SmiKar Software

Admin Audit Log - Who Changed What


Burrow records every configuration change made through the dashboard, with timestamps, the analyst who made the change, and a before/after diff. The History page is your audit trail for "who disabled the ransomware rule and when?" or "who added this user to the entity exception list?" — both during an incident and during external compliance reviews.

What gets logged

Every action that changes Burrow's behaviour is recorded:

  • Disposition changes — when an analyst marks an alert Real / Not real / Maybe.
  • Posture changes — when an admin switches between Permissive / Relaxed / Balanced / Strict / Paranoid.
  • Per-rule overrides — when an admin sets a custom threshold for a specific rule.
  • Rule enable / disable — when an admin adds or removes a rule from the Disabled rules list.
  • Custom rule additions / edits — when an admin defines or modifies a custom detection rule.
  • Entity exception additions / removals — when an admin silences or unsilences a user pattern.
  • Sensitive-site approvals — when an admin approves an auto-suggested sensitive site, or pins a manual one.
  • Internal-domain pins / excludes — when an admin overrides the auto-learner.
  • Notification settings — when an admin adds / removes email recipients or changes the minimum severity gate.

Read-only views (opening an alert, running a Forage search, browsing the dashboard) are not logged. Only changes are.

Opening the History page

  1. Open the Burrow dashboard.
  2. Click History in the left navigation.

The page lists actions in reverse-chronological order. Each row shows:

  • Timestamp — when the change happened.
  • Analyst — the dashboard account that made the change (their email / UPN).
  • Action — short label (disposition, rule edit, exception add, posture change, etc.).
  • Target — what was changed (an alert key, a rule name, an exception ID, etc.).
  • Diff — click to expand and see the before / after state of the changed field.

Filtering

The filter bar at the top of the page offers three filters:

  • Action type — narrow to one kind of change (e.g. just disposition decisions, or just posture changes).
  • Analyst — narrow to one operator (useful for shift-by-shift review or off-boarding audits).
  • Time range — last 24 hours, last week, last month, or custom.

Pagination controls at the bottom of the table let you navigate to older entries.

Common questions the History page answers

"Who turned off the ransomware rule?"

  • Filter Action type to "rule disable" and review. Each entry has the analyst's identity and timestamp.

"What did our SOC team triage during last week's incident?"

  • Filter Action type to "disposition" and time range to the incident window. Each entry shows which alert was triaged, what the analyst decided, and when.

"Who added user X to the exception list?"

  • Filter Action type to "exception add" and search for the user pattern. The matching entry shows who added the exception, when, and what reason text they provided.

"Has anyone changed the posture in the last quarter?"

  • Filter Action type to "posture change" and time range to the quarter. Each entry shows the analyst, the old posture, and the new posture.

Read-only — by design

The History page can't be edited or deleted from the dashboard. The log is append-only — every change adds an entry, no entry is ever removed. This is what makes it usable as defensible evidence in HR, legal, or external audit settings.

If you need a CSV of a filtered History view for an audit binder, raise a support ticket.
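To make the row fields, the filter bar and the "common questions" above concrete, here is an added example (not Burrow's own code) of a minimal append-only audit log with the same columns, plus the two queries the page walks through: who disabled a rule, and who changed the posture. All entries, account names and the "enabled" field are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, List, Optional, Tuple

@dataclass(frozen=True)
class AuditEntry:
    timestamp: datetime
    analyst: str   # dashboard account that made the change (email / UPN)
    action: str    # short label: "disposition", "rule disable", "exception add", "posture change", ...
    target: str    # what was changed: alert key, rule name, exception pattern, ...
    before: Any    # state of the changed field before the action (the "diff")
    after: Any     # state after the action

class AuditLog:
    """Append-only: entries can be recorded and queried, never edited or removed."""
    def __init__(self) -> None:
        self._entries: List[AuditEntry] = []

    def record(self, ts: datetime, analyst: str, action: str,
               target: str, before: Any, after: Any) -> AuditEntry:
        entry = AuditEntry(ts, analyst, action, target, before, after)
        self._entries.append(entry)
        return entry

    def query(self, action: Optional[str] = None, analyst: Optional[str] = None,
              since: Optional[datetime] = None, until: Optional[datetime] = None) -> List[AuditEntry]:
        """Mirror of the History filter bar (action type, analyst, time range); newest first."""
        rows = [e for e in self._entries
                if (action is None or e.action == action)
                and (analyst is None or e.analyst == analyst)
                and (since is None or e.timestamp >= since)
                and (until is None or e.timestamp <= until)]
        return sorted(rows, key=lambda e: e.timestamp, reverse=True)

def build_sample_log() -> AuditLog:
    """Constructed sample entries for one morning; not real tenant data."""
    def t(hour: int) -> datetime:
        return datetime(2024, 3, 1, hour, 0, tzinfo=timezone.utc)
    log = AuditLog()
    log.record(t(9),  "alice@example.com", "posture change", "tenant",      "Balanced", "Strict")
    log.record(t(10), "bob@example.com",   "rule disable",   "ransomware",  {"enabled": True}, {"enabled": False})
    log.record(t(11), "alice@example.com", "exception add",  "svc-backup*", None, {"reason": "backup service account"})
    log.record(t(12), "carol@example.com", "disposition",    "alert-0042",  "Maybe", "Not real")
    return log

def who_disabled_rule(log: AuditLog, rule: str) -> List[str]:
    """'Who turned off rule X?': analysts whose diff flips the rule from enabled to disabled."""
    return [e.analyst for e in log.query(action="rule disable")
            if e.target == rule and e.before.get("enabled") and not e.after.get("enabled")]

def posture_changes(log: AuditLog, since: Optional[datetime] = None) -> List[Tuple[str, Any, Any]]:
    """'Has anyone changed the posture?': (analyst, old posture, new posture) per entry."""
    return [(e.analyst, e.before, e.after) for e in log.query(action="posture change", since=since)]
```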

Pairs well with the suppression journal

The History page tells you what configuration changed and who changed it. The suppression journal tells you what alerts were skipped and why.

Together they answer "is anything happening in our tenant that the SOC team chose to hide from us?" — the answer being "everything they chose not to email, plus every operator action they took, is logged here."

Need help? support@smikar.com.
