Notice
Requires the Data Collection add-on.
Integrate Azure APIM with Cortex XDR to start scanning its APIs for potential threats and vulnerabilities.
You set up an APIM policy (the mechanism that customizes the behavior of managed APIs) that sends a copy of each HTTP request and response to Cortex XDR. The data is stored and analyzed by the API security modules, which report the security risks associated with the APIs.
Note
Microsoft Azure APIM service must be running before starting to configure the integration.
In Cortex XDR, set up the Azure API Management data source to integrate with the Azure API Gateway.
From Settings → Data Sources & Integrations , click + Add New, search for Azure API Management, then hover over it and click Add or Add Instance.
In the APIM Collector wizard, enter a relevant name and then click Create and Proceed.
Copy the key and store it securely (for example, in a secrets manager); you need it, together with the API URL shown for this data source, when you create the named values in Azure.
The key is shown only once. If you close the window without recording it, you must generate a new key and repeat this process.
Click Close.
Configure an inbound and outbound policy to send HTTP traffic data of the APIs to Cortex XDR. You can configure a policy for individual operations (endpoints) or all operations of a single API.
Follow the steps to configure the policy.
Log in to Microsoft Azure.
Go to API Management services and select the relevant service.
From the left-hand menu, select APIs → Named values.
Note
From the browser URL, save the subscription ID and the resource group name. The URL has the form /resource/subscriptions/<UUID>/resourceGroups/<ResourceGroup>, where <UUID> is the Azure subscription ID and <ResourceGroup> is the resource group in which the APIM service is defined.
Configure the settings in each of the sections. Follow the steps in the order they are listed.
Note
Use the search to navigate to the specific section.
Named values: Add the values:
cloud-account-id
Type: Plain
Value: The UUID you saved from the previous step.
cloud-resource-group
Type: Plain
Value: The resource group you saved from the previous step.
cortex-api-key
Type: Secret
Value: The token that you saved from data sources in Cortex.
cortex-api-url
Type: Plain
Value: The API URL from data sources in Cortex.
cortex-http-body-size-limit-bytes
Type: Plain
Value: 131072
Note
131072 bytes = 128 KB. This value is the maximum size of the request body and of the response body sent to Cortex; anything beyond the limit is truncated, and the payload flags the truncation (requestBodyTruncated / responseBodyTruncated). The policy applies the limit to the length of the decoded body string (characters), so for non-ASCII bodies the number of bytes actually sent can differ slightly from this value.
APIs: From the left-hand menu, go to APIs → APIs.
You can create a policy on a specific API or choose to create a policy on all APIs.
From Inbound processing, click the policy code editor icon (</>).
The policy editor opens. The policy document has three sections that this integration uses, <inbound>, <backend> and <outbound> (the <on-error> section is left unchanged).
Policies in the <inbound> section run on the client's request before it is forwarded to the backend, so this is where the request body and headers are captured. Add the following at the very beginning of the <inbound> element:

```xml
<!-- Save the request body and headers to be sent to Cortex. This should always be placed at the very beginning of the inbound element. -->
<!-- preserveContent: true keeps the body readable by later policies and by the backend. -->
<set-variable name="requestBody" value="@((context.Request?.Body?.As<string>(preserveContent: true)) ?? string.Empty)" />
<set-variable name="requestHeaders" value="@(JsonConvert.SerializeObject(context.Request.Headers))" />
<!-- End of setting variables for sending to Cortex -->
```

Note
If any other inbound policies are needed, add them after these elements, so that the captured body and headers are the ones the client actually sent.
Policies in the <outbound> section run on the backend's response before it is returned to the caller, so this is where the saved request data and the response are posted to Cortex. Add the following inside the <outbound> element, at the end, after all other child elements:

```xml
<!-- Send data to Cortex. This should always be placed at the very end of the outbound element. -->
<!-- Depends on the requestBody and requestHeaders variables set by the inbound snippet. -->
<send-request mode="new" response-variable-name="mirrorMessage">
    <set-url>{{cortex-api-url}}</set-url>
    <set-method>POST</set-method>
    <set-header name="Content-Type" exists-action="override">
        <value>application/json</value>
    </set-header>
    <set-header name="Authorization" exists-action="override">
        <value>{{cortex-api-key}}</value>
    </set-header>
    <set-body>@{
        string requestBody = context.Variables.GetValueOrDefault<string>("requestBody");
        // Same null-safe pattern as the inbound snippet, so a response without a body does not fail the policy.
        string responseBody = (context.Response?.Body?.As<string>(preserveContent: true)) ?? string.Empty;
        int bodySizeLimit = {{cortex-http-body-size-limit-bytes}};
        bool requestBodySizeExceedsLimit = requestBody.Length > bodySizeLimit;
        bool responseBodySizeExceedsLimit = responseBody.Length > bodySizeLimit;
        return JsonConvert.SerializeObject(new {
            accountId = "{{cloud-account-id}}",
            serviceId = context.Deployment.ServiceId,
            requestId = context.RequestId,
            url = context.Request.OriginalUrl,
            httpMethod = context.Request.Method,
            requestBody = requestBodySizeExceedsLimit ? requestBody.Substring(0, bodySizeLimit) : requestBody,
            requestBodyTruncated = requestBodySizeExceedsLimit,
            requestHeaders = JsonConvert.DeserializeObject(context.Variables.GetValueOrDefault<string>("requestHeaders")),
            timestamp = new DateTimeOffset(context.Timestamp).ToUnixTimeMilliseconds(),
            requestIpAddress = context.Request.IpAddress,
            statusCode = context.Response.StatusCode,
            responseBody = responseBodySizeExceedsLimit ? responseBody.Substring(0, bodySizeLimit) : responseBody,
            responseBodyTruncated = responseBodySizeExceedsLimit,
            responseHeaders = context.Response.Headers,
            region = context.Deployment.Region,
            subscription = context.Subscription,
        });
    }</set-body>
</send-request>
<!-- End of sending data to Cortex -->
```

Important
If you add other policies to the <outbound> section, add them before this block so that it remains the last element. Note also that send-request is synchronous: per Azure's policy reference it waits for the mirror call to complete (the timeout defaults to 60 seconds) before the response is returned to the client, and with the default ignore-error="false" a failed mirror call raises a policy error. Measure the added latency on a test API first and decide whether a shorter timeout and ignore-error="true" are appropriate for your environment.
Click Save. Your APIM traffic collection is now configured.
Request and response data for the configured endpoints are sent to Cortex XDR for inspection by API security modules.
In Cortex XDR, open the Azure API Management data source and confirm that data is being ingested from Azure APIM.
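Before pointing the policy at Cortex, it helps to see exactly what the <outbound> snippet emits and whether the named values were wired correctly. The following is an added example, not Cortex XDR or Azure code: a local stand-in for the Cortex endpoint that accepts the POST the policy sends, checks the Authorization header against the value you stored in the cortex-api-key named value, and validates the field set and the truncation flags of the JSON body. The field names and the truncation rule are taken from the <set-body> expression above; the receiver, its status codes, and all helper names (build_mirror_payload, validate_payload, start_receiver, send_payload) are this example's own assumptions. To test with real APIM traffic, run it on a host that APIM can reach, temporarily set cortex-api-url to that host, and restore the real URL afterwards.

```python
"""Local stand-in for the Cortex endpoint that the APIM <outbound> policy posts to.

Added example, not Cortex XDR or Azure code. Field names and the truncation rule
come from the policy's <set-body> expression; everything else is assumed here.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Fields the policy's <set-body> expression serializes.
REQUIRED_FIELDS = frozenset({
    "accountId", "serviceId", "requestId", "url", "httpMethod",
    "requestBody", "requestBodyTruncated", "requestHeaders", "timestamp",
    "requestIpAddress", "statusCode", "responseBody", "responseBodyTruncated",
    "responseHeaders", "region", "subscription",
})


def truncate_body(body: str, limit: int) -> tuple[str, bool]:
    """Apply the policy's rule: cut at `limit` characters and flag the cut.
    The policy compares string Length (UTF-16 code units), not bytes, so a
    non-ASCII body can still exceed `limit` bytes on the wire."""
    if len(body) > limit:
        return body[:limit], True
    return body, False


def build_mirror_payload(request_body: str, response_body: str, limit: int, **fields) -> dict:
    """Constructed payload in the shape the policy emits; the remaining fields
    (requestId, statusCode, ...) are supplied by the caller as keyword arguments."""
    req, req_cut = truncate_body(request_body, limit)
    resp, resp_cut = truncate_body(response_body, limit)
    payload = {"requestBody": req, "requestBodyTruncated": req_cut,
               "responseBody": resp, "responseBodyTruncated": resp_cut}
    payload.update(fields)
    return payload


def validate_payload(payload: dict, limit: int) -> list[str]:
    """Return the problems found; an empty list means the payload is well formed."""
    problems = []
    missing = REQUIRED_FIELDS - payload.keys()
    if missing:
        problems.append("missing fields: " + ", ".join(sorted(missing)))
    for side in ("request", "response"):
        body, cut = payload.get(side + "Body"), payload.get(side + "BodyTruncated")
        if not isinstance(body, str) or not isinstance(cut, bool):
            problems.append(side + "Body/" + side + "BodyTruncated has the wrong type")
        elif len(body) > limit or (cut and len(body) != limit):
            problems.append(side + "Body length does not match the limit and flag")
    if not isinstance(payload.get("statusCode"), int):
        problems.append("statusCode is not an integer")
    return problems


class MirrorReceiver(BaseHTTPRequestHandler):
    api_key = "REPLACE-ME"  # the value stored in the cortex-api-key named value
    limit = 131072          # the cortex-http-body-size-limit-bytes named value
    received = []           # accepted payloads, in arrival order

    def do_POST(self):
        # The policy sends the key verbatim in Authorization (no "Bearer " prefix).
        if self.headers.get("Authorization") != self.api_key:
            return self._reply(401, {"error": "invalid api key"})
        raw = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        try:
            payload = json.loads(raw)
        except ValueError:
            return self._reply(400, {"error": "body is not JSON"})
        problems = validate_payload(payload, self.limit)
        if problems:
            return self._reply(422, {"error": problems})
        self.received.append(payload)
        self._reply(200, {"ok": True})

    def _reply(self, status: int, obj: dict) -> None:
        data = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_receiver(api_key: str, host: str = "127.0.0.1", port: int = 0, limit: int = 131072) -> HTTPServer:
    """Serve on a background thread; port 0 picks a free port (see server.server_address)."""
    MirrorReceiver.api_key, MirrorReceiver.limit, MirrorReceiver.received = api_key, limit, []
    server = HTTPServer((host, port), MirrorReceiver)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send_payload(url: str, payload: dict, api_key: str) -> int:
    """POST a payload the way the policy does and return the HTTP status code."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Content-Type": "application/json", "Authorization": api_key})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    srv = start_receiver("example-key", host="0.0.0.0", port=8080)
    print("mirror receiver listening on", srv.server_address)
    threading.Event().wait()
```

A rejected payload (401, 400 or 422) in this receiver is the same class of failure you would otherwise only see as missing data in the Cortex data source: a wrong or unset named value shows up as 401, and a body truncated by a different rule than the one documented shows up as 422. Because the policy compares the header to the key verbatim, any quoting added around the cortex-api-key named value breaks authentication; the receiver makes that visible immediately.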
Do the following to remove the integration of Azure APIM with Cortex XDR:
Remove the snippets you added to the policies.
Remove the named values from the API service.
Delete the HTTP log collector instance you created from Data Sources & Integrations in Cortex XDR.