What is Burrow?
Burrow is the security and audit layer inside the Squirrel product family from Smikar Software. It watches activity across your Microsoft 365 tenant — specifically SharePoint Online and Entra ID (formerly Azure Active Directory) — and surfaces only what's worth a human looking at.
If Squirrel itself is about storage and archive (file lifecycle), Burrow is about visibility and detection (what people are doing, and whether any of it looks dangerous).
For pricing, a demo, or a sales conversation, see the Burrow product page on smikar.com. This wiki is the technical documentation — start with the Quick tour if you have already deployed.
What Burrow does
Burrow pulls Microsoft 365 audit data on a regular cycle and runs it through three stages:
- A deterministic rules engine — checks counts, ratios, geographies, and thresholds against your detection posture. This is the source of truth for every alert. Numbers in an alert are real because they come straight from the audit feed.
- A UEBA (user-and-entity behavioural analytics) layer — compares each user's activity today against their own past patterns and against their peer group.
- An AI narration step — turns the deterministic facts into readable prose for analysts and executives. A safety check verifies every number the AI writes against the source data, and falls back to a plain template if anything doesn't match.
Every detection lands in the Burrow dashboard with a severity (critical, high, medium, low, info), a MITRE ATT&CK technique ID, the evidence that triggered it, and an AI-written "why this matters" summary.
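The safety check on the AI narration step described above can be sketched as follows. This is an added example, not Smikar's or Burrow's code; the function names, field names and sample alert are assumptions constructed for illustration.

```python
import re
from decimal import Decimal

# Standalone numeric tokens only: digits glued to letters (the "1530" in
# "T1530") are skipped, and thousands separators are accepted.
NUM = re.compile(r"(?<![\w.])(?:\d{1,3}(?:,\d{3})+|\d+)(?:\.\d+)?(?!\w)")

def numbers_in(text):
    """Return every standalone number in the text as a Decimal."""
    return [Decimal(m.group().replace(",", "")) for m in NUM.finditer(text)]

def unverified_numbers(narrative, facts):
    """Numbers the narrative states that are not values in the rule output."""
    allowed = {Decimal(str(v)) for v in facts.values()
               if isinstance(v, (int, float))}
    return [n for n in numbers_in(narrative) if n not in allowed]

def plain_template(facts):
    """Deterministic fallback built only from the rule engine's fields."""
    return (f"{facts['user']} downloaded {facts['downloads']} files from "
            f"{facts['sites']} sites; the user's daily baseline is "
            f"{facts['baseline']}.")

def safe_summary(narrative, facts):
    """Return (text, source): the AI text if every number checks out,
    otherwise the plain template."""
    if unverified_numbers(narrative, facts):
        return plain_template(facts), "template"
    return narrative, "ai"

# Constructed sample data (hypothetical field names, not real Burrow output).
FACTS = {"user": "j.doe@example.com", "technique": "T1530",
         "downloads": 1204, "sites": 3, "baseline": 40}
GOOD = ("j.doe@example.com pulled 1,204 files across 3 sites, far above a "
        "baseline of 40 per day (T1530).")
BAD = "j.doe@example.com pulled 1,240 files across 3 sites (T1530)."

if __name__ == "__main__":
    for text in (GOOD, BAD):
        print(safe_summary(text, FACTS))
```

This sketch checks only that each number in the narrative appears somewhere in the rule output, not that it is attached to the right field.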
Where Forage fits
Forage is the cross-entity activity search tool inside the same dashboard. Where Burrow asks "is anything wrong?", Forage answers "what did this person do?". You type a user, a date range, optionally a site or file pattern, and Forage returns the raw event log — every download, share, permission change, and access — drawn from the same audit data that powers Burrow's rules.
Auditors use Forage for HR and legal investigations. SOC analysts use it to flesh out an alert's context. Compliance officers use it to satisfy "did this person ever access X" questions.
Where it sits in Squirrel
Burrow and Forage are sold as part of the Squirrel umbrella. The same Squirrel product also covers file archival to Azure Blob — that's documented separately under the file-archive guides. The two halves run on the same infrastructure but address different problems and have separate dashboards.
What you provide vs what Smikar provides
Burrow is a fully managed service from Smikar. There is no Burrow infrastructure for you to deploy, maintain, or patch.
- You access Burrow through a web browser. There is no software your team needs to install on their devices.
- Your audit data lives in your own Azure storage account. You provide the storage account; Burrow writes backups and offloads older audit data there. Your data, your tenant, your control — there is no lock-in, and you can revoke access at any time.
- One-time Entra ID consent. Your global admin grants Burrow a read-only security app to pull Microsoft 365 audit data. The app has no write access to your tenant.
Everything else — the detection engine, the AI narration, the dashboard, the email delivery — is run and maintained by Smikar.
Who Burrow is for
Burrow is built for organisations that already run a Microsoft 365 tenant and want to:
- Detect malicious or anomalous activity in SharePoint and Entra ID without standing up a full SIEM
- Answer auditor and compliance questions about historical user activity quickly
- Reduce alert fatigue by letting deterministic rules plus AI triage filter noise before it reaches the SOC
If you have a security operations function (in-house or outsourced) and a SharePoint estate worth protecting, Burrow gives you a focused, evidence-first surface for it.
Next steps
- Quick tour of the dashboard — see what each screen does.
- Who uses what — match your team's roles to the right workflows.
- Glossary — the Burrow vocabulary in one place.
- First-week onboarding checklist — recommended reading order for a new Burrow deployment.
Need help? Email support@smikar.com.