Structura.io
Compliance Monitoring · Scheduled trigger · 5 actions

CrowdStrike + Okta EDR Compliance Validation

Daily check that every Okta-enrolled employee has a CrowdStrike agent running on their device.

Integrates with
Okta, CrowdStrike Falcon, Slack

Overview

A scheduled compliance playbook that cross-references every active Okta user against the list of devices enrolled in CrowdStrike Falcon. Any user without a running EDR agent is flagged in a daily Slack report so the IT and security teams can follow up. Essential for maintaining security baselines and proving compliance for audits.

Who this is for: SecOps and IT compliance teams enforcing EDR coverage across Okta-managed workforces

Why automate this

EDR coverage gaps are invisible until an incident happens. This playbook makes them visible every day, turning a passive control into an active compliance metric. Useful for SOC 2, ISO 27001, and CMMC audits that require demonstrable EDR enforcement.

How it works

  1. Scheduled trigger runs every morning at 7am

  2. Fetch all active Okta users and their associated device serial numbers

  3. Query the CrowdStrike Falcon API for enrolled device IDs

  4. Compare the two lists to find users without agents

  5. Format a compliance report with user names, emails, and device details

  6. Post the report to a Slack compliance channel with non-compliant count

  7. Track trends over time by logging metrics to your monitoring store
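
The comparison and report steps above, sketched as an added example (not Structura's playbook code). It makes no API calls: the user and host records are constructed, simplified stand-ins whose field names are assumptions, and the 7-day "running" window is likewise an assumption.

```python
from datetime import datetime, timedelta, timezone
STALE_AFTER = timedelta(days=7)  # assumption: "running" means seen within 7 days

def norm(serial):
    # Inventories disagree on case and padding; normalise before joining.
    return (serial or "").strip().upper()

def find_gaps(okta_users, falcon_hosts, now):
    """Return (email, serial, reason) for each active user's uncovered device."""
    last_seen = {}
    for host in falcon_hosts:
        serial = norm(host.get("serial_number"))
        if serial:
            seen = datetime.fromisoformat(host["last_seen"])
            last_seen[serial] = max(seen, last_seen.get(serial, seen))
    gaps = []
    for user in okta_users:
        if user["status"] != "ACTIVE":
            continue
        serials = [norm(s) for s in user.get("device_serials", []) if norm(s)]
        if not serials:  # nothing to match on: surface it rather than pass silently
            gaps.append((user["email"], None, "no device on record"))
        for serial in serials:
            if serial not in last_seen:
                gaps.append((user["email"], serial, "no agent enrolled"))
            elif now - last_seen[serial] > STALE_AFTER:
                gaps.append((user["email"], serial, "agent not seen recently"))
    return gaps

def report(gaps):
    lines = [f"EDR compliance: {len({g[0] for g in gaps})} non-compliant user(s)"]
    lines += [f"- {email} | {serial or 'n/a'} | {reason}" for email, serial, reason in gaps]
    return "\n".join(lines)

# Constructed sample data (not real users, serials, or hosts)
NOW = datetime(2024, 5, 10, 7, 0, tzinfo=timezone.utc)
OKTA_USERS = [
    {"email": "ana@example.com", "status": "ACTIVE", "device_serials": ["c02abc123 "]},
    {"email": "bo@example.com", "status": "ACTIVE", "device_serials": ["C02DEF456"]},
    {"email": "cy@example.com", "status": "ACTIVE", "device_serials": []},
    {"email": "di@example.com", "status": "ACTIVE", "device_serials": ["C02GHI789"]},
    {"email": "ed@example.com", "status": "DEPROVISIONED", "device_serials": ["C02JKL000"]},
]
FALCON_HOSTS = [
    {"serial_number": "C02ABC123", "last_seen": "2024-05-10T06:30:00+00:00"},
    {"serial_number": "C02GHI789", "last_seen": "2024-04-20T09:00:00+00:00"},
]
if __name__ == "__main__":
    print(report(find_gaps(OKTA_USERS, FALCON_HOSTS, NOW)))
```

Users with no device on record are reported rather than skipped, since a missing serial number would otherwise count as compliant by default.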

Impact

  • Daily visibility into EDR coverage across the entire workforce

  • Audit-ready compliance evidence for SOC 2 and ISO 27001

  • Catches forgotten devices, offboarded users, and agent failures

  • Self-service remediation via Slack notifications

Bring this playbook into your SOC

See Deployer Workflows in action with a live walkthrough of this playbook. We'll show you how to connect your SIEM, EDR, and ticketing tools in under 15 minutes.
