AIDR - Site Access Rules - Control website access in browser collector policies

Site Access Rules

Use site access rules to block, redirect, report, or ignore visits to sites monitored by the browser collector.

Requirements

Site Access management requires the CrowdStrike-hosted browser extension version 1.x.x.

The Chrome Web Store edition version 0.6.x doesn't support Site Access. To migrate to the CrowdStrike-hosted extension, see:

How rules execute

AIDR evaluates rules in the order they appear. Each rule matches the visited site against its site collection and applies the configured action.

Ignore, Block, and Redirect stop execution.
Report and Continue proceed to the next rule.
A site can accumulate multiple report detections before a terminal action.
If no terminal action matches, AIDR implicitly allows the site.
After site access evaluation completes, prompt inspection applies to supported sites.

Actions

Action	Behavior	Execution
`Continue`	Proceed to next rule without logging	Continues
`Ignore`	Allow access without logging or prompt inspection	Stops
`Report`	Log access as a detection, continue to next rule	Continues
`Block`	Block access and display a custom block message	Stops
`Redirect`	Redirect to a specified URL	Stops

Configure site access rules

Go to the policy details page for a browser collector policy.
Open the Site Access tab.
Click + Add Site Access Rule.
Configure the rule:
- If - Select a site collection.
- Then - Select an action. A gear icon indicates that an action requires additional input:
  - Block - Enter a custom block message.
  - Redirect - Enter the destination URL.
- Else - Select a fallback action (Continue or another action).
Reorder rules by dragging them with the six-dot handle on the left.
Click Save Changes.

Site collections

Site collections group sites into reusable sets shared across your AIDR browser collector policies.

Select site collection

In the If dropdown, select a site collection.

Create site collection

In the If dropdown, click + Create New Site Collection.
In the Creating Shared Site Collection dialog, enter a collection name.
Select sites from the catalog. The catalog includes CrowdStrike-provided GenAI sites and custom sites you've added.
Search or filter by category to find sites.
(Optional) Enable auto-sync on a category to include all its sites automatically.
Click Create.

Edit site collection

Click Edit Site Collection in a rule. Changes apply to all policies that reference that collection.

note:

Site collection changes, such as adding or removing sites, may take up to one hour to take effect. The browser extension checks for monitored site updates on an hourly cycle.

Default sites

The Generative AI collection includes CrowdStrike-provided sites by default. You can't delete or modify these sites. To view the site details, hover over a site row and click the eye icon.

Add custom sites

To add a site that isn't in your CID catalog:

In the Creating Shared Site Collection dialog, click + Site.
In the Create Site dialog, enter the site properties:
- Site Name (required)
- Description (optional)
- Category (required)
- Domains (required) - One or more domains. For each domain, select a match type:
  - Domain Is - Match the exact domain only.
  - Domain or Subdomain Is - Match the domain and all its subdomains. AIDR records the domain with a wildcard prefix, like *.example.com.

Edit or delete custom sites

In the Creating Shared Site Collection and Editing Shared Site Collection dialogs, custom sites display a comment icon.

Hover over a custom site row to see available options:

Hover over the comment icon to view the site description.
Click the pencil icon to edit the custom site.
Click the delete icon to delete the custom site.

Prompt Rules

Prompt rules execute only if site access evaluation allows access to the site. If access rules block, redirect, or ignore a site, prompt inspection doesn't run for that site.

Click the Prompt inspection is applied to <n> inspection sites button.

Hover over the button to view the Prompt Inspection Sites popup with inspected sites.
Click the button to open the Prompt Inspection Sites panel.

The panel lists supported sites that receive prompt inspection and sites excluded by access rules. Sites excluded by an access rule display a Blocked by access rule label.

If access rules exclude sites from prompt inspection, a warning appears at the bottom of the panel:

warning:
<n> sites are blocked by access rules and will not have prompt inspection applied. Review your site access rules above if this is unintended.

To configure prompt rules, see Prompt Rules .

Compare to collector site settings

On the collector Config page, in the Sites section, you can configure how policy rules apply to each supported AI provider domain. Select Use Policy, Monitor Only, Discovery, or Disabled for each domain.

With the browser extension version 1.x.x, you can apply site access rules to any domain. You can map collector site settings to site access rules:

Collector site setting	Site access rule equivalent
`Use Policy`	No rule needed. Prompt inspection applies by default.
`Monitor Only`	No rule needed. Enable Report Only Mode on the policy for equivalent behavior. This mode applies to all sites in the policy.
`Discovery`	`Report` followed by `Ignore`. Two rules targeting the same collection are required: `Report` is non-terminal and logs the visit, while `Ignore` stops evaluation and prevents prompt inspection.
`Disabled`	`Ignore`

Site Access Rules​

Requirements​

How rules execute​

Actions​

Configure site access rules​

Site collections​

Select site collection​

Create site collection​

Edit site collection​

Default sites​

Add custom sites​

Edit or delete custom sites​

Prompt Rules​

Compare to collector site settings​