Burrow Glossary
This page defines every product-specific term you'll see across the Burrow dashboard, emails, and documentation. Bookmark it.
Products
- Burrow — Squirrel's security monitoring and audit product. Pulls Microsoft 365 audit data, runs it through a rules engine plus UEBA (user-and-entity behavioural analytics), and surfaces alerts in the dashboard.
- Forage — the cross-entity activity search tool inside the Burrow dashboard. Answers "what did this user do" questions over the audit data Burrow has collected.
- Squirrel — Smikar's umbrella product family. Includes Burrow, Forage, and the separate file-archive product.
- Smikar — the company that builds Squirrel.
Detection concepts
- Rule — a deterministic check (e.g. "downloaded more than the configured bytes-and-files threshold within this detection window"). Each rule has a category, a severity, and a MITRE ATT&CK technique ID.
- Rule category — short identifier on every alert (`ransomware_signature`, `mass_deletion`, `data_exfiltration_high`, and so on). Each category corresponds to one rule. See the rule catalog for the full list.
- UEBA family — rules that compare a user's current behaviour against their own historical baseline or against their peer group. Includes `behavioral_deviation`, `peer_group_deviation`, `intraday_velocity_burst`, `unusual_hour_activity`, and others.
- Detection posture — preset of how aggressively the detection engine should fire. Five postures ship: Permissive, Relaxed, Balanced (default), Strict, Paranoid. Set on the Rules page; thresholds for every rule re-compute against the selected posture.
- Per-rule override — an operator-edited threshold for a single rule that wins over the posture preset.
- Entity exception — an operator-defined "for this user pattern, in this category, suppress or downgrade" rule. Used to silence noise from service accounts without disabling rules globally.
- Disabled rule — a rule globally turned off so no alerts are ever generated for it. Heavier than an exception; use sparingly.
- Disposition — the operator's verdict on an alert: real, not real, or maybe. Drives the dashboard's triage donut and Burrow's email-suppression logic.
- AI verdict — Burrow's own initial verdict on whether an alert is real, produced by the AI triage step before the operator sees it. Same shape as a disposition. When the AI verdict is "not real", per-alert emails are skipped by default.
AI narration
- AI narration — the AI-written prose that turns deterministic facts into readable summaries on alerts, investigations, the weekly briefing, and identity profiles.
- AI safety check — the verifier built into every AI step that catches the AI inventing numbers or names not present in the source data. If anything is invented, the AI output is rejected and a plain template is used instead, so an analyst never reads fabricated facts.
- Profile narrative — the 2–4 sentence AI summary of a user's typical behaviour on the Identity dossier. Generated periodically and refreshed automatically.
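The AI safety check above is described only in outline. The following is an added example, not Burrow's code, of how such a verifier can be built: every number and name in the AI prose is checked against the alert's evidence object, and one invented fact is enough to reject the prose and fall back to a plain template. The evidence object, the token rules (numbers, e-mail and snake/kebab-case identifiers, capitalised words that do not start a sentence), the `VOCAB` allowlist and the function names are all this example's assumptions; the page does not say how Burrow's own check works.

```python
"""Illustrative AI safety check (hallucination guard) for alert narration.

Added example, not Burrow's own code. The token rules below and the evidence
layout are assumptions; the glossary only states that invented numbers or
names cause the AI output to be rejected in favour of a plain template.
"""
import re

# Constructed evidence object for one alert: the only facts narration may cite.
EVIDENCE = {
    "user": "j.doe@contoso.example",
    "category": "data_exfiltration_high",
    "files": 412,
    "bytes_human": "9.3 GB",   # pre-rendered so the model never converts units itself
    "site": "Finance-Archive",
    "window_minutes": 30,
}

# Product words the plain templates already use; never counted as invented names.
VOCAB = {"sharepoint", "onedrive", "microsoft", "burrow"}

NUMBER_RE = re.compile(r"\d+(?:[.,]\d+)*")
IDENT_RE = re.compile(r"[\w.-]+@[\w.-]+|\b\w+(?:[_-]\w+)+\b")   # e-mails, snake_case, kebab-case
CAP_RE = re.compile(r"\b[A-Z][\w-]{2,}\b")                     # capitalised word, 3+ chars


def name_tokens(text, skip_sentence_start):
    """Lower-cased name-like tokens; optionally ignore the first word of each sentence."""
    found = {t.lower() for t in IDENT_RE.findall(text)}
    for sentence in re.split(r"(?<=[.!?])\s+", text.strip()):
        words = sentence.split()
        for word in (words[1:] if skip_sentence_start else words):
            found.update(t.lower() for t in CAP_RE.findall(word))
    return found


def allowed_facts(evidence):
    """Numbers and names the narrator is permitted to mention."""
    numbers, names = set(), set(VOCAB)
    for value in evidence.values():
        text = str(value)
        numbers.update(n.replace(",", "") for n in NUMBER_RE.findall(text))
        names |= name_tokens(text, skip_sentence_start=False)
    return numbers, names


def invented_facts(narrative, evidence):
    """Every number or name in the narrative that the evidence does not contain."""
    numbers, names = allowed_facts(evidence)
    bad = [n for n in NUMBER_RE.findall(narrative) if n.replace(",", "") not in numbers]
    bad += sorted(t for t in name_tokens(narrative, skip_sentence_start=True) if t not in names)
    return bad


def narrate(ai_text, evidence):
    """Accept the AI prose only if it invents nothing; otherwise use the plain template."""
    if invented_facts(ai_text, evidence):
        template = ("{user} downloaded {files} files ({bytes_human}) from {site} "
                    "within {window_minutes} minutes.").format(**evidence)
        return False, template
    return True, ai_text


# Constructed sample narrations: one faithful, one that invents a count and two names.
GOOD = ("Over 30 minutes, j.doe@contoso.example downloaded 412 files (9.3 GB) "
        "from the SharePoint site Finance-Archive.")
BAD = ("j.doe@contoso.example downloaded 1,200 files from Finance-Archive and also "
       "from the HR-Payroll site, then emailed Alice.")

if __name__ == "__main__":
    print(narrate(GOOD, EVIDENCE))
    print(invented_facts(BAD, EVIDENCE), narrate(BAD, EVIDENCE))
```

The design point worth noting is the `bytes_human` field: derived quantities (bytes rendered as gigabytes, percentages, durations) must be pre-computed into the evidence object, because a verifier that only knows the raw byte count would reject a correct "9.3 GB" as invented, and a verifier that tolerates unit conversion would let fabricated figures through.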
Data concepts
- Alert — one detection. Has a category, severity, evidence object, MITRE technique ID, and (after the AI triage step) a verdict.
- Identity — a user, service account, or app Burrow has observed. Each identity carries a decayed risk score, an alert history, and a behavioural profile.
- Investigation — a cluster of related alerts on the same identity within a short window, automatically grouped and AI-narrated as an attack-chain story. The left navigation labels this page Cases; the page heading is Investigations — both refer to the same thing.
- Daily-pattern escalation — a per-identity-per-day meta-alert emitted when the day's cumulative alert score crosses a threshold. Reads as one "this user had a bad day" summary in place of many raw alerts.
- Cold storage — Azure Blob container in your tenant holding audit data older than the on-disk retention window. Operator-rehydratable on demand from the Forage page's Cold Storage panel.
- Rehydrate — pull cold-storage data back into a local cache so Forage can query it. Cached for 24 hours then auto-purged.
Email types
Burrow sends four kinds of email. See Email types Burrow sends for the full breakdown.
- Per-alert email — one alert that wasn't suppressed and wasn't covered by a higher-tier card. Contains the AI narrative, key metrics, and top evidence.
- Daily escalation summary — one consolidated "this user had a bad day" email per affected identity, sent when the daily-pattern escalation rule fires.
- Consolidated incident card — one email per Investigation, replacing what would otherwise be multiple per-alert emails for the same cluster.
- Weekly executive briefing — Monday morning summary of the week's signal: alert volume, week-over-week change, top concerns, recommended actions.
Severity
- Critical — assume bad until proven otherwise. Ransomware signature, mass deletion, audit tampering.
- High — likely bad, investigate today. Most data-exfiltration patterns and anomalous sign-ins.
- Medium — worth a look. UEBA deviations of moderate magnitude.
- Low — informational. Captured for forensics, not actively prosecuted.
- Info — purely audit; never wakes anyone.
MITRE
Every Burrow alert is tagged with a MITRE ATT&CK technique ID (T1486 Data Encrypted for Impact, T1078 Valid Accounts, T1567.002 Exfiltration to Cloud Storage, and so on). MITRE ATT&CK is the industry-standard adversary-technique taxonomy — the same vocabulary Microsoft Defender, Sentinel, and CrowdStrike use. The Top MITRE tab on the Burrow home page shows which techniques are most active in your tenant.
Other dashboard vocabulary
- Lookback window — how far back the dashboard's "current" view extends. Configurable per page.
- Cooldown — Burrow suppresses duplicate alerts for the same user-and-category pair within the same hour, so a noisy entity doesn't flood the inbox.
- Sensitive sites — operator-pinned SharePoint URL patterns whose activity bumps alert severity one tier.
- Sensitive labels — Microsoft Information Protection labels Burrow treats as confidential.
- Sensitive keywords — substring patterns that, if seen in SharePoint search queries, trigger a dedicated rule.
- Internal domains — the list of email domains Burrow treats as "your organisation" for internal-vs-external sharing classification. Auto-learned from observed activity; an operator can pin or exclude entries manually.
- Suppression journal — the queryable log inside Settings of every alert Burrow chose not to email, with the reason for each.
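The Detection concepts section (posture, per-rule override, entity exception, AI verdict) and the dashboard vocabulary above (sensitive sites, cooldown, suppression journal) together describe one evaluation path for an alert. The following is an added example, not Burrow's code, that wires those terms into a single function so the precedence is explicit: an override beats the posture preset, a sensitive-site match bumps severity one tier, an entity exception suppresses or downgrades, a same-hour duplicate for the same user-and-category pair is cooled down, and an AI verdict of "not real" skips the e-mail, with every non-emailed alert written to the journal with its reason. The posture multipliers, the two-rule catalog, the event layout, the `Policy`/`Engine` names and the journal reason strings are assumptions made for the example; the page names the concepts but not their numbers.

```python
"""Illustrative alert-policy pipeline. Added example, not Burrow's own code;
posture multipliers, rule catalog, event layout and reason strings are assumed."""
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch

SEVERITIES = ["info", "low", "medium", "high", "critical"]

# Assumed: each posture scales the Balanced threshold; a smaller factor fires sooner.
POSTURE_SCALE = {"Permissive": 2.0, "Relaxed": 1.5, "Balanced": 1.0, "Strict": 0.6, "Paranoid": 0.3}

# Constructed two-rule catalog: base_threshold is the Balanced value.
RULES = {
    "data_exfiltration_high": {"metric": "bytes", "base_threshold": 5_000_000_000, "severity": "high"},
    "mass_deletion": {"metric": "files", "base_threshold": 500, "severity": "critical"},
}


@dataclass
class Policy:
    posture: str = "Balanced"
    overrides: dict = field(default_factory=dict)        # category -> absolute threshold
    exceptions: list = field(default_factory=list)       # (user glob, category, "suppress"|"downgrade")
    sensitive_sites: list = field(default_factory=list)  # SharePoint URL globs


def effective_threshold(policy, category):
    """A per-rule override wins; otherwise the posture preset scales the rule's base threshold."""
    if category in policy.overrides:
        return policy.overrides[category]
    return RULES[category]["base_threshold"] * POSTURE_SCALE[policy.posture]


def shift_severity(severity, steps):
    """Move up or down the severity ladder, clamped at both ends."""
    idx = SEVERITIES.index(severity) + steps
    return SEVERITIES[max(0, min(idx, len(SEVERITIES) - 1))]


@dataclass
class Engine:
    policy: Policy
    journal: list = field(default_factory=list)    # suppression journal: (user, category, reason)
    last_hour: dict = field(default_factory=dict)  # (user, category) -> hour the alert last fired

    def evaluate(self, event):
        """Return an alert dict carrying its e-mail decision, or None if the rule does not fire."""
        cat = event["category"]
        rule = RULES[cat]
        threshold = effective_threshold(self.policy, cat)
        if event[rule["metric"]] < threshold:
            return None
        alert = {"user": event["user"], "category": cat, "severity": rule["severity"],
                 "threshold": threshold, "email": True, "reason": None}
        # Sensitive sites: activity on a pinned URL pattern bumps severity one tier.
        if any(fnmatch(event.get("site", ""), pattern) for pattern in self.policy.sensitive_sites):
            alert["severity"] = shift_severity(alert["severity"], +1)
        # Entity exceptions: for this user pattern, in this category, suppress or downgrade.
        for user_glob, exc_cat, action in self.policy.exceptions:
            if exc_cat == cat and fnmatch(event["user"], user_glob):
                if action == "suppress":
                    return self._suppress(alert, "entity_exception")
                alert["severity"] = shift_severity(alert["severity"], -1)
        # Cooldown: one e-mail per user-and-category pair per clock hour.
        hour = event["time"].strftime("%Y-%m-%dT%H")
        key = (event["user"], cat)
        if self.last_hour.get(key) == hour:
            return self._suppress(alert, "cooldown")
        self.last_hour[key] = hour
        # AI verdict of "not real" skips the per-alert e-mail by default.
        if event.get("ai_verdict") == "not real":
            return self._suppress(alert, "ai_verdict_not_real")
        return alert

    def _suppress(self, alert, reason):
        alert["email"] = False
        alert["reason"] = reason
        self.journal.append((alert["user"], alert["category"], reason))
        return alert


def demo():
    """Constructed events run under a Strict posture with one override and two exceptions."""
    policy = Policy(
        posture="Strict",
        overrides={"mass_deletion": 200},
        exceptions=[("svc-backup@*", "data_exfiltration_high", "suppress"),
                    ("*.intern@contoso.example", "mass_deletion", "downgrade")],
        sensitive_sites=["https://contoso.sharepoint.com/sites/finance/*"],
    )
    engine = Engine(policy)

    def at(hour, minute):
        return datetime(2024, 5, 6, hour, minute)

    events = [
        {"user": "j.doe@contoso.example", "category": "data_exfiltration_high", "bytes": 4_000_000_000,
         "site": "https://contoso.sharepoint.com/sites/finance/Shared Documents", "time": at(10, 15)},
        {"user": "j.doe@contoso.example", "category": "data_exfiltration_high", "bytes": 3_500_000_000,
         "site": "https://contoso.sharepoint.com/sites/marketing", "time": at(10, 40)},
        {"user": "svc-backup@contoso.example", "category": "data_exfiltration_high",
         "bytes": 8_000_000_000, "time": at(10, 50)},
        {"user": "j.doe@contoso.example", "category": "data_exfiltration_high",
         "bytes": 2_000_000_000, "time": at(10, 55)},
        {"user": "a.intern@contoso.example", "category": "mass_deletion", "files": 250,
         "time": at(11, 5), "ai_verdict": "not real"},
    ]
    return [engine.evaluate(e) for e in events], engine.journal


if __name__ == "__main__":
    results, journal = demo()
    for r in results:
        print(r)
    print("journal:", journal)
```

Running `demo()` shows the ordering consequences: the first exfiltration alert is bumped to critical by the finance-site match and e-mailed; the second, 25 minutes later, is journaled as a cooldown duplicate even though it also clears the Strict threshold; the backup service account is suppressed by its exception before cooldown is ever consulted; the fourth event never becomes an alert because it sits under the Strict threshold; and the intern's mass deletion clears the 200-file override, is downgraded one tier, then has its e-mail skipped by the AI verdict.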
Need help? support@smikar.com.