Ingest CrowdStrike detection findings

  • Latest Dynatrace
  • Extension
  • Published May 18, 2026

This page aligns with the new Grail security events table. For the complete list of updates and actions needed to accomplish the migration, follow the steps in the Grail security table migration guide.

Ingest endpoint detection findings from the CrowdStrike Falcon platform into Dynatrace as security events. Dynatrace enriches each finding with runtime context from the affected hosts, so you can filter and prioritize detections that affect production systems.

Get started

Overview

The integration ingests detection findings from CrowdStrike Endpoint Security (part of the CrowdStrike Falcon platform) into Dynatrace. Findings are stored as security events alongside vulnerabilities and threats from other sources, which lets you analyze and prioritize them in a single place.

Use cases

With the ingested data, you can accomplish various use cases, such as:

  • Visualize and analyze security findings
  • Discover coverage gaps in security findings
  • Automate and orchestrate security findings

Requirements

CrowdStrike requirements

  • A CrowdStrike Falcon Enterprise subscription (or higher) for the security capabilities used by this integration, including:

    • Endpoint Detection and Response
  • CrowdStrike API client (OAuth2) credentials for authentication. The API client must be granted the following API scopes:

    • Alerts: Read

Dynatrace requirements

  • ActiveGate version 1.310+ that must

    • Run the Extensions 2.0 framework
    • Reach the CrowdStrike APIs
  • Permissions: For required permissions, open Hub, select Extensions, then open the Technical information tab.

  • Generate an access token with the openpipeline.events_security scope and save it for later. For details, see Dynatrace API - Tokens and authentication.

Activation and setup

  1. In Dynatrace, open Hub.

  2. Look for CrowdStrike and select Install.

  3. Follow the on-screen instructions to configure the extension.

  4. To verify the configuration, run the following query in Notebooks:

    fetch security.events
    | filter dt.system.bucket == "default_securityevents"
    | filter event.provider == "CrowdStrike"
        AND event.type == "DETECTION_FINDING"

  5. After installation, you can access and manage the extension in Extensions. For details, see About Extensions.

Details

How it works

How ingest of CrowdStrike detection findings works

The integration runs as an extension on Dynatrace ActiveGate. After you enable and configure the extension:

  1. It periodically polls the CrowdStrike APIs for detection findings.
  2. Dynatrace maps the fetched data to the Dynatrace Semantic Dictionary.
  3. Dynatrace stores the data in the default_securityevents bucket (for details, see Built-in Grail buckets).

Licensing and cost

For billing information, see Events powered by Grail.

FAQ

Which CrowdStrike products does Dynatrace integrate with?

This integration ingests detection findings from the following product:

  • CrowdStrike Endpoint Detection and Response

Which data model is used for the security events coming from CrowdStrike?

Detection finding events store the individual detection findings per affected endpoint, represented by a CrowdStrike resource.

Which CrowdStrike security findings does Dynatrace import?

The integration ingests endpoint detections from CrowdStrike Endpoint Detection and Response.

  • On the first ingest, Dynatrace fetches detections generated in the last m days, where m is set by the Security events initial fetch time window option in the monitoring configuration.

  • On subsequent runs, the extension checks for new detections every n minutes, where n is set by the Security events ingest frequency option in the monitoring configuration.

  • Only new and updated findings are ingested.

Which extension fields are added to the core fields of events ingested from CrowdStrike?

The crowdstrike namespace is added for CrowdStrike-specific attributes on top of the core security event schema. The full upstream payload is stored in event.original_content.

Example fields:

  • crowdstrike.agent_id: Unique identifier of the CrowdStrike Falcon agent (sensor) installed on the affected host.
  • crowdstrike.cid: Customer ID (CID) that uniquely identifies the CrowdStrike Falcon tenant/account.
  • crowdstrike.confidence: Confidence level indicating how certain CrowdStrike is that the detected activity is malicious.
  • crowdstrike.prevention_policy_id: Unique identifier of the prevention policy associated with the detection event.
  • crowdstrike.prevention_policy_name: Name of the CrowdStrike prevention policy applied to the endpoint where the detection occurred.
  • crowdstrike.priority_value: Numeric severity or priority score assigned to the detection by CrowdStrike.
  • crowdstrike.type: CrowdStrike-assigned category for the detection (for example, the type of alert or detection event).

How is risk score normalized for CrowdStrike detections?

Dynatrace normalizes severity and risk scores for all findings ingested through this integration. This helps you prioritize findings consistently, regardless of their source. For details, see Severity and score normalization.

  • dt.security.risk.level is mapped from the CrowdStrike severity (finding.severity) returned by the detection API.

  • dt.security.risk.score is normalized from the CrowdStrike detection score (0-100) onto the Dynatrace 10-point risk scale using a weighted severity mapping.

CrowdStrike score    dt.security.risk.level     dt.security.risk.score
80-100               Critical -> CRITICAL       9.0-10.0
60-79                High -> HIGH               7.0-8.9
40-59                Medium -> MEDIUM           4.0-6.9
20-39                Low -> LOW                 0.1-3.9
0-19                 Informational -> NONE      0.0
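The following is an added worked example, not code from the extension or from Dynatrace, showing how the band table above turns a CrowdStrike detection score (0-100) into a dt.security.risk.level and a dt.security.risk.score on the 10-point scale. The page gives the band boundaries but not the weighting inside a band; this example assumes linear interpolation within each band, and the sample detections are constructed for illustration.

```python
"""Normalize CrowdStrike detection scores onto the Dynatrace 10-point risk scale.

Added example, not the extension's own implementation. Band boundaries follow
the table on this page; linear interpolation inside a band is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Band:
    cs_low: int        # lower bound of the CrowdStrike score band (inclusive)
    cs_high: int       # upper bound of the CrowdStrike score band (inclusive)
    level: str         # resulting dt.security.risk.level
    dt_low: float      # lower bound of the dt.security.risk.score range
    dt_high: float     # upper bound of the dt.security.risk.score range


# Bands as listed on this page, highest first.
BANDS = (
    Band(80, 100, "CRITICAL", 9.0, 10.0),
    Band(60, 79, "HIGH", 7.0, 8.9),
    Band(40, 59, "MEDIUM", 4.0, 6.9),
    Band(20, 39, "LOW", 0.1, 3.9),
    Band(0, 19, "NONE", 0.0, 0.0),
)


def normalize(score):
    """Return (risk_level, risk_score) for a CrowdStrike score in 0..100.

    The level comes straight from the band. The 10-point score is placed
    inside the band's range proportionally to where the input sits in the
    CrowdStrike band (assumption: linear within band), rounded to one decimal.
    """
    if not 0 <= score <= 100:
        raise ValueError(f"CrowdStrike score out of range: {score}")
    for band in BANDS:
        if band.cs_low <= score <= band.cs_high:
            span = band.cs_high - band.cs_low
            frac = (score - band.cs_low) / span if span else 0.0
            risk_score = band.dt_low + frac * (band.dt_high - band.dt_low)
            return band.level, round(risk_score, 1)
    raise AssertionError("bands do not cover 0..100")  # unreachable by construction


def prioritize(detections):
    """Attach normalized fields to constructed detection records and sort
    them highest risk first, mirroring how a triage view would order them."""
    enriched = []
    for det in detections:
        level, risk = normalize(det["crowdstrike_score"])
        enriched.append({**det,
                         "dt.security.risk.level": level,
                         "dt.security.risk.score": risk})
    return sorted(enriched, key=lambda d: d["dt.security.risk.score"], reverse=True)


# Constructed sample input (not real CrowdStrike data).
SAMPLE_DETECTIONS = [
    {"id": "det-a", "host": "web-01", "crowdstrike_score": 50},
    {"id": "det-b", "host": "db-01", "crowdstrike_score": 90},
    {"id": "det-c", "host": "build-03", "crowdstrike_score": 10},
    {"id": "det-d", "host": "api-02", "crowdstrike_score": 79},
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_DETECTIONS):
        print(row["id"], row["host"], row["dt.security.risk.level"],
              row["dt.security.risk.score"])
```

A score of exactly 80 lands on the lower edge of the CRITICAL range (9.0), 100 on its upper edge (10.0), and anything from 0 to 19 collapses to NONE with a score of 0.0, matching the table; the interpolation in between is the only part the page does not pin down.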

Related topics

  • OpenPipeline
  • Dynatrace Query Language
  • Security events