Get Started with AIDR for Workforce
Overview
The AIDR browser collector is a lightweight browser extension that you can install on enterprise-managed endpoints to capture AI interactions in supported browsers and send data to AIDR for visibility and policy enforcement.
You can use the AIDR browser collector to monitor and analyze employee use of web-based AI tools like ChatGPT, Claude, Gemini, and other supported providers in managed enterprise environments. Based on the analysis, you can apply policies to protect your organization from risks identified in user inputs.
This guide covers installing a browser collector by adding the AIDR Chrome browser extension to Google Chrome or Microsoft Edge on your machine. You will:
- Verify the browser collector reaches a successful deployment state.
- View AI activity captured by the collector in the AIDR console event logs.
You can apply this experience when deploying browser collectors at scale using enterprise endpoint management tools.
Requirements
- A customer account in one of the supported CrowdStrike clouds:
- US-1
- US-2
- EU-1
- AIDR for Workforce subscription
- AIDR Admin role explicitly assigned to your Falcon user account for the current customer
- Supported operating system:
- Windows
- macOS
- Admin privileges on user machines to update system-level configuration:
- Registry on Windows
- Configuration profile on macOS
- The browser collector is intended to be used and supported in enterprise-managed environments. The CrowdStrike-hosted browser extension version 1.x.x requires an enterprise-managed machine:
- Enrolled in MDM, such as Intune or Jamf
- Joined to an Active Directory domain
- Registered with Microsoft Entra ID
- Supported browsers:
For quick evaluation and testing, this guide covers deployment of the AIDR Chrome extension on your machine.
You can deploy AIDR browser collectors in organizations with managed endpoints. For production deployment in enterprise environments, use supported device management tools:
- Microsoft Intune (cross-platform)
- Jamf (macOS)
- Chrome Enterprise (browser-specific)
- Group Policy (Windows)
These options are outlined on the collector Install tab in the AIDR console.
The AIDR browser extension must be installed and used independently from the Falcon Sensor.
Register browser collector
- In the Falcon console, click the menu icon and go to AI detection and response > Collectors.
- On the Collectors page, click + Collector.
- Choose Browser as the collector type, then select the browser you want to support (Chrome, Edge) and click Next.
- On the Add a Collector screen:
  - Collector Name - Enter a descriptive name for the collector to appear in dashboards and reports.
  - Logging - Select Log with prompt data, which will enable full analysis by logging:
    - User prompts and AI service responses
    - Request metadata, including available user and AI service information
  - Policy - Select Browser Monitor, which will:
    - Record user activity.
    - Detect risks in AI interactions using pre-configured detectors and save the results in event logs. You can view the configured detectors by following the policy link on the collector details page.
    You can select an existing policy available for this collector type or create policies on the Policies page.
    The selected policy name appears under the dropdown. After you save the collector registration, this label becomes a link to the corresponding policy page.
    You can also select No Policy, Log Only. Without a policy, AIDR records activity for visibility and analysis without applying detection rules.
    Use the assigned policy to determine which detections run on data sent to AIDR. Policies define rules for detecting malicious activity, sensitive data exposure, topic violations, and other risks in AI interactions.
- In the Sites section, leave all AI provider sites set to Use Policy.
  note: You can also use Site Access rules in your browser collector policy to block, redirect, report, or ignore site visits for any domain.
  Site Access policy rules require CrowdStrike-hosted AIDR browser extension version 1.x.x.
  The Sites section lists supported AI provider websites that the extension monitors. You can set each site to one of these modes to apply or override the collector-level policy rules:
  - Use Policy (default) - Apply the collector's policy rules to this site. AIDR analyzes and logs user prompts and AI system responses. AIDR blocks or transforms user prompts according to the policy rules. To review your collector policy rules, find the assigned policy on the Policies page in the AIDR console.
  - Monitor Only - Apply the collector's policy rules to this site in report-only mode. AIDR analyzes and logs user prompts and AI system responses. The user experience isn't affected.
  - Discovery - Skip sending AI traffic to AIDR. Only record that users visited the site.
  - Disabled - Ignore this site entirely. The extension doesn't monitor or log activity on this site.
- Click Save to complete collector registration.
This opens the collector details page, where you can:
- View installation instructions for the collector type on the Install tab.
- Update the collector name, logging preference, and policy assignment.
- Click the policy link to view the policy details.
- View the collector configuration activity logs.
To return to the collector details page later, select your collector from the list on the Collectors page.
Deploy collector
Deploying a browser collector requires two steps:
- Install the browser extension.
- Save AIDR collector configuration in the extension's Managed storage.
Select Install option
On the collector details page in the AIDR console, switch to the Install tab. This tab provides instructions, links, and templates for common deployment methods. The following sections include step-by-step guides for specific methods.
The Self-Service option requires an enterprise-managed machine enrolled in MDM, such as Intune or Jamf, joined to an Active Directory domain, or registered with Azure AD / Entra ID.
Unmanaged machines cannot use this deployment method in Google Chrome.
The Self-Service option lets you quickly evaluate the collector on your own machine before deploying it at scale:
- Introduces the key browser collector deployment steps.
- Requires no additional management tool configuration. Lets you perform installation and configuration steps on your machine using downloadable profiles and scripts.
- Describes extension deployment parameters that also apply to production deployments.
Self-service deployment is intended for testing and evaluation purposes. It isn't a supported option for production deployments.
The first time you select this option, you must acknowledge these limitations in a confirmation dialog before proceeding.
For enterprise environments with device management, follow the instructions for a supported management tool on the Install tab.
Install browser extension
- Install the extension from the Chrome Web Store.
- Download and apply the configuration.
- macOS
Download the configuration profile from the collector's Install tab in the AIDR console.
Example configuration profile (User scope)
This profile populates the extension's managed storage with AIDR credentials. Apply at the User level (User Channel).
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadType</key>
<string>com.google.Chrome.extensions.folndgmoekgkipoolphnkclopeopkecc</string>
<key>PayloadIdentifier</key>
<string>com.crowdstrike.aidr.chrome.config</string>
<key>PayloadUUID</key>
<string>9dd7538f-f46c-482a-91d6-11f87b8f9e6d</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadDisplayName</key>
<string>AIDR Chrome Extension Configuration</string>
<key>urlTemplate</key>
<string>https://api.crowdstrike.com/aidr/aiguard</string>
<key>registrationIdentity</key>
<string>eyJzIj...YiOjF9</string>
<key>userId</key>
<string>{{user-id}}</string>
<key>userFullName</key>
<string>{{user-full-name}}</string>
<key>hostname</key>
<string>replace-with-hostname</string>
</dict>
</array>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadIdentifier</key>
<string>com.crowdstrike.aidr.chrome.config.profile</string>
<key>PayloadUUID</key>
<string>c4d2e6f8-1a3b-5c7d-9e0f-4b6a8c2d0e1f</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadScope</key>
<string>User</string>
<key>PayloadDisplayName</key>
<string>AIDR Chrome Extension Configuration Profile</string>
</dict>
</plist>
Install the profile:
- Double-click the .mobileconfig file.
- Install in System Settings > General > Device Management.
note:
- The exact path may vary depending on your macOS version.
- If a previous profile for this extension exists, remove it first.
- Windows
Download the PowerShell script from the collector's Install tab in the AIDR console.
Example PowerShell script
This script creates the managed storage configuration in the Windows Registry. Run as Administrator.
# Chrome AIDR Extension - Configuration
$ErrorActionPreference = "Stop"
$extensionId = "folndgmoekgkipoolphnkclopeopkecc"
try {
# --- Managed storage configuration ---
$policyPath = "HKLM:\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\$extensionId\policy"
if (-not (Test-Path $policyPath)) {
New-Item -Path $policyPath -Force | Out-Null
}
Set-ItemProperty -Path $policyPath -Name "registrationIdentity" `
-Value "eyJzIj...YiOjF9" `
-Type String -Force
Set-ItemProperty -Path $policyPath -Name "urlTemplate" `
-Value "https://api.crowdstrike.com/aidr/aiguard" `
-Type String -Force
# Use REG_EXPAND_SZ to expand %...% variables at read time
# In multidomain environments, you can use %USERDOMAIN%\%USERNAME%
New-ItemProperty -Path $policyPath -Name "userId" `
-Value "%USERNAME%" -PropertyType ExpandString -Force | Out-Null
New-ItemProperty -Path $policyPath -Name "userFullName" `
-Value "%USERNAME%" -PropertyType ExpandString -Force | Out-Null
New-ItemProperty -Path $policyPath -Name "hostname" `
-Value "%COMPUTERNAME%" -PropertyType ExpandString -Force | Out-Null
# Verify
$config = Get-ItemProperty -Path $policyPath
Write-Output "`nConfiguration applied successfully:"
Write-Output " - registrationIdentity: Set"
Write-Output " - urlTemplate: $($config.urlTemplate)"
Write-Output " - userId: $($config.userId)"
Write-Output " - userFullName: $($config.userFullName)"
Write-Output " - hostname: $($config.hostname)"
Exit 0
} catch {
Write-Error "Failed: $($_.Exception.Message)"
Exit 1
}
Run the script as Administrator to add the configuration to the Registry.
warning: The script modifies only extension-specific key paths in the Windows Registry. As a precaution, back up the registry before running the script.
- Restart the browser.
Fully close and restart your browser. The extension connects to AIDR after the restart.
You can manage the extension on the chrome://extensions page.
The AIDR console pre-populates downloaded configuration files with values from the current session:
- urlTemplate - The AIDR API URL for your CrowdStrike cloud.
- registrationIdentity - Collector-specific credentials.
- userId and userFullName - For macOS, the current AIDR console user's information. If you distribute the configuration file to other users, update the userId and userFullName fields to match the target user's identity. For Windows, the script uses environment variable expansion (%USERNAME%) to populate these fields automatically with the logged-in user's identity.
- hostname - For macOS, populated with a placeholder value. Replace it with the target machine's hostname. For Windows, the script uses environment variable expansion (%COMPUTERNAME%) to populate this field automatically.
In production deployments, set these values dynamically per user with variables in your endpoint management tool or script.
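A pre-distribution check for the macOS profile described above, added here as an example; it is not part of the AIDR console downloads or CrowdStrike tooling. It flags missing required fields and placeholders left in the identity fields. The function names, severity labels, and the rule that treats "..." as an elided value are assumptions of this example.

```python
import plistlib
import re
from urllib.parse import urlparse

REQUIRED = ("registrationIdentity", "urlTemplate")   # missing -> "Invalid configuration"
IDENTITY = ("userId", "userFullName", "hostname")    # optional, drive attribution in logs
# Placeholder shapes taken from the example profile on this page, plus "..." for a
# value copied from documentation with its middle elided (assumed lint rule).
PLACEHOLDER = re.compile(r"\{\{.*?\}\}|^replace-with-|\.\.\.")


def extension_payloads(profile_bytes):
    """Return payload dicts that target a browser extension's managed storage."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if isinstance(p, dict) and ".extensions." in str(p.get("PayloadType", ""))]


def lint_profile(profile_bytes, expected_user_id=None):
    """Return (severity, message) findings. Messages name keys only, never values,
    so the registrationIdentity credential does not leak into CI or ticket logs."""
    try:
        payloads = extension_payloads(profile_bytes)
    except Exception:
        return [("error", "profile is not a parseable plist")]
    if not payloads:
        return [("error", "no extension managed-storage payload found")]
    findings = []
    for p in payloads:
        for key in REQUIRED:
            value = p.get(key)
            if not isinstance(value, str) or not value.strip():
                findings.append(("error", f"{key}: missing or empty"))
            elif PLACEHOLDER.search(value):
                findings.append(("error", f"{key}: placeholder or elided value"))
            elif key == "urlTemplate":
                url = urlparse(value)
                if url.scheme != "https" or not url.hostname:
                    findings.append(("error", "urlTemplate: not an absolute https URL"))
        for key in IDENTITY:
            value = p.get(key)
            if not isinstance(value, str) or not value.strip():
                findings.append(("warn", f"{key}: not set"))
            elif PLACEHOLDER.search(value):
                findings.append(("warn", f"{key}: placeholder left in place"))
        user_id = p.get("userId")
        if expected_user_id and isinstance(user_id, str) and user_id != expected_user_id:
            if not PLACEHOLDER.search(user_id):
                findings.append(("warn", "userId: does not match the target user"))
    return findings


def build_sample(**overrides):
    """Constructed sample profile using the key names from the example above.
    Pass key=None to drop a key; the credential value is a made-up stand-in."""
    payload = {
        "PayloadType": "com.google.Chrome.extensions.folndgmoekgkipoolphnkclopeopkecc",
        "urlTemplate": "https://api.crowdstrike.com/aidr/aiguard",
        "registrationIdentity": "CONSTRUCTED-SAMPLE-CREDENTIAL",
        "userId": "{{user-id}}",
        "userFullName": "{{user-full-name}}",
        "hostname": "replace-with-hostname",
    }
    payload.update(overrides)
    payload = {k: v for k, v in payload.items() if v is not None}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})


if __name__ == "__main__":
    for severity, message in lint_profile(build_sample()):
        print(f"{severity:5} {message}")
```

Errors correspond to values the extension needs to register; warnings mean the extension can still work but events would carry a default, empty, or wrong identity.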
Verify deployment status
Extension status popup
To open the extension status popup:
- If you have pinned the extension to the browser toolbar, click its icon (CrowdStrike AIDR).
- If you haven't pinned the extension, click the puzzle piece icon (Extensions) in the toolbar and select it from the list.
The extension status popup shows:
- CrowdStrike AIDR - Extension vendor and name.
- Version - Semantic version number (for example, 0.6.10). The first two digits indicate major and minor feature releases. The last digit indicates a patch with improvements or bug fixes.
- Device - Unique identifier for this extension instance. This identifier appears in AIDR logs and findings. Reinstalling the extension generates a new device ID. You can find collector instances on the collector details page under the Devices tab.
- UserId - Value from the userId field in the extension's managed storage. If no userId is configured, this field doesn't appear.
- Hostname - Device hostname from the hostname field in the extension's managed storage. If no hostname is configured, this field doesn't appear.
- Current state of the extension, displayed in the top right.
Status progression flow
- Deployment
- Not configured (error)
- Configuration check
- Configured
- Invalid configuration (error)
- Registration
- Error - registration (error)
- Pending approval (action required)
- Site monitoring
- Error - logging (error)
- Ready
- Active
Unsuccessful deployment
Not configured
The extension has no configuration in its managed storage.
- Verify that the configuration profile or registry changes were properly applied to the system.
Check the following OS and browser-specific locations:
- Chrome
  - macOS - Managed preference plist files
    Configuration profile
    plutil -p /Library/Managed\ Preferences/<user>/com.google.Chrome.extensions.gppamppofhecmnlhmhdobepbifmpafmp.plist
    Example configuration
    {
    ...
    "registrationIdentity" => "eyJzIj...YiOjF9"
    "urlTemplate" => "https://api.crowdstrike.com/aidr/aiguard"
    "userFullName" => "<user-full-name>"
    "userId" => "<user-id>"
    "hostname" => "<hostname>"
    }
  - Windows - Registry keys
    Registry keys (machine level)
    Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\gppamppofhecmnlhmhdobepbifmpafmp\policy"
    Registry keys (user-specific)
    Get-ItemProperty -Path "HKCU:\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\gppamppofhecmnlhmhdobepbifmpafmp\policy"
    Example configuration
    urlTemplate : https://api.crowdstrike.com/aidr/aiguard
    registrationIdentity : eyJzIj...I6MX0=
    userId : <user-id>
    userFullName : <user-full-name>
    hostname : <hostname>
    ...
- Edge
  - macOS - Managed preference plist files
    Configuration profile
    plutil -p /Library/Managed\ Preferences/<user>/com.microsoft.Edge.extensions.gppamppofhecmnlhmhdobepbifmpafmp.plist
    Example configuration
    {
    ...
    "registrationIdentity" => "eyJzIj...YiOjF9"
    "urlTemplate" => "https://api.crowdstrike.com/aidr/aiguard"
    "userFullName" => "<user-full-name>"
    "userId" => "<user-id>"
    "hostname" => "<hostname>"
    }
  - Windows - Registry keys
    Registry keys (machine level)
    Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\gppamppofhecmnlhmhdobepbifmpafmp\policy"
    Registry keys (user-specific)
    Get-ItemProperty -Path "HKCU:\SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\gppamppofhecmnlhmhdobepbifmpafmp\policy"
    Example configuration
    urlTemplate : https://api.crowdstrike.com/aidr/aiguard
    registrationIdentity : eyJzIj...I6MX0=
    userId : <user-id>
    userFullName : <user-full-name>
    hostname : <hostname>
    ...
Next steps:
- If you don't see the expected values provided on the collector details page in the AIDR console, Download and apply the collector configuration.
- If the issue persists, contact your IT or system administrator.
- Verify the extension managed storage has been updated.
  - In your browser address bar, go to chrome://extensions (or edge://extensions).
  - Enable Developer mode.
  - In the AIDR extension card, click service_worker.
  - In the DevTools console for the background service worker, switch to the Application tab.
  - Expand Extension storage and click Managed.
  - Verify the storage keys are populated.
  Required fields:
  - registrationIdentity - Encoded credentials the extension uses to authenticate with the AIDR service and obtain an authorization token
  - urlTemplate - AIDR API base URL
  You can find collector-specific values for registrationIdentity and urlTemplate on the Install tab in the AIDR console. Configuration files and templates on the Install tab include these values.
  Optional user identity fields that appear in AIDR event logs:
  - userId - User identifier, such as an email address. Appears in AIDR logs and findings as a top-level field. If not provided, defaults to user_<device-id>.
  - userFullName - User's display name. Appears in AIDR logs and findings under Extra Info. If not provided, defaults to name_<device-id>.
  - hostname - Device hostname. Appears in AIDR logs and findings under Extra Info. If not configured, the value is empty.
  Next steps:
  - If the extension managed storage isn't populated, fully close and restart your browser.
  - If the issue persists, contact your IT or system administrator.
Invalid configuration
The configuration exists but is malformed due to invalid format or missing value for registrationIdentity or urlTemplate.
Next steps:
Error - registration
Device registration failed due to network issues or invalid credentials provided in:
- registrationIdentity
- urlTemplate
Next steps:
- Check network connectivity to the AIDR service.
- Ensure you configured your extension with the correct values from the Install tab on the collector details page. You can check your extension configuration as described for Not configured status. Try to Download and apply the collector configuration again.
Successful registration
Pending approval
The extension instance is registered but awaiting admin activation in the AIDR console.
By default, devices are auto-approved and activated. If auto-approval isn't enabled or this extension instance has been disabled, it remains in this state until activated.
Next steps:
- On the collector details page in the AIDR console, under Devices, find the extension instance by its ID in the list of devices. Click the menu icon in the device row and select Activate.
tip: When activating a collector instance, ensure the device ID shown in the AIDR console matches the one in the extension status popup.
Error - logging
The extension is registered but can't send monitoring data from a provider site to the AIDR service. Connectivity issues are the most common cause.
Next steps:
- Check network connectivity to the AIDR service.
Successful deployment
After successful installation and configuration, the status progresses to:
Configured
The extension loaded a valid configuration but hasn't obtained an access token yet. This normal transitional state occurs during extension startup. It progresses to Ready automatically within minutes if the configuration values are valid.
Invalid configuration values result in Unsuccessful deployment.
Ready
The extension is configured, authenticated, and ready to monitor supported AI sites. No activity has been detected yet.
Active
The extension is operational and monitors AI interactions when the user interacts with a supported provider site.
Verify data flow
A deployed collector captures user input and AI service responses on supported provider sites.
The collector sends this data to AIDR.
AIDR evaluates the data against your collector policy rules and logs the results.
If the collector's Logging is set to Log with prompt data, the logs include the user input and AI response.
Provider website
Visit a supported provider site (for example, ChatGPT or Claude) and start interacting with the chat application.
Browser UI
Depending on the collector policy, the AIDR collector visibly alters the user experience in the browser:
- If No Policy, Log Only is assigned, or all policy rule actions are set to Alert and Report, the AIDR collector produces no visible effects.
- If your policy rules include blocking or data-transforming actions, you may see blocked or redacted prompts when a rule matches. Responses may also look unexpected when sensitive values were redacted before reaching the AI system.
Next steps:
If you don't see AIDR policies applied to the user input:
- Check Input Rules for the policy assigned to your collector.
tip: To identify your extension instance:
- Match the extension urlTemplate value and the AIDR cloud domain.
- Switch to the correct customer account in the Falcon console (CID).
- Select the correct collector on the Collectors page in the AIDR console.
- Match the device ID in the extension status popup with the registered device listed on the collector details page under Devices.
Extension DevTools
In the extension DevTools, confirm that the extension is active and sending data to AIDR:
- In your browser address bar, go to chrome://extensions (or edge://extensions).
- Enable Developer mode.
- In the AIDR extension card, click service_worker to open its developer tools.
- In DevTools, switch to the Network tab.
- Check for outbound requests to and responses from the AIDR APIs while you interact with a supported AI provider.
You may see the following request names:
- check - Authenticating with the AIDR service and obtaining an authorization token
- guard_chat_completions - Sending user input or AI system response to AIDR for analysis
Click a request row to inspect the collector payload under the Payload tab and AIDR API responses under the Preview and Response tabs.
tip: For details about payloads and responses, see the AIDR APIs documentation.
Next steps:
If you don't observe network traffic to AIDR APIs from the correctly configured extension, possible causes include:
- Changes on the provider site - Contact AIDR support.
- Your machine policies blocking extension functionality - Contact your IT or system administrator.
AIDR console
In the AIDR console, review detailed event logs, visualize them in a Sankey dashboard, and view associated metrics.
Data appears in AIDR only when users visit and interact with AI provider sites. Installing the extension alone doesn't create data flow.
View detailed logs
Click Findings in the top menu to review events processed by AIDR. Identify your collector logs by attributes associated with the collector and provider, for example:
- COLLECTOR TYPE - (for example, Chrome)
- APPLICATION NAME - Provider service name (for example, ChatGPT)
- COLLECTOR NAME - Name you gave to your collector
- TIME - Time of the request
These columns show AIDR processing results:
- STATUS - Policy decision:
  - Allowed - No risks were detected, and the user prompt or AI system response is allowed by AIDR.
  - Reported - Risks were detected and logged, but the user prompt or AI system response is allowed by AIDR.
  - Blocked - Risks were detected, and AIDR responded with a blocked result. Blocking actions set in policy rules are automatically enforced in Browser, MCP, and (depending on configuration) Gateway collectors.
  - Alerted - A blocked result was logged but not enforced in Report Only mode.
  - Transformed - Sensitive data or malicious references were detected and redacted or defanged. The user prompt or AI system response was allowed with the transformed data.
- FINDINGS - Detector(s) that identified risks. If AIDR detected no risks and allowed the request, No detections is displayed.
Expand each event log to see additional details, including:
- User prompt or AI response data - If the collector's Logging is set to Log with prompt data, the event logs contain:
- Guard Input - Original prompt or response submitted to AIDR
- Guard Output - Processed response, present only if the data was transformed; otherwise, null
- Metadata associated with the request, including:
- User - Username saved in the extension managed storage
- AIGuard Config
- policy - Policy assigned to the collector
- Findings - Detailed detections report
- Extra Info
- app_name - Provider website application name
- user_name - User's full name saved in the extension managed storage
- site_url - Provider website location
To refresh the event log table, click the reload icon.
Learn more about the Findings page in the Logs & Findings documentation.
Visualize your data
Click Visibility in the top menu to explore patterns in AIDR-processed AI data flows and associated metrics.
In the interactive Sankey diagram, you can visualize relationships between entities captured in event logs. Select up to three attributes from the event metadata. For example, connect User Name - Application Name - Status to see which users visited which AI providers and the AIDR outcomes.
Learn more about visualizing AI flows, supported metadata attributes, and metrics dashboards in the Data Flows & Dashboards documentation.
Uninstall collector
When you're done testing, remove the browser extension and its configuration.
- Remove the browser extension in your browser's extension manager.
- Remove the system configuration:
  - macOS - Remove the configuration profile in System Settings > General > Device Management > Profiles. The exact path may vary depending on your macOS version.
  - Windows - Remove the managed storage registry keys.
    warning: This modifies the Windows Registry. You can make a registry backup before proceeding. If you're unsure how to back up the Registry, contact your IT or system administrator.
    Run this command in a PowerShell session as Administrator:
    Remove extension configuration
    Remove-Item -Path "HKLM:\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\folndgmoekgkipoolphnkclopeopkecc" -Recurse -ErrorAction SilentlyContinue
    Verify that no references to the extension remain:
    Verify extension removal
    reg query "HKLM\SOFTWARE\Policies\Google\Chrome" /s /f "folndgmoekgkipoolphnkclopeopkecc"
    Expected output:
    End of search: 0 match(es) found.
Next steps
- View collected data on Visibility and Findings pages. Analyze it in Next-Gen SIEM to decide on further implementation steps.
- Determine which policy to apply:
  - Start with monitoring policies and report actions.
  - Apply protection to identified risks by enforcing blocking and data transformation actions based on your organization’s AI usage guidelines.
- Learn more about collector types and deployment options in the Collectors documentation.