Get Started with AIDR

AIDR (AI detection and response) helps you monitor AI usage, detect threats, and enforce policies in enterprise environments. AI traffic is sent to AIDR APIs for processing, and each response includes a report with policy decisions made according to the configuration defined in the AIDR console. All events are logged; you can visualize and inspect them in the AIDR console and analyze them in CrowdStrike Next-Gen SIEM.

In this guide, you will open the AIDR console and explore sample data on the Visibility page.

Requirements

Before getting started with AIDR, ensure you have:

  • A customer account in one of the following CrowdStrike clouds:

    • US-1
    • US-2
    • EU-1
  • At least one of the Falcon AIDR subscriptions:

    • AIDR for Workforce - Monitor AI activity in managed browsers with the Browser collector.
    • AIDR for Agents - Monitor and control AI activity in AI-powered applications and autonomous agents using Application, Agentic, Gateway, Cloud, and OpenTelemetry collectors.
  • An AIDR role explicitly assigned to your Falcon user for the current customer account. The default roles include:

    • AIDR Admin
      • View AIDR configuration and event logs.
      • View usage, errors, and organization-level activity logs.
      • Manage AIDR configuration, including custom filters, collectors, policies, and alias mappings.
    • AIDR Viewer
      • View AIDR configuration and event logs.

Open AIDR console

In the Falcon console, click Open menu and go to AI detection and response > Visibility.

Visualize sample data

Before you ingest your own data, you can explore a sample dataset on the Visibility page to see how AIDR visualizes relationships between applications, actors, collectors, and other entities found in AI-related events.

AIDR presents event data on the Visibility page through interactive diagrams, charts, and dashboards.

These visualizations help you see how AI is used across your organization, surface risky usage patterns, and monitor the effectiveness of AI policies and controls.

Once you begin ingesting your own data, it will appear on the Visibility page instead of the sample dataset. You can use the Visualize Sample Data option in the filters dropdown to switch back to the sample data view while you build up real-world coverage.

Data flows

The interactive Sankey diagram on the Visibility page helps you visualize event data by connecting different attributes. This view helps you explore relationships and patterns across your AI activity.

This view supports pattern recognition, anomaly detection, and risk exposure mapping. It helps answer questions such as:

  • Which providers or models dominate usage patterns?
  • Are unapproved providers or models being used, and through which applications?
  • Which users are accessing which applications and models, and at what volume?
  • How do different collector types contribute to observed traffic?
  • Are there unexpected or unusually high-volume flows from unapproved applications or users?

Below are example use cases and corresponding three-node Sankey configurations for common AI activity patterns:

| Use Case | Attributes | Description |
|---|---|---|
| Employee AI usage; Use of unapproved providers; Potential data exposure; Shadow AI discovery | User - Application - Provider | Shows employees' AI provider usage through different applications. Helps uncover unsanctioned tools or traffic observed by browser collectors. |
| Active AIDR coverage; Potential gaps in visibility | Application - Collector Type - Model | Identifies which applications are monitored, by which collector types, and which models they access. |
| Collector deployments | Application - Collector Type - Collector | Verifies that collector instances are deployed correctly and cover intended applications. |

Tip:
  • Hover over elements in the diagram to view metrics and see the breakdown by detection type.
  • Use the View next 10 + and View previous - buttons to scroll through nodes when more data is available than can fit on the screen.
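
To see what a three-node configuration such as User - Application - Provider aggregates, the sketch below builds the same link counts offline and lists flows that end at an unapproved provider. It is an added example, not CrowdStrike code or the AIDR API; the event field names, the sample events, and the approved-provider list are constructed assumptions.

```python
from collections import Counter

# Constructed sample events. Field names are hypothetical, not the AIDR event schema.
SAMPLE_EVENTS = [
    {"user": "alice", "application": "browser-chat", "provider": "ProviderA"},
    {"user": "alice", "application": "browser-chat", "provider": "ProviderA"},
    {"user": "bob", "application": "browser-chat", "provider": "ProviderB"},
    {"user": "bob", "application": "notes-plugin", "provider": "ProviderB"},
    {"user": "bob", "application": "notes-plugin", "provider": "ProviderB"},
    # Agent traffic with no user attribute: grouped under "unknown", not dropped.
    {"application": "support-agent", "provider": "ProviderA"},
]

APPROVED_PROVIDERS = {"ProviderA"}  # assumption: your organization's allowlist


def sankey_links(events, attributes):
    """Count events flowing between each adjacent pair of attributes."""
    links = Counter()
    for event in events:
        values = [event.get(attr) or "unknown" for attr in attributes]
        for i in range(len(attributes) - 1):
            source = f"{attributes[i]}:{values[i]}"
            target = f"{attributes[i + 1]}:{values[i + 1]}"
            links[(source, target)] += 1
    return links


def unapproved_paths(events, approved):
    """Return (user, application, provider) paths to unapproved providers, by volume."""
    paths = Counter()
    for event in events:
        provider = event.get("provider") or "unknown"
        if provider not in approved:
            user = event.get("user") or "unknown"
            application = event.get("application") or "unknown"
            paths[(user, application, provider)] += 1
    return paths.most_common()


if __name__ == "__main__":
    for (source, target), count in sankey_links(
        SAMPLE_EVENTS, ["user", "application", "provider"]
    ).items():
        print(f"{source} -> {target}: {count}")
    for path, count in unapproved_paths(SAMPLE_EVENTS, APPROVED_PROVIDERS):
        print("unapproved:", " -> ".join(path), f"({count} events)")
```
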

Dashboards

The dashboards on the Visibility page provide additional insight into AI traffic patterns and potential risk exposure.

Quick filters

You can quickly apply filters by clicking these elements on the Visibility page:

  • DETECTIONS (button) - Limit the data to events that triggered a detection defined in your policies. Click ACTIVITY to remove this filter and return to the full event view.
  • Date range dropdown - Select a predefined time range from the dropdown next to the search bar. You can also use Set custom range to define and apply your own interval.
  • Attribute nodes - Click any node in the Sankey diagram or the Visibility dashboard to filter by that specific attribute value. For example, clicking a user node filters the data to only show events involving that user.
  • Policy Detections - Click a detection type in the Policy Detections dashboard to show only events that triggered that detection.
  • Active Collectors - Click a collector type in the Active Collectors dashboard to show only events collected by that type.

Choose your path

Select the guide that matches your AIDR subscription and use case:

Monitor Employee AI Usage (AIDR for Workforce)

  • Use case - Monitor and control employee use of web-based AI tools like ChatGPT, Claude, Gemini, and others in managed enterprise environments.
  • Target audience - Security teams, CISOs, compliance officers managing employee endpoints
  • What you'll deploy - Browser collector via managed browser extensions

Get started with AIDR for Workforce

Build AI Applications (AIDR for Agents)

  • Use case - Integrate security controls into AI-powered applications, autonomous agents, and internal AI systems.
  • Target audience - AI application developers and architects
  • What you'll deploy - Application, Agentic, Gateway, Cloud, or OpenTelemetry collectors.

Get started with AIDR for Agents

©2026 CrowdStrike. All rights reserved.
