SmiKar Software

Configuring Alert Email Recipients

Burrow sends email when an alert fires, when an Investigation is opened, when a daily pattern escalation triggers, or when the weekly executive briefing is generated. The Settings page → Notifications tab is where you configure who gets which emails, with three gates that control volume.

Opening the Notifications tab

  1. Open the Burrow dashboard → Settings in the left navigation.
  2. Click the Notifications tab.

The three gates

Together these control how much email each recipient gets. Set them deliberately on day 1, then revisit after a week.

Minimum severity

The severity floor below which alerts do not email. Options: Low, Medium, High, Critical.

  • Low — every alert emails. Useful only in a war-room or pen-test scenario where you want to see everything.
  • Medium (recommended day-1 starting point) — Medium, High, and Critical email. Low and Info are dashboard-only.
  • High — only High and Critical email. Use after a week of tuning if Medium volume is too much for your team to triage.
  • Critical — only Critical emails. Reserved for "page someone immediately" scenarios.

Rules mode

Controls whether all rule categories email, or only a chosen subset.

  • All (recommended day-1) — every rule category at or above the minimum severity emails.
  • Selected — only rule categories on a per-recipient include list email. Use this once you know which categories matter most to which team members (e.g. the compliance lead only wants exfil + tampering categories).

Weekly briefing toggle

When on, recipients get the auto-generated weekly executive briefing every Monday morning. Independent of the per-alert gate above — a recipient with Min severity = Critical and Weekly briefing = on still gets the Monday briefing.

Adding recipients

In the Recipients list:

  1. Click Add recipient.
  2. Enter the email address.
  3. Set the three gates per the above guidance.
  4. Save.

Burrow's email step picks up the new recipient on the next cycle (within a minute).

Removing or editing recipients

Each row in the recipients list has Edit and Delete buttons. Edits take effect on the next email cycle; deletes stop the recipient from getting any further emails.

Both actions are logged on the History page.

Other fields on the Notifications tab

  • From address localpart — the part before the @. The domain is fixed at @smikar.com. Example: burrow-alerts makes emails arrive from burrow-alerts@smikar.com. Pick something your team will recognise.
  • Dashboard URL — the URL that "Open in dashboard" links in emails should point to. Pre-filled with your tenant's Burrow URL; only change if it is wrong.
  • Tenant display name — used in email subject lines (e.g. [HIGH] data_exfiltration_high - tenant: Cloudweir).
  • Test send — sends a one-line test email to all recipients using the current From / Dashboard / Display name configuration. Use it to confirm everything is wired correctly before relying on it for real alerts.

A typical day-1 setup

For most tenants:

  1. Add 2 to 4 SOC operators as recipients. Min severity = Medium, Rules mode = All, Weekly briefing = on.
  2. Add 1 management / compliance lead as a recipient. Min severity = High or Critical (whatever they will actually read), Rules mode = All, Weekly briefing = on.
  3. Run Test send once. Confirm everyone received the test.

After a week of live alerts:

  • If SOC operators are overwhelmed, tighten Min severity to High.
  • If the management lead never gets emails, they are at the right gate.
  • Consider switching Rules mode to Selected per recipient if specific categories are noisy.
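
Before tightening Min severity or switching recipients to Selected, it is worth checking that no alert type is left without any recipient. The following is an added example, not Burrow's own code: it models the Minimum severity and Rules mode gates as described on this page and lists the category/severity pairs that would email nobody. Field names, category names and addresses are constructed; the weekly briefing and the downstream pipeline suppressions are not modelled.

```python
# Added illustration: models the per-recipient gates as this page describes them.
# Not Burrow code; field names, category names and addresses are constructed.
from dataclasses import dataclass, field

SEVERITIES = ["Info", "Low", "Medium", "High", "Critical"]  # ascending order


@dataclass
class Recipient:
    email: str
    min_severity: str            # Low, Medium, High or Critical
    rules_mode: str = "All"      # "All" or "Selected"
    include: set = field(default_factory=set)  # consulted only when Selected


def would_email(r, severity, category):
    """True if both per-alert gates pass for this recipient."""
    if SEVERITIES.index(severity) < SEVERITIES.index(r.min_severity):
        return False             # below the recipient's severity floor
    return r.rules_mode == "All" or category in r.include


def coverage_gaps(recipients, categories, floor="Medium"):
    """(category, severity) pairs at or above floor that email nobody."""
    levels = SEVERITIES[SEVERITIES.index(floor):]
    return [(c, s) for c in categories for s in levels
            if not any(would_email(r, s, c) for r in recipients)]


# Constructed configuration: the SOC operator was tightened to High and moved
# to Selected; the compliance lead only wants exfil and tampering at Critical.
RECIPIENTS = [
    Recipient("soc1@example.com", "High", "Selected", {"exfil", "priv_esc"}),
    Recipient("compliance@example.com", "Critical", "Selected",
              {"exfil", "tampering"}),
]
CATEGORIES = ["exfil", "tampering", "priv_esc", "recon"]

if __name__ == "__main__":
    for category, severity in coverage_gaps(RECIPIENTS, CATEGORIES, "High"):
        print(f"no recipient for {severity} {category}")
```

Any pair it reports is dashboard-only for every recipient, so either add the category to someone's include list or keep at least one recipient on Rules mode = All.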

How the gates interact with the rest of Burrow's pipeline

Even with permissive gates here, alerts are still subject to the broader email pipeline before being sent: an entity exception can suppress them, the AI triage step can mark them not-real (which suppresses by default), cooldown prevents the same user-and-category emailing twice within an hour, and a consolidated Investigation card or daily escalation can pre-empt per-alert emails.

See How an alert flows through Burrow for the full email-decision chain.

Need help? support@smikar.com.