AIDR API Reference

Base URL

https://api.crowdstrike.com/aidr/aiguard

• AIDR Documentation
• OpenAPI Specification

post/v1/guard_chat_completions

cURL

curl -sSLX POST 'https://api.crowdstrike.com/aidr/aiguard/v1/guard_chat_completions' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

This endpoint cannot be called through the documentation site

Guard LLM Chat Completions

POST

https://api.crowdstrike.com/aidr/aiguard/v1/guard_chat_completions

Analyze and redact content to avoid manipulation of the model, addition of malicious content, and other undesirable data transfers.

required parameters

guard_input

object

'messages' contains Prompt content and role array in JSON format. The content is the multimodel text or image input that will be analyzed. Additional properties such as 'tools' may be provided for analysis.

Click 'Save' to use the value

'messages' contains Prompt content and role array in JSON format. The content is the multimodel text or image input that will be analyzed. Additional properties such as 'tools' may be provided for analysis.

optional parameters

app_id

string

Id of source application/agent

app_id

app_id

Id of source application/agent

user_id

string

User/Service account id/service account

user_id

user_id

User/Service account id/service account

llm_provider

string

Underlying LLM. Example: 'OpenAI'.

llm_provider

llm_provider

Underlying LLM. Example: 'OpenAI'.

model

string

Model used to perform the event. Example: 'gpt'.

model

model

Model used to perform the event. Example: 'gpt'.

model_version

string

Model version used to perform the event. Example: '3.5'.

model_version

model_version

Model version used to perform the event. Example: '3.5'.

source_ip

string

IP address of user or app or agent.

source_ip

source_ip

IP address of user or app or agent.

source_location

string

Location of user or app or agent.

source_location

source_location

Location of user or app or agent.

tenant_id

string

For gateway-like integrations with multi-tenant support.

tenant_id

tenant_id

For gateway-like integrations with multi-tenant support.

span_id

string

Unique identifier for the span in distributed tracing, used to track and correlate AI events across the request lifecycle.

span_id

span_id

Unique identifier for the span in distributed tracing, used to track and correlate AI events across the request lifecycle.

event_type

string

(default: "input")

(AIDR) Event Type.

​

(AIDR) Event Type.

collector_instance_id

string

(AIDR) collector instance id.

collector_instance_id

collector_instance_id

(AIDR) collector instance id.

extra_info

object

(AIDR) Logging schema.

(AIDR) Logging schema.

app_name

string

Name of source application/agent.

app_name

app_name

Name of source application/agent.

app_group

string

The group of source application/agent.

app_group

app_group

The group of source application/agent.

app_version

string

Version of the source application/agent.

app_version

app_version

Version of the source application/agent.

user_name

string

Name of subject actor/service account.

user_name

user_name

Name of subject actor/service account.

user_group

string

The group of subject user/actor.

user_group

user_group

The group of subject user/actor.

source_region

string

Geographic region or data center.

source_region

source_region

Geographic region or data center.

sub_tenant

string

Sub tenant of the user or organization

sub_tenant

sub_tenant

Sub tenant of the user or organization

mcp_tools

array<object>

Each item groups tools for a given MCP server.

Click 'Save' to use the value

Each item groups tools for a given MCP server.

server_name

string

MCP server name

• minLength: 1

server_name

server_name

MCP server name

• minLength: 1

tools

array<string>

• minItems: 1

Click 'Save' to use the value

• minItems: 1

input_fpe_context

string (base64)

FPE (Format Preserving Encryption) context from a previous guard request. When provided, the encrypted input will be unredacted before processing.

input_fpe_context

input_fpe_context

FPE (Format Preserving Encryption) context from a previous guard request. When provided, the encrypted input will be unredacted before processing.

Response Fields

Response Schema

object

Pangea standard response schema

Pangea standard response schema

result

object

guard_output

object

Updated structured prompt.

Updated structured prompt.

blocked

boolean

Whether or not the prompt triggered a block detection.

Whether or not the prompt triggered a block detection.

transformed

boolean

Whether or not the original input was transformed.

Whether or not the original input was transformed.

policy

string

The Policy that was used.

The Policy that was used.

detectors

object

Result of the policy analyzing and input prompt.

Result of the policy analyzing and input prompt.

malicious_prompt

object

detected

boolean

Whether or not the Malicious Prompt was detected.

Whether or not the Malicious Prompt was detected.

data

object

Details about the analyzers.

Details about the analyzers.

action

string

The action taken by this Detector

The action taken by this Detector

analyzer_responses

array<object>

Triggered prompt injection analyzers.

Triggered prompt injection analyzers.

analyzer

string

confidence

number

confidential_and_pii_entity

object

detected

boolean

Whether or not the PII Entities were detected.

Whether or not the PII Entities were detected.

data

object

Details about the detected entities.

Details about the detected entities.

entities

array<object>

Detected redaction rules.

Detected redaction rules.

action

string

The action taken on this Entity

The action taken on this Entity

type

string

value

string

start_pos

integer

• minimum: 0

• minimum: 0

malicious_entity

object

detected

boolean

Whether or not the Malicious Entities were detected.

Whether or not the Malicious Entities were detected.

data

object

Details about the detected entities.

Details about the detected entities.

entities

array<object>

Detected harmful items.

Detected harmful items.

type

string

value

string

start_pos

integer

• minimum: 0

• minimum: 0

raw

object

custom_entity

object

detected

boolean

Whether or not the Custom Entities were detected.

Whether or not the Custom Entities were detected.

data

object

Details about the detected entities.

Details about the detected entities.

entities

array<object>

Detected redaction rules.

Detected redaction rules.

action

string

The action taken on this Entity

The action taken on this Entity

type

string

value

string

start_pos

integer

• minimum: 0

• minimum: 0

secret_and_key_entity

object

detected

boolean

Whether or not the Secret Entities were detected.

Whether or not the Secret Entities were detected.

data

object

Details about the detected entities.

Details about the detected entities.

entities

array<object>

Detected redaction rules.

Detected redaction rules.

action

string

The action taken on this Entity

The action taken on this Entity

type

string

value

string

start_pos

integer

• minimum: 0

• minimum: 0

competitors

object

detected

boolean

Whether or not the Competitors were detected.

Whether or not the Competitors were detected.

data

object

Details about the detected entities.

Details about the detected entities.

action

string

The action taken by this Detector

The action taken by this Detector

entities

array<string>

Detected entities.

Detected entities.

language

object

detected

boolean

Whether or not the Languages were detected.

Whether or not the Languages were detected.

data

object

Details about the detected languages.

Details about the detected languages.

action

string

The action taken by this Detector

The action taken by this Detector

languages

array<object>

language

string

confidence

number (float)

• minimum: 0

• maximum: 1

• minimum: 0

• maximum: 1

topic

object

detected

boolean

Whether or not the Topics were detected.

Whether or not the Topics were detected.

data

object

Details about the detected topics.

Details about the detected topics.

action

string

The action taken by this Detector

The action taken by this Detector

topics

array<object>

List of topics detected

List of topics detected

topic

string

confidence

number

emoji

object

detected

boolean

Whether or not any emojis were detected.

Whether or not any emojis were detected.

data

object

Details about the detected emojis.

Details about the detected emojis.

action

string

The action taken by this Detector

The action taken by this Detector

emojis

array<object>

slug

string

char

string

code

object

detected

boolean

Whether or not the Code was detected.

Whether or not the Code was detected.

data

object

Details about the detected code.

Details about the detected code.

action

string

The action taken by this Detector

The action taken by this Detector

language

string

mcp_validation

object

detected

boolean

Whether or not MCP validation issues were detected

Whether or not MCP validation issues were detected

data

object

Details about the detected MCP validation issues

Details about the detected MCP validation issues

action

string

The action taken by this Detector

The action taken by this Detector

entities

array<object>

Detected MCP validation issues

Detected MCP validation issues

type

string

The type of MCP validation issue detected

The type of MCP validation issue detected

analyzer

string

The analyzer that detected the issue

The analyzer that detected the issue

confidence

number

Confidence score of the detection

Confidence score of the detection

value

string

The value that triggered the detection

The value that triggered the detection

similarity

number (float)

Similarity score between tool descriptions

Similarity score between tool descriptions

access_rules

object

Result of the recipe evaluating configured rules

Result of the recipe evaluating configured rules

Pattern Property: ^.*$

object

Details about the evaluation of a single rule, including whether it matched, the action to take, the rule name, and optional debugging information.

Details about the evaluation of a single rule, including whether it matched, the action to take, the rule name, and optional debugging information.

detected

boolean

Whether this rule detected.

Whether this rule detected.

matched

boolean

Whether this rule's logic evaluated to true for the input.

Whether this rule's logic evaluated to true for the input.

exclude_prompt_content

boolean

Whether this rule resulted in prompt content being excluded from the logged event.

Whether this rule resulted in prompt content being excluded from the logged event.

action

string

The action resulting from the rule evaluation. One of 'allowed', 'blocked', or 'reported'.

The action resulting from the rule evaluation. One of 'allowed', 'blocked', or 'reported'.

name

string

A human-readable name for the rule.

A human-readable name for the rule.

logic

object

The JSON logic expression evaluated for this rule.

The JSON logic expression evaluated for this rule.

attributes

object

The input attribute values that were available during rule evaluation.

The input attribute values that were available during rule evaluation.

fpe_context

string (base64)

If an FPE redaction method returned results, this will be the context passed to unredact.

If an FPE redaction method returned results, this will be the context passed to unredact.

request_id

string

A unique identifier assigned to each request made to the API. It is used to track and identify a specific request and its associated data. The request_id can be helpful for troubleshooting, auditing, and tracing the flow of requests within the system. It allows users to reference and retrieve information related to a particular request, such as the response, parameters, and raw data associated with that specific request.

"request_id":"prq_x6fdiizbon6j3bsdvnpmwxsz2aan7fqd"

A unique identifier assigned to each request made to the API. It is used to track and identify a specific request and its associated data. The request_id can be helpful for troubleshooting, auditing, and tracing the flow of requests within the system. It allows users to reference and retrieve information related to a particular request, such as the response, parameters, and raw data associated with that specific request.

"request_id":"prq_x6fdiizbon6j3bsdvnpmwxsz2aan7fqd"

request_time

string

The timestamp indicates the exact moment when a request is made to the API. It represents the date and time at which the request was initiated by the client. The request_time is useful for tracking and analyzing the timing of requests, measuring response times, and monitoring performance metrics. It allows users to determine the duration between the request initiation and the corresponding response, aiding in the assessment of API performance and latency.

"request_time":"2022-09-21T17:24:33.105Z"

The timestamp indicates the exact moment when a request is made to the API. It represents the date and time at which the request was initiated by the client. The request_time is useful for tracking and analyzing the timing of requests, measuring response times, and monitoring performance metrics. It allows users to determine the duration between the request initiation and the corresponding response, aiding in the assessment of API performance and latency.

"request_time":"2022-09-21T17:24:33.105Z"

response_time

string

Duration it takes for the API to process a request and generate a response. It represents the elapsed time from when the request is received by the API to when the corresponding response is returned to the client.

"response_time":"2022-09-21T17:24:34.007Z"

Duration it takes for the API to process a request and generate a response. It represents the elapsed time from when the request is received by the API to when the corresponding response is returned to the client.

"response_time":"2022-09-21T17:24:34.007Z"

status

string

It represents the status or outcome of the API request made for IP information. It indicates the current state or condition of the request and provides information on the success or failure of the request.

"status":"success"

It represents the status or outcome of the API request made for IP information. It indicates the current state or condition of the request and provides information on the success or failure of the request.

"status":"success"

summary

string

Provides a concise and brief overview of the purpose or primary objective of the API endpoint. It serves as a high-level summary or description of the functionality or feature offered by the endpoint.

Provides a concise and brief overview of the purpose or primary objective of the API endpoint. It serves as a high-level summary or description of the functionality or feature offered by the endpoint.

post/v1/unredact

cURL

curl -sSLX POST 'https://api.crowdstrike.com/aidr/aiguard/v1/unredact' \
-H 'Authorization: Bearer <your_token>' \
-H 'Content-Type: application/json' \
-d '{}'

This endpoint cannot be called through the documentation site

Unredact text or structured JSON

POST

https://api.crowdstrike.com/aidr/aiguard/v1/unredact

Decrypt or unredact fpe redactions

required parameters

redacted_data

Data to unredact

Click 'Save' to use the value

Data to unredact

fpe_context

string (base64)

FPE context used to decrypt and unredact data

fpe_context

fpe_context

FPE context used to decrypt and unredact data

Response Fields

Response Schema

object

Pangea standard response schema

Pangea standard response schema

result

object

data

The unredacted data

The unredacted data

request_id

string

A unique identifier assigned to each request made to the API. It is used to track and identify a specific request and its associated data. The request_id can be helpful for troubleshooting, auditing, and tracing the flow of requests within the system. It allows users to reference and retrieve information related to a particular request, such as the response, parameters, and raw data associated with that specific request.

"request_id":"prq_x6fdiizbon6j3bsdvnpmwxsz2aan7fqd"

A unique identifier assigned to each request made to the API. It is used to track and identify a specific request and its associated data. The request_id can be helpful for troubleshooting, auditing, and tracing the flow of requests within the system. It allows users to reference and retrieve information related to a particular request, such as the response, parameters, and raw data associated with that specific request.

"request_id":"prq_x6fdiizbon6j3bsdvnpmwxsz2aan7fqd"

request_time

string

The timestamp indicates the exact moment when a request is made to the API. It represents the date and time at which the request was initiated by the client. The request_time is useful for tracking and analyzing the timing of requests, measuring response times, and monitoring performance metrics. It allows users to determine the duration between the request initiation and the corresponding response, aiding in the assessment of API performance and latency.

"request_time":"2022-09-21T17:24:33.105Z"

The timestamp indicates the exact moment when a request is made to the API. It represents the date and time at which the request was initiated by the client. The request_time is useful for tracking and analyzing the timing of requests, measuring response times, and monitoring performance metrics. It allows users to determine the duration between the request initiation and the corresponding response, aiding in the assessment of API performance and latency.

"request_time":"2022-09-21T17:24:33.105Z"

response_time

string

Duration it takes for the API to process a request and generate a response. It represents the elapsed time from when the request is received by the API to when the corresponding response is returned to the client.

"response_time":"2022-09-21T17:24:34.007Z"

Duration it takes for the API to process a request and generate a response. It represents the elapsed time from when the request is received by the API to when the corresponding response is returned to the client.

"response_time":"2022-09-21T17:24:34.007Z"

status

string

It represents the status or outcome of the API request made for IP information. It indicates the current state or condition of the request and provides information on the success or failure of the request.

"status":"success"

It represents the status or outcome of the API request made for IP information. It indicates the current state or condition of the request and provides information on the success or failure of the request.

"status":"success"

summary

string

Provides a concise and brief overview of the purpose or primary objective of the API endpoint. It serves as a high-level summary or description of the functionality or feature offered by the endpoint.

Provides a concise and brief overview of the purpose or primary objective of the API endpoint. It serves as a high-level summary or description of the functionality or feature offered by the endpoint.

Status Codes

Status	Status Code	Description
InactiveDevice	200	Device is not active.
TokenDeletionFailed	200	Failed to delete device attached token.
AIDRDisputeExists	400	Disputed issue already exists.
AIDRFieldAliasExists	400	Field alias already exists.
AIDRListExists	400	List already exists.
AIDRPolicyExists	400	Policy already exists.
BadLSSearch	400	The search query is invalid.
CSPLogTooLarge	400	CSP log is too large.
ConfigurationSettingsExists	400	Configuration settings already exists.
DeviceExists	400	Device already exists.
InvalidAIDRDisputeState	400	Invalid disputed issue state transition.
InvalidAIDRFieldAlias	400	Field alias does not exist.
InvalidAIDRListContent	400	Unsupported List content.
InvalidAIDRListType	400	Unsupported List type.
InvalidAIDRPolicy	400	Unsupported Policy content.
InvalidCollectorType	400	The operation is not available for this collector type
InvalidConfigurationSettings	400	Invalid configuration settings.
InvalidDevice	400	Device does not exist.
InvalidDeviceId	400	The operation is made with invalid device id
InvalidSavedFilter	400	Saved filter does not exist.
InvalidSearchId	400	The search id is invalid because it has either already been completed and the results have been retrieved, or the search request does not exist.
MissingAIDRDispute	400	Disputed issue does not exist.
MissingAIDRList	400	List does not exist.
MissingAIDRPolicy	400	Policy does not exist.
MissingConfigurationSettings	400	Configuration settings does not exist.
SavedFilterExists	400	Saved filter already exists.
UnsupportedAIDRPolicyVersion	400	Unsupported Policy version.
InvalidCID	403	CID is either invalid or missing.
UnAuthorizedLSSearch	403	User or Service Account are not authorized.
InvalidLSServiceAccount	500	Invalid service account user.