Burrow FAQs
Common questions about the Burrow security and audit layer of Squirrel. Each section is a question with a short, practical answer. For deeper detail follow the cross-links.
If I dismiss an alert, does the system stop alerting on it?
Yes, eventually. The Suggestions panel on the Rules page proposes an exception once you have dismissed the same (user, category) pair three times in 14 days; clicking Apply makes the alerts stop. If you opt in to the Dismissal auto-suppress feature (off by default), Burrow applies the pattern itself after three dismissals without waiting for you to click Apply.
The first dismissal on its own does not silence anything. Use it as your vote — Burrow watches for the pattern across multiple dismissals before proposing (or applying) the silencing.
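As an added illustration of the three-in-14-days rule (this is example code, not Burrow's own implementation, and the dismissal log it runs over is constructed), a sliding-window count per (user, category) pair that reports which pairs would be proposed as exceptions, and whether the hypothetical auto-suppress flag would apply them instead:

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=14)   # documented: three dismissals within 14 days
THRESHOLD = 3

# Constructed sample dismissal log: (ISO timestamp, UPN of the user the alert
# was about, alert category). Names and categories are made up.
SAMPLE_DISMISSALS = [
    ("2024-05-01T09:00:00", "svc-backup@contoso.com", "Mass download"),
    ("2024-05-03T10:30:00", "svc-backup@contoso.com", "Mass download"),
    ("2024-05-12T08:15:00", "svc-backup@contoso.com", "Mass download"),
    ("2024-05-02T09:00:00", "svc-backup@contoso.com", "Inbox rule"),
    ("2024-04-01T09:00:00", "alice@contoso.com", "Impossible travel"),
    ("2024-04-20T09:00:00", "alice@contoso.com", "Impossible travel"),
    ("2024-05-10T09:00:00", "alice@contoso.com", "Impossible travel"),
]


def suggested_exceptions(dismissals, window=WINDOW, threshold=THRESHOLD):
    """Return the set of (user, category) pairs that reached `threshold`
    dismissals inside any span of length `window`.

    Per pair, timestamps are sorted and scanned with a sliding window, so
    three dismissals spread over 19 days do not qualify while three within
    11 days do.
    """
    by_pair = defaultdict(list)
    for stamp, user, category in dismissals:
        by_pair[(user.lower(), category)].append(datetime.fromisoformat(stamp))

    qualifying = set()
    for pair, stamps in by_pair.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # Advance the window start until the oldest kept stamp fits.
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                qualifying.add(pair)
                break
    return qualifying


def disposition_for(dismissals, auto_suppress_enabled=False):
    """With Dismissal auto-suppress off (the default) qualifying pairs are only
    proposed in the Suggestions panel; with it on they are applied directly.
    The flag name is an assumption for this example."""
    pairs = suggested_exceptions(dismissals)
    state = "applied" if auto_suppress_enabled else "suggested"
    return {pair: state for pair in pairs}


if __name__ == "__main__":
    for pair, state in disposition_for(SAMPLE_DISMISSALS).items():
        print(f"{state}: user={pair[0]} category={pair[1]}")
```

Only the svc-backup / Mass download pair qualifies: alice has three dismissals too, but they span April 1 to May 10, and no 14-day window contains all three.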
Where did my AI-dismissed alerts go?
The Active tab now excludes alerts the AI judged as not real, to keep your work queue focused on what actually needs attention. They are still fully queryable — switch to the Dismissed tab to see them alongside the alerts you have manually dismissed.
The two kinds are visually distinct on the row:
- AI-dismissed — empty status select plus the AI · NO verdict badge.
- Operator-dismissed — "Dismissed" shown in the status select.
The operator override always wins. If you set Acknowledged / Investigating / Escalated on an AI-dismissed alert, it leaves the Dismissed tab and stays visible under the tab matching that disposition until you close it yourself.
I added an exception but still got an email — why?
Entity exceptions take effect on the next detection pass after you save them, typically within a minute. If you saved the exception just before an alert fired, the alert may have been in the pipeline before the exception was loaded.
For alerts that arrived after the exception was saved and were still emailed, work through these checks:
- Check the user pattern. Matching is case-insensitive, and `*` is the only wildcard: it matches any run of characters, but only where you place it, and the pattern must cover the whole UPN. A substring that is neither at the start nor the end of the UPN therefore needs a `*` on both sides. For example, the pattern `app@sharepoint*` matches `app@sharepoint-abc`, but `sharepoint*` alone does not match `app@sharepoint-abc` because the substring is not at the start of the UPN (`*sharepoint*` would).
- Check the category. If your exception names one specific category, only that category is suppressed. To silence all alerts from the user, set Category to `*`.
- Check the action. If the action is Downgrade rather than Suppress, the alert is still emitted at the reduced severity, and an email at that reduced severity may still pass your Minimum severity gate.
- Check the suppression journal in Settings. If the alert was suppressed by something other than the exception, the journal entry shows why. If the journal shows the exception fired but you still got the email, raise a support ticket.
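The three checks above, as an added model you can run offline against your own pattern, category and action before raising a ticket. This is example code, not Burrow's matcher: the `*`-only wildcard and case-insensitive, whole-UPN matching follow the bullets above, while the severity tier ranking and the `downgrade_to` target of a Downgrade action are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed severity tiers and ordering; the page names tiers but not their ranks.
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


def upn_matches(pattern: str, upn: str) -> bool:
    """Match an exception's user pattern against a UPN.

    '*' matches any run of characters; everything else is literal and compared
    case-insensitively. The pattern has to cover the whole UPN, so a substring
    that is neither at the start nor the end needs '*' on both sides.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, upn, flags=re.IGNORECASE) is not None


@dataclass
class ExceptionRule:
    user_pattern: str
    category: str                        # "*" covers every category
    action: str                          # "Suppress" or "Downgrade"
    downgrade_to: Optional[str] = None   # assumed: tier a Downgrade lands on


@dataclass
class Alert:
    upn: str
    category: str
    severity: str


def email_outcome(rule: ExceptionRule, alert: Alert, min_severity: str) -> Tuple[bool, str]:
    """Return (emailed, reason) for one alert checked against one exception
    and the Minimum severity gate from the Notifications settings."""
    def passes_gate(sev: str) -> bool:
        return SEVERITY_RANK[sev] >= SEVERITY_RANK[min_severity]

    if not upn_matches(rule.user_pattern, alert.upn):
        return passes_gate(alert.severity), "user pattern did not match"
    if rule.category != "*" and rule.category != alert.category:
        return passes_gate(alert.severity), "category not covered by exception"
    if rule.action == "Suppress":
        return False, "suppressed by exception"
    if rule.action == "Downgrade":
        new_sev = rule.downgrade_to or "Low"
        if passes_gate(new_sev):
            return True, f"downgraded to {new_sev}, still at or above gate {min_severity}"
        return False, f"downgraded to {new_sev}, below gate {min_severity}"
    raise ValueError(f"unknown action {rule.action!r}")


if __name__ == "__main__":
    alert = Alert("app@sharepoint-abc", "Mass download", "High")  # constructed
    for rule in (
        ExceptionRule("sharepoint*", "*", "Suppress"),                 # not anchored: still emails
        ExceptionRule("app@sharepoint*", "Inbox rule", "Suppress"),    # wrong category: still emails
        ExceptionRule("app@sharepoint*", "*", "Downgrade", "Medium"),  # passes a Medium gate: still emails
        ExceptionRule("app@sharepoint*", "*", "Suppress"),             # this one silences it
    ):
        print(rule.user_pattern, rule.category, rule.action, "->", email_outcome(rule, alert, "Medium"))
```

Run it with your real pattern in place of the constructed one; if the model says the exception fires but Burrow still emailed, that is the case the suppression journal and a support ticket are for.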
Top MITRE shows "No data" — is that broken?
Probably not. Two common reasons:
- No MITRE-tagged alerts have fired in the current lookback window. The default window is 24 hours; widen it (e.g. to 7 days) to see longer-range data. The home page lookback selector is at the top of the tile.
- The lookback window is correct but your tenant has been genuinely quiet. No data on Top MITRE in a quiet week is not itself a fault: it means none of the MITRE-tagged detections fired in that window. Read it as an absence of detections, not as proof that no adversary technique is in use.
If the Top MITRE tab shows "No data" but the Severity donut shows alert counts in the same window, the absence is unexpected — raise a support ticket.
Cold storage rehydrate is stuck in FETCHING — what now?
Most rehydrates complete within 30 seconds to 5 minutes depending on the entity's activity volume. A job stuck in FETCHING for longer than 30 minutes usually means one of:
- The cold-storage worker is busy with a larger job ahead of yours. Check the All jobs list on the Cold Storage panel for other in-progress rehydrates. The worker processes jobs one at a time.
- Network or storage transient issue. Wait 10 more minutes. If the state has not changed, click delete on the stuck row and resubmit the job.
- The entity has more historical data than expected. A single user with months of high activity can take 15+ minutes for a multi-month rehydrate. In this case, wait it out.
If a resubmitted job also gets stuck, raise a support ticket with the entity, the month range, and the job state.
How long does Burrow keep audit data?
Two retention horizons:
- On-disk (queryable instantly in Forage): roughly the last 14 days.
- Cold storage (in your Azure Blob, rehydratable on demand): essentially indefinite — bounded only by your Azure storage budget.
Audit data is auto-moved from on-disk to cold storage after about 14 days. The on-disk copy is removed at that point. To search older data, rehydrate the relevant months from cold storage first.
For practical purposes, Burrow keeps your audit history forever unless you choose to delete cold-storage data manually. The retention is governed by your storage account — Burrow does not enforce any deletion policy of its own.
Does Burrow log when I dismiss an alert?
Yes. Every disposition click (Real / Not real / Maybe) is recorded in two places:
- The History page — append-only, shows your analyst identity, timestamp, the alert key, and the before / after disposition.
- The suppression journal — records every per-alert email Burrow then suppressed as a result of dismissal-driven exceptions (whether applied via Suggestion or auto-suppress).
Together these answer "did SOC analyst X actually triage that alert and what did they decide?" with a defensible audit trail.
Can I get the weekly briefing without alert emails?
Yes. On the Settings page → Notifications tab, set:
- Minimum severity = Critical (so per-alert emails are heavily restricted to only the highest tier).
- Weekly briefing = on.
The recipient will get the Monday morning executive briefing every week plus any Critical-severity per-alert emails, which are rare. There is no setting that yields zero per-alert emails, because the gate cannot be set above Critical; in practice, Critical filters out essentially everything routine.
The Weekly briefing toggle is independent of the per-alert gate, so this configuration works as expected for management / compliance leads who want the weekly summary but do not want the day-to-day noise.
Need help? support@smikar.com.