
It detects injection attacks (SQL, NoSQL, command), authentication abuse (brute force, credential stuffing), DDoS, data exfiltration, and anomalous behavior. It uses signature-based detection, machine learning anomaly detection, behavioral analysis, and threat intelligence.
No, Defender for APIs is detection-only. It generates security alerts but does not block traffic. To block malicious requests, you should use Azure WAF, API Management policies (e.g., rate limiting, IP restriction), or automated response via Sentinel.
Yes, but with limitations. GraphQL APIs are supported only for signature-based detection (e.g., injection patterns). Anomaly detection and behavioral analysis are not available for GraphQL due to the dynamic nature of queries.
The cost is $2.50 per 1 million API calls. This is separate from the base Defender for Cloud pricing. You only pay for the number of API calls processed by the protected API Management instances.
Typically 5-15 minutes. This depends on log ingestion from API Management to Log Analytics and the processing time by Defender for APIs. It is not real-time.
Yes, if you use Azure API Management's self-hosted gateway. The gateway sends logs to Azure, and Defender for APIs can analyze them. Ensure the self-hosted gateway is configured to send logs to the same Log Analytics workspace.
You've just covered Defender for APIs Threat Detection — now see how well it sticks with free SC-200 practice questions. Full explanations included, no account needed.
Done with this chapter?