AIDR Overview

You can use AI detection and response (AIDR) to gain visibility into generative AI usage, detect threats, and enforce policies in enterprise environments.

Requirements

Subscriptions

AIDR requires one or more subscriptions:

  • AIDR for Workforce - Monitor AI activity in managed browsers with the Browser collector.
  • AIDR for Agents - Monitor and control AI activity in AI-powered applications and autonomous agents using Application, Agentic, Gateway, Cloud, and OpenTelemetry collectors.

These subscriptions integrate with NextGen SIEM.

Roles and permissions

Default roles:

  • AIDR Admin
    • View AIDR configuration and event logs.
    • View usage, errors, and organization-level activity logs.
    • Manage AIDR configuration, including custom filters, collectors, policies, and alias mappings.
  • AIDR Viewer
    • View AIDR configuration and event logs.

Permissions for custom roles:

  • AI Detection and Response
    • Manage AIDR findings and agent collectors
    • Manage AIDR findings and workforce collectors
    • Read AIDR data from LogScale
    • Read AIDR findings and agent collectors
    • Read AIDR findings and workforce collectors

Supported clouds

AIDR is available in these CrowdStrike clouds:

  • US-1
  • US-2
  • EU-1

Cloud origins

You can access the AIDR console via the AI detection and response link in the CrowdStrike Falcon console using the CrowdStrike cloud-specific URL. The AIDR collectors on your hosts use fully qualified domain names (FQDNs) to communicate over port 443 with the AIDR APIs.

Add these public DNS names to your allowlists if your organization blocks these network communications:

US-1

Falcon console
https://falcon.crowdstrike.com
https://assets.falcon.crowdstrike.com
AIDR APIs and UI
https://api.crowdstrike.com

US-2

Falcon console
https://falcon.us-2.crowdstrike.com
https://assets.falcon.us-2.crowdstrike.com
AIDR APIs and UI
https://api.us-2.crowdstrike.com

EU-1

Falcon console
https://falcon.eu-1.crowdstrike.com
https://assets.falcon.eu-1.crowdstrike.com
AIDR APIs and UI
https://api.eu-1.crowdstrike.com

AIDR documentation

AIDR documentation is shared across all clouds:

https://aidr-docs.crowdstrike.com
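
The following Python check is an added example, not CrowdStrike code. It verifies from a collector host that each allowlisted name resolves and completes a certificate-verified TLS handshake on port 443, and it separates DNS, certificate, and connection failures so the blocking control can be identified. The hostnames come from the lists above; the function names, the injectable `probe` parameter, and direct egress without an explicit HTTP proxy are assumptions of this example.

```python
import socket
import ssl
import sys

# Hostnames copied from the per-cloud lists on this page; all use port 443.
AIDR_HOSTS = {
    "US-1": ["falcon.crowdstrike.com", "assets.falcon.crowdstrike.com",
             "api.crowdstrike.com"],
    "US-2": ["falcon.us-2.crowdstrike.com", "assets.falcon.us-2.crowdstrike.com",
             "api.us-2.crowdstrike.com"],
    "EU-1": ["falcon.eu-1.crowdstrike.com", "assets.falcon.eu-1.crowdstrike.com",
             "api.eu-1.crowdstrike.com"],
}
DOCS_HOST = "aidr-docs.crowdstrike.com"  # shared across all clouds


def tls_probe(host, port=443, timeout=5.0):
    """Resolve, connect, and finish a certificate-verified TLS handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def check_cloud(cloud, probe=tls_probe):
    """Return {host: (ok, detail)} for one cloud's endpoints plus the docs host.

    `probe` is injectable (an assumption of this example) so the failure
    classification can be exercised without network access.
    """
    results = {}
    for host in AIDR_HOSTS[cloud] + [DOCS_HOST]:
        try:
            results[host] = (True, probe(host))
        except socket.gaierror as exc:  # name did not resolve
            results[host] = (False, f"DNS: {exc}")
        except ssl.SSLCertVerificationError as exc:  # often a TLS-inspecting proxy
            results[host] = (False, f"CERT: {exc}")
        except OSError as exc:  # refused, reset, timed out, other TLS errors
            results[host] = (False, f"CONNECT: {exc}")
    return results


if __name__ == "__main__":
    cloud = sys.argv[1] if len(sys.argv) > 1 else "US-1"
    for host, (ok, detail) in check_cloud(cloud).items():
        print(f"{'OK' if ok else 'FAIL':4} {host}:443 {detail}")
```

Run it with the cloud name as the only argument, for example `EU-1`. A `CERT` result means the handshake reached something that presented a certificate the host's trust store does not accept.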

Contact us

To learn more, contact us.

Capabilities

Visibility into AI activity

You can use AIDR collectors to capture AI interactions across browsers, applications, gateways, and cloud platforms. The collected telemetry includes prompts, responses, and metadata (user identities, device information, application context). You can correlate this data in dashboards and detailed logs to gain visibility into AI usage patterns across the organization. You can also view it in CrowdStrike Falcon NextGen SIEM for correlation with endpoint, network, and identity data.

LLM threat detection

You can use AIDR to detect the following risks in generative AI interactions, with optional policy enforcement:

  • Prompt injection and jailbreak attempts - Adversarial prompts designed to manipulate AI behavior or bypass security controls
  • Sensitive data exposure - PII, credentials, financial data, and confidential information in prompts and responses, detected using built-in patterns, natural language processing, and custom definitions
  • Malicious entities - Known malicious URLs, IP addresses, and domains in AI outputs using integrated threat intelligence
  • Toxic and harmful content - Violent, abusive, or harmful content in AI inputs and outputs
  • Language - Language detection with optional use of an allowlist or denylist
  • Topic violations - Configurable content category restrictions

How AIDR works

Collectors

Collectors gather AI telemetry from different parts of the enterprise environment. Each collector type captures AI activity from a specific layer:

  • Browser - Browser extension that captures user interactions with AI provider sites (ChatGPT, Claude, Gemini, and others) in managed browsers
  • Application - SDK and API integration for instrumenting internal applications with inline AI security checks
  • Agentic - MCP (Model Context Protocol) Proxy that captures AI traffic between MCP clients and servers
  • Gateway - Network-layer proxy integration (Kong, LiteLLM, Portkey, and others) that inspects AI traffic at API gateways
  • Cloud - Cloud platform integration that ingests AI-related logs and events from supported platforms (AWS Bedrock)
  • OpenTelemetry - Standardized telemetry instrumentation for collecting AI-related data from applications and services

You can configure collectors for different scenarios depending on deployment location. You can register collectors in the AIDR console and associate them with a security policy.

Policies

You can use AIDR policies to define what to detect and how to respond, then assign policies to collectors. Each policy contains two types of rules:

  • Access rules - Attribute-based conditions that control how requests are processed based on metadata (user identity, device, application ID, and other attributes)
  • Prompt rules - Content-based detectors that inspect prompts and responses for security risks

Each rule can be configured with an action:

  1. Log - Record the interaction without intervention (monitoring mode).
  2. Redact - Detect and replace sensitive content before submission or delivery (transform mode).
  3. Block - Prevent the request from reaching the AI model or user (block mode).

You can configure policies in the AIDR console. See Policy configuration for details.

Visibility and analysis

You can access logs of all collected telemetry, including:

  • Original prompts and AI responses
  • Request metadata (timestamp, user ID, device ID, application ID, collector ID, etc.)
  • Detection results (identified risks, applied actions, redacted content)

You can access logs in the AIDR console through:

  • Data flows and dashboards - Visualizations of AI usage patterns, relationships, detection trends, and policy enforcement outcomes
  • Logs and Findings - Detailed logs of individual AI interactions with detection context and enforcement actions
  • NextGen SIEM integration - AIDR logs in CrowdStrike Falcon NextGen SIEM for correlation with other security telemetry

Use cases

Employee workforce monitoring

Security teams can deploy AIDR to monitor employee use of AI tools in managed enterprise environments. This use case applies to organizations with managed endpoints (via MDM or enterprise tools) and controlled network access (via proxies, secure web gateways, or zero trust solutions).

With AIDR, you can gain visibility into employee AI activity, detect sensitive data exposure and policy violations, and enforce content policies across managed browsers and gateways. Collector deployments may include Browser collectors on managed browsers, Gateway collectors at network proxies, and Cloud collectors for sanctioned cloud AI platforms.

AI application development

Application developers can integrate AIDR into AI-powered applications to implement inline security controls. This use case applies to internally developed AI systems, autonomous agents, customer-facing chatbots, and other AI applications requiring threat detection and policy enforcement.

With AIDR, you can instrument AI-powered applications for logging AI interactions, detecting threats in prompts and responses, and enforcing policies before data reaches AI models or users. Collector deployments may include Application collectors (via SDKs or APIs), Agentic collectors (MCP proxy), Gateway collectors at API boundaries, Cloud collectors for cloud-based AI services, and OpenTelemetry instrumentation for standardized telemetry collection.

Next steps

©2026 CrowdStrike. All rights reserved.