CrowdStrike is an EDR (Endpoint Detection and Response) platform that provides real-time threat detection and response capabilities, automated incident response, and forensic investigation capabilities. Integrate CrowdStrike to Drata to get antivirus and device health related compliance evidence for all of your devices from your approved software.
Prerequisites
Connect to an MDM (Mobile Device Management) connection type or the Drata agent before connecting CrowdStrike.
Ensure that CrowdStrike Falcon is running on the devices for which you intend to sync antivirus and device health information into Drata.
💡 Note: The MDM connection type or the Drata agent syncs device serial numbers, which are used to link the devices brought through the CrowdStrike integration. The CrowdStrike hosts' serial numbers must match the serial numbers sourced by the Drata agent or the MDM connections. If not, admins can manually link devices after successfully connecting CrowdStrike.
Drata will only provide CrowdStrike evidence for devices that are linked.
Any devices that are not linked fail the compliance test for Malware Detection Software Installed on Employee Computers (Test 64).
Create an API client and API scope with Hosts (Read).
To create API client:
Log into CrowdStrike Falcon Console.
Navigate to your API Clients and Key. You may be able to access this by selecting your username and then selecting API Client and Keys from the dropdown menu.
On the API Clients and Keys page, select the Create API client button and enter the name, descriptions, and assign permissions. Ensure to select the Read permissions for Hosts.
The API client provides the client name, client secret, and API URL which are the required fields to connect CrowdStrike to Drata.
Enable CrowdStrike
💡Note: After successfully connecting CrowdStrike, Test 64 (Test: Malware detection software installed) is automatically enabled. After connecting, review the Tests section within this article for more information.
Select Connections on the side navigation menu.
Select the Available connections tab, search for Crowdstrike, and select Connect.
You cannot connect CrowdStrike multiple times to Drata. You can only have one CrowdStrike connection.
Follow the instructions on the connection drawer.
Enter the following fields: API URL, Client ID, and Client Secret. You should have created an API client which provides the required information.
Select Save connection. If the connection is successful, a green success notification banner is displayed on your connection drawer.
Verify your connection
To verify that the connection is enabled, go to the Active connections tab and search for your connection. Select Review linked devices.
You are taken to a new page which contains a table of the CrowdStrike devices that are linked to Drata devices. These devices are matched by the device serial number. If there is no match, you can manually link the CrowdStrike devices to a Drata device.
After successful integrations, this connection provides different abilities within Drata. Learn more in the following sections.
Tests
Malware Detection Software Installed on Employee Computers (test 64) is automatically enabled after a successful connection. The test verifies if the CrowdStrike Falcon agent is running in a correct state on all devices.
Go to the Monitoring page and search for Malware Detection Software Installed on Employee Computers. If the test fails, a list of all the failed devices is displayed in the test drawer.
Verify if the column for CrowdStrike serial number is empty.
If it is empty, that means a CrowdStrike device is not linked to a Drata device and the CrowdStrike Falcon agent was not found on the Drata device (which is the hardware asset in Drata).
Verify if the Prevention policy value is false (not just empty).
If it is false, that means the prevention policy is not configured and devices are unprotected. You can download the list of failed devices as a CSV file from Malware Detection Software Installed on Employee Computers (Test 64).
To learn how to resolve issues, refer to Test: Malware Detection Software Installed.
You can exclude devices from this test by excluding the Personnel to whom the device belongs, or unlinking the device.
Personnel page
Go to the Personnel page. You can filter by Device compliance. Select the personnel and on the personnel detail drawer, scroll to the Device section. The information from CrowdStrike is displayed on the Antivirus section.
Asset page
Go to the Assets page. Filter by a Class value of Hardware.
The assets that have a Hardware class type showcase the Device compliance section. The information is based on the antivirus information from CrowdStrike.
Troubleshoot
If a Drata device is failing an antivirus test, confirm that the device is linked. You can go to the Connections page, select the Active connections tab, search CrowdStrike, and select Review linked devices. Verify if the device is linked by viewing if the column under CrowdStrike device name is empty.
If the Drata device is correctly linked to a CrowdStrike device, then reach out to Drata support.