SmiKar Software

Email Types Burrow Sends

Burrow sends four kinds of email. Knowing which kind you have received — and which kind suppresses which other kind — is the difference between reading the email correctly and getting confused about "why did I get THIS specific email?". This page is the reference.

The four types

1. Per-alert email

When sent: any individual rule fires AND the alert's severity is at or above your Minimum severity gate AND none of the suppression layers (described below) skipped it.

Body contents:

  • AI "why this matters" paragraph (2 to 4 sentences).
  • Key metrics table (deterministic evidence: counts, bytes, distinct files / sites / geographies).
  • Top evidence (a sample of the underlying audit events).
  • Link to the alert in the dashboard.

Subject pattern: [SEVERITY] category_name - user.upn@example.com

2. Consolidated incident card

When sent: the incident correlation engine detects a cluster of related alerts on the same identity within a short window (default at least 3 alerts spanning at least 2 distinct rule families within 30 minutes) AND the cluster's severity is at or above your Minimum severity gate.

Body contents:

  • Header with severity, identity, and time-span of the cluster.
  • AI attack-chain narrative — one paragraph describing the pattern across all constituent alerts.
  • Timeline of the constituent alerts (time, severity, category, summary for each).
  • Link to the Investigation in the dashboard.

Effect on per-alert emails: the per-alert emails for the cluster's constituent alerts are pre-empted. You get ONE email (the incident card) instead of N raw per-alert emails for the same cluster.
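The clustering rule above (at least 3 alerts, at least 2 distinct rule families, within 30 minutes, on one identity) can be modelled in a few lines. The following is an added example, not Burrow's own correlation engine: the alert tuple shape, the greedy scan, and the sample alerts are all assumptions made for illustration. It returns the clusters that would become one incident card and the alerts that would still go out as individual per-alert emails.

```python
"""Added example: a minimal model of the incident-correlation clustering rule
(default: >= 3 alerts spanning >= 2 distinct rule families within 30 minutes
on the same identity). Alert shape and scan strategy are assumptions."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
MIN_ALERTS = 3
MIN_FAMILIES = 2


def find_clusters(alerts, window=WINDOW, min_alerts=MIN_ALERTS, min_families=MIN_FAMILIES):
    """alerts: iterable of (identity, rule_family, fired_at) tuples (assumed shape).

    Greedy scan per identity: the earliest alert whose forward window qualifies
    starts a cluster, and that cluster absorbs every later alert within `window`
    of its first alert. Returns a list of clusters (each a list of alert tuples).
    """
    by_identity = {}
    for a in alerts:
        by_identity.setdefault(a[0], []).append(a)

    clusters = []
    for items in by_identity.values():
        items.sort(key=lambda a: a[2])
        i = 0
        while i < len(items):
            start = items[i][2]
            # items is sorted, so the window members are a contiguous prefix of items[i:]
            members = [a for a in items[i:] if a[2] - start <= window]
            families = {a[1] for a in members}
            if len(members) >= min_alerts and len(families) >= min_families:
                clusters.append(members)
                i += len(members)  # these are now covered by one incident card
            else:
                i += 1
    return clusters


def demo():
    """Constructed sample alerts; returns (clusters, alerts still emailed individually)."""
    t0 = datetime(2024, 1, 8, 14, 0)
    alerts = [
        ("bob@example.com", "mass_download", t0),
        ("bob@example.com", "mass_download", t0 + timedelta(minutes=5)),
        ("bob@example.com", "external_share", t0 + timedelta(minutes=12)),
        ("bob@example.com", "new_geo", t0 + timedelta(minutes=50)),      # outside the 30 min window
        ("carol@example.com", "mass_download", t0),
        ("carol@example.com", "mass_download", t0 + timedelta(minutes=3)),
        ("carol@example.com", "mass_download", t0 + timedelta(minutes=9)),  # 3 alerts but 1 family: no cluster
    ]
    clusters = find_clusters(alerts)
    preempted = {a for cluster in clusters for a in cluster}
    standalone = [a for a in alerts if a not in preempted]
    return clusters, standalone


if __name__ == "__main__":
    found, remaining = demo()
    print(f"{len(found)} incident card(s), {len(remaining)} per-alert email(s)")
```

Bob's three alerts inside the window collapse into one incident card; his later `new_geo` alert and all of Carol's single-family burst stay on the per-alert path (where, for Carol, the cooldown layer would then apply).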

3. Daily escalation summary

When sent: the daily pattern detector scores a user's day and the cumulative score crosses the threshold. The score weights severity, category diversity, time spread, and slope.

Body contents:

  • Header with the user and the day.
  • AI narrative of the day's pattern.
  • Chronological list of constituent alerts for the day.
  • Severity = maximum of constituent severities, bumped one tier.

Effect on per-alert emails: once a daily escalation summary has been sent for a user-day, ALL further per-alert emails for that user for the rest of the day are suppressed (logged in the suppression journal with the dedup reason).

4. Weekly executive briefing

When sent: every Monday morning (around 06:00 local time) to recipients with the Weekly briefing gate enabled.

Body contents:

  • Header tiles (alerts this week, week-over-week change, Critical + High count, active incidents).
  • AI-written 200 to 300 word narrative summarising the week's signal, top concerns, and recommended actions.
  • Top entities table.
  • Top categories table.

Subject pattern: Burrow weekly briefing - [tenant name]

Independent of the per-alert pipeline — a recipient with Minimum severity = Critical (no per-alert emails) still receives the weekly briefing if the Weekly briefing gate is on.

For full detail on the briefing, see Weekly executive briefing.

Suppression layers — the order they apply

A per-alert email is sent only if it passes EVERY one of these checks. Each suppression is recorded in the suppression journal with a specific reason so an auditor can later see why anything was skipped.

  1. Minimum severity floor. If the alert's severity is below your Min severity setting → skip.
  2. Entity exception (Suppress). If the user matches an exception with action=Suppress → skip.
  3. AI verdict not-real. If the AI triage step marked the alert "not real" → skip (default).
  4. Rule-mode exclude list. If your Rules mode is Selected and the category is not on the list → skip.
  5. Cooldown. If the same (user, category) pair already emailed within the last hour → skip.
  6. Daily escalation dedup. If a daily escalation summary has already been sent for this user today → skip every subsequent per-alert email for that user for the rest of the day.
  7. Incident card pre-emption. If this alert is a constituent of an Investigation that the consolidated incident card already covered → skip.

The result of these layers is the email volume reduction you experience day-to-day: 5+ alerts on one user become 1 incident card; 8+ alerts on one user across the day become 1 daily escalation summary; recurring alerts in the same hour get cooldown-suppressed.
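Because the order of the layers determines which reason lands in the suppression journal, it helps to see the chain as code. The block below is an added example, not Burrow's implementation: the `Alert`, `Recipient` and `DeliveryState` shapes, the journal format, the reason strings and the sample alerts are all assumptions. It evaluates the seven checks in the page's order and returns the first reason that skips an alert, or `None` when the per-alert email should go out.

```python
"""Added example: a reference model of the seven per-alert suppression layers,
evaluated in the order the page lists them. All data shapes are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
COOLDOWN = timedelta(hours=1)  # layer 5: same (user, category) within the last hour


@dataclass
class Alert:
    user: str
    category: str
    severity: str
    fired_at: datetime
    ai_verdict: str = "real"                    # "real" | "not real" | "maybe"
    investigation_id: Optional[str] = None      # set when the alert is part of an Investigation


@dataclass
class Recipient:
    min_severity: str = "Medium"                      # Minimum severity gate
    suppressed_users: set = field(default_factory=set)  # entity exceptions with action=Suppress
    rules_mode: str = "All"                           # "All" | "Selected"
    selected_categories: set = field(default_factory=set)


@dataclass
class DeliveryState:
    """State the later layers consult (assumed shape, per recipient)."""
    last_sent: dict = field(default_factory=dict)          # (user, category) -> datetime
    escalated_user_days: set = field(default_factory=set)  # (user, date) already summarised
    carded_investigations: set = field(default_factory=set)  # investigation ids already carded


def suppression_reason(alert, recipient, state):
    """Return None to send, else the journal reason of the FIRST layer that skips."""
    if SEVERITY_RANK[alert.severity] < SEVERITY_RANK[recipient.min_severity]:
        return "min_severity"                                   # 1. severity floor
    if alert.user in recipient.suppressed_users:
        return "entity_exception"                               # 2. Suppress exception
    if alert.ai_verdict == "not real":
        return "ai_not_real"                                    # 3. AI verdict
    if recipient.rules_mode == "Selected" and alert.category not in recipient.selected_categories:
        return "rules_mode_exclude"                             # 4. Selected rules mode
    last = state.last_sent.get((alert.user, alert.category))
    if last is not None and alert.fired_at - last < COOLDOWN:
        return "cooldown"                                       # 5. one-hour cooldown
    if (alert.user, alert.fired_at.date()) in state.escalated_user_days:
        return "daily_escalation_dedup"                         # 6. daily summary already sent
    if alert.investigation_id in state.carded_investigations:
        return "incident_card_preempted"                        # 7. incident card covered it
    return None


def process(alert, recipient, state, journal):
    """Send the per-alert email or journal why it was skipped. Returns True if sent."""
    reason = suppression_reason(alert, recipient, state)
    if reason:
        journal.append((alert.user, alert.category, reason))
        return False
    state.last_sent[(alert.user, alert.category)] = alert.fired_at
    return True


def demo():
    """Constructed sample traffic for one user on one day.
    Returns the send decisions and the journal entries for the skipped alerts."""
    t0 = datetime(2024, 1, 8, 9, 0)
    user = "alice@example.com"
    recipient = Recipient(min_severity="Medium")
    state = DeliveryState(carded_investigations={"INV-1"})  # placeholder investigation id
    journal = []
    alerts = [
        Alert(user, "mass_download", "High", t0),                                   # sent
        Alert(user, "mass_download", "High", t0 + timedelta(minutes=20)),           # cooldown
        Alert(user, "new_geo", "Low", t0 + timedelta(minutes=25), ai_verdict="not real"),  # floor wins over layer 3
        Alert(user, "external_share", "High", t0 + timedelta(minutes=40), investigation_id="INV-1"),  # carded
    ]
    sent = [process(a, recipient, state, journal) for a in alerts]
    # The daily escalation summary goes out for this user-day ...
    state.escalated_user_days.add((user, t0.date()))
    # ... after which even a Critical alert is deduped for the rest of the day.
    sent.append(process(Alert(user, "exfil", "Critical", t0 + timedelta(hours=3)), recipient, state, journal))
    return sent, journal


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The ordering matters for auditing: an alert that is both below the severity floor and marked "not real" by AI is journaled as `min_severity`, because layer 1 runs before layer 3, and an auditor reading the journal should expect exactly that reason.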

What you can configure to change email volume

The fastest levers, in order of effect:

  1. Raise the Minimum severity gate on the Settings page. Going from Medium to High typically cuts per-alert volume by 50%+ in a noisy week.
  2. Add entity exceptions for known-noisy accounts. Each Suppress exception removes that user's alerts from every recipient's inbox.
  3. Tune noisy rules via the Suggestions panel on the Rules page.
  4. Switch Rules mode to Selected if specific categories are noisy. The recipient list then only emails the categories you opt them into.

What is NOT email

A few things you might expect to email but do not:

  • Operator dispositions. When a SOC analyst marks an alert Real / Not real / Maybe, no email goes out. The change is reflected in the dashboard and logged on the History page.
  • Admin configuration changes. When you add an exception, change the posture, or edit a rule, no email goes out. Logged on the History page.
  • Catch-up alerts from an outage. When Burrow comes back from an audit collection outage, it back-fills historical alerts. The historical alerts DO send through the email pipeline subject to all the usual suppression layers — but the cooldown layer often dedups bursts, so you may see fewer emails than the raw alert count.

Need help? support@smikar.com.
