Drata

CrowdStrike is an Endpoint Detection and Response (EDR) platform that provides real-time threat detection, automated response, and forensic investigation. Connecting CrowdStrike to Drata allows you to collect antivirus and device health compliance evidence for your devices.

Connect only one CrowdStrike account per Drata workspace.

Install CrowdStrike Falcon on all devices you want Drata to monitor.

Create a CrowdStrike API client with the following scope:

Set up an MDM connection in Drata (e.g., Jamf, Intune, Kandji) or install the Drata Agent on devices

- Provides the device serial numbers Drata needs to link with CrowdStrike.

- Connect only one CrowdStrike account per Drata workspace.
- Install CrowdStrike Falcon on all devices you want Drata to monitor.
- Create a CrowdStrike API client with the following scope:
 - Hosts permission with Read enabled.
- Set up an MDM connection in Drata (e.g., Jamf, Intune, Kandji) or install the Drata Agent on devices
 - Provides the device serial numbers Drata needs to link with CrowdStrike.

___________________________________________________________

Log in to your CrowdStrike Falcon admin console.

Go to Support and Resources &gt; Resources and Tools &gt; API Clients and Keys.

In the API Clients and Keys window, select OAuth2 API Clients &gt; Create API Client.

- Name: Drata Integration
- Description: (optional)

Enable Read for the Hosts permission.

- Client ID
- Client Secret
- Base URL (depends on your CrowdStrike cloud region, e.g. <code>https://api.crowdstrike.com</code>, <code>https://api.us-2.crowdstrike.com</code>, or <code>https://api.eu-1.crowdstrike.com</code>).

1. Log in to your CrowdStrike Falcon admin console.
2. Go to Support and Resources &gt; Resources and Tools &gt; API Clients and Keys.
3. In the API Clients and Keys window, select OAuth2 API Clients &gt; Create API Client.
4. Enter:
 - Name: Drata Integration
 - Description: (optional)
5. Enable Read for the Hosts permission.
6. Save and copy the generated values:
 - Client ID
 - Client Secret
 - Base URL (depends on your CrowdStrike cloud region, e.g. <code>https://api.crowdstrike.com</code>, <code>https://api.us-2.crowdstrike.com</code>, or <code>https://api.eu-1.crowdstrike.com</code>).

In Drata, go to Connections (left navigation).

Select the Available Connections tab.

Search for CrowdStrike and click Connect.

1. In Drata, go to Connections (left navigation).
2. Select the Available Connections tab.
3. Search for CrowdStrike and click Connect.
4. Enter the values from your API client:
 - Base URL
 - Client ID
 - Client Secret
5. Select Save Connection.

After connecting, Test 64: Malware Detection Software Installed on Employee Computers is automatically enabled.

Go to Connections &gt; Active Connections.

Locate your CrowdStrike connection and select Review Linked Devices.

1. Go to Connections &gt; Active Connections.
2. Locate your CrowdStrike connection and select Review Linked Devices.

Devices with matches are linked and marked compliant.

Devices without matches appear unlinked; you can manually link them.

- Devices with matches are linked and marked compliant.
- Devices without matches appear unlinked; you can manually link them.

Test 64: Malware Detection Software Installed

This test runs automatically after connecting CrowdStrike. It verifies that the CrowdStrike Falcon agent is installed and active.

To view results, go to the Monitoring page and search for Malware Detection Software Installed on Employee Computers.

- Empty serial number column → device is not linked.
- Prevention policy = false → device is unprotected.

See Test: Malware Detection Software Installed for remediation steps.

- To view results, go to the Monitoring page and search for Malware Detection Software Installed on Employee Computers.
- If the test fails:
 - Empty serial number column → device is not linked.
 - Prevention policy = false → device is unprotected.
- You can export failed devices as a CSV.
- See Test: Malware Detection Software Installed for remediation steps.

You can also exclude devices from this test by:

<a href="https://help.drata.com/en/articles/8157137-personnel-exclusion">Excluding the associated Personnel</a>, or

- <a href="https://help.drata.com/en/articles/8157137-personnel-exclusion">Excluding the associated Personnel</a>, or
- Unlinking the device.

Personnel Page → Filter by Device compliance. CrowdStrike data appears under Antivirus.

- Personnel Page → Filter by Device compliance. CrowdStrike data appears under Antivirus.

Assets Page → Filter by Class = Hardware. Device compliance reflects CrowdStrike antivirus data.

- Assets Page → Filter by Class = Hardware. Device compliance reflects CrowdStrike antivirus data.

Go to Connections &gt; Active Connections &gt; Review Linked Devices.

Drata displays a table showing your devices.

If the CrowdStrike device name column is empty, the device is unlinked.

In that column, select the appropriate CrowdStrike device for the Drata device and save your changes.

1. Go to Connections &gt; Active Connections &gt; Review Linked Devices.
2. Drata displays a table showing your devices.
3. If the CrowdStrike device name column is empty, the device is unlinked.
4. In that column, select the appropriate CrowdStrike device for the Drata device and save your changes.

If all devices are linked but Test 64 still considers them failing, contact Drata Support.

CrowdStrike Connection (EDR)

Home

Contact Sales

Support

Find answers and get help from Intercom Support and Community Experts

This site employs cookies and other technologies that we and our third party vendors use to monitor and record personal information about you and your interactions with the site (including content viewed, cursor movements, screen recordings, and chat contents) for the purposes described in our Cookie Policy. By continuing to visit our site, you agree to our {websiteTermsLink}, {privacyPolicyLink} and {cookiePolicyLink}.

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

We use cookies to make our site work and also for analytics and advertising purposes. You can enable or disable optional cookies as desired. See our {cookiePolicyLink} for more details.

Advertising cookies are set by our advertising partners to collect information about your use of the site, our communications, and other online services over time and with different browsers and devices. They use this information to show you ads online that they think will interest you and measure the ads' performance. Social media cookies are set by social media platforms to enable you to share content on those platforms, and are capable of tracking information about your activity across other online services for use as described in their privacy policies.

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

These cookies are necessary for the website to function and cannot be switched off in our systems.

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.

You have the right to opt out of the sale of your personal information. See our {cookiePolicyLink} for more details about how we use your data.

Your Privacy Choices

We use cookies to enhance your experience. You can customize your cookie preferences below. See our {cookiePolicyLink} for more details.

Cookie Settings

Link, Press control-option-right-arrow to exit

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

CrowdStrike Connection (EDR)

Prerequisites

Create an API Client in CrowdStrike

Connect CrowdStrike in Drata

Verify the Connection

Test 64: Malware Detection Software Installed

Where to View Device Data

Troubleshooting