CrowdStrike is an Endpoint Detection and Response (EDR) platform that provides real-time threat detection, automated response, and forensic investigation. Connecting CrowdStrike to Drata allows you to collect antivirus and device health compliance evidence for your devices.
Prerequisites
Connect only one CrowdStrike account per Drata workspace.
Install CrowdStrike Falcon on all devices you want Drata to monitor.
Create a CrowdStrike API client with the following scope:
Hosts permission with Read enabled.
Set up an MDM connection in Drata (e.g., Jamf, Intune, Kandji) or install the Drata Agent on devices. This provides the device serial numbers Drata needs to link devices with CrowdStrike.
Create an API Client in CrowdStrike
Log in to your CrowdStrike Falcon admin console.
Go to Support and Resources > Resources and Tools > API Clients and Keys.
In the API Clients and Keys window, select OAuth2 API Clients > Create API Client.
Enter:
Name: Drata Integration
Description: (optional)
Enable Read for the Hosts permission.
Save and copy the generated values:
Client ID
Client Secret
Base URL (depends on your CrowdStrike cloud region, e.g. https://api.crowdstrike.com, https://api.us-2.crowdstrike.com, or https://api.eu-1.crowdstrike.com).
Connect CrowdStrike in Drata
In Drata, go to Connections (left navigation).
Select the Available Connections tab.
Search for CrowdStrike and click Connect.
Enter the values from your API client:
Base URL
Client ID
Client Secret
Select Save Connection.
After connecting, Test 64: Malware Detection Software Installed on Employee Computers is automatically enabled.
Verify the Connection
Go to Connections > Active Connections.
Locate your CrowdStrike connection and select Review Linked Devices.
Devices are matched by serial number:
Devices with matches are linked and marked compliant.
Devices without matches appear unlinked; you can manually link them.
Test 64: Malware Detection Software Installed
This test runs automatically after connecting CrowdStrike. It verifies that the CrowdStrike Falcon agent is installed and active.
To view results, go to the Monitoring page and search for Malware Detection Software Installed on Employee Computers.
If the test fails:
Empty serial number column → device is not linked.
Prevention policy = false → device is unprotected.
You can export failed devices as a CSV.
See Test: Malware Detection Software Installed for remediation steps.
You can also exclude a device from this test by unlinking it.
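The serial-number match and the prevention-policy check described above can be reproduced locally before the connection is reviewed, so unlinked or unprotected devices are found ahead of Test 64. The following is an added example, not Drata's or CrowdStrike's code; it runs on host records already pulled from the Hosts API (read scope), and the field names serial_number and device_policies.prevention.applied are assumed from the Falcon hosts API.

```python
# Pre-check for the Drata <-> CrowdStrike link on constructed sample data.


def normalize_serial(serial: str) -> str:
    """Drata links devices by serial number; strip whitespace and case so
    'c02def456 ' in the MDM and 'C02DEF456' in Falcon still match."""
    return "".join(serial.split()).upper()


def classify_devices(mdm_serials, falcon_hosts):
    """Return {mdm_serial: status} for every MDM/Drata Agent device.
    'linked'      -> serial matches a Falcon host with prevention policy applied
    'unprotected' -> serial matches but prevention policy is not applied
    'unlinked'    -> no Falcon host carries that serial (empty column in Drata)
    """
    # Field names are assumed from the Falcon hosts API; adjust if yours differ.
    by_serial = {}
    for host in falcon_hosts:
        serial = normalize_serial(host.get("serial_number", ""))
        if serial:
            by_serial[serial] = host
    result = {}
    for raw in mdm_serials:
        host = by_serial.get(normalize_serial(raw))
        if host is None:
            result[raw] = "unlinked"
        elif host.get("device_policies", {}).get("prevention", {}).get("applied"):
            result[raw] = "linked"
        else:
            result[raw] = "unprotected"
    return result


# Constructed sample data (not real hosts): one device per outcome.
SAMPLE_MDM_SERIALS = ["C02ABC123", "c02def456 ", "C02GHI789"]
SAMPLE_FALCON_HOSTS = [
    {"hostname": "mac-01", "serial_number": "C02ABC123",
     "device_policies": {"prevention": {"applied": True}}},
    {"hostname": "mac-02", "serial_number": "C02DEF456",
     "device_policies": {"prevention": {"applied": False}}},
]

if __name__ == "__main__":
    for serial, status in classify_devices(SAMPLE_MDM_SERIALS, SAMPLE_FALCON_HOSTS).items():
        print(f"{serial!r}: {status}")
```

Devices reported as unlinked correspond to the empty serial-number column in Test 64 and can be linked manually; unprotected ones need a prevention policy assigned in Falcon.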
Where to View Device Data
Personnel Page → Filter by Device compliance. CrowdStrike data appears under Antivirus.
Assets Page → Filter by Class = Hardware. Device compliance reflects CrowdStrike antivirus data.
Troubleshooting
Manually Link a Device
Go to Connections > Active Connections > Review Linked Devices.
Drata displays a table showing your devices.
If the CrowdStrike device name column is empty, the device is unlinked.
In that column, select the appropriate CrowdStrike device for the Drata device and save your changes.
If all devices are linked but Test 64 still considers them failing, contact Drata Support.