Identity Report and Log Export
4 min read
Every identity page in Burrow carries two export actions in the header — Report and Logs — for handing an account off to HR, legal, or an auditor. One is a polished narrative for a human reader; the other is the raw evidence trail. Use them together when you need to both explain and prove what an account did.
Report — the AI-written activity report
Click Report and Burrow opens a polished, printable activity report in a new tab. It is written by the AI but grounded strictly in that account's real figures — the model can only use the numbers it is given, so it cannot invent events or inflate counts.
The report is laid out as a designed document:
- Cover with the account and the reporting period.
- Executive summary — a few sentences on who this account is and what the period looked like.
- Activity overview — downloads, uploads, shares, deletions, and the like.
- Alerts and risk — what fired, and how it nets out.
- Assessment — a plain-language read on whether the activity warrants concern.
- Supporting visuals: a KPI bar, an activity-by-hour sparkline, an activity grid, and an alert table.
It takes roughly 15 to 20 seconds to generate, because it is a live AI call. If the AI is briefly unavailable, the report falls back to the account's stored behavioural narrative and investigation notes so you still get a usable document.
If the account is currently on the Watchlist, the report carries a WATCHED banner so the reader knows it was produced under heightened monitoring.
Print-to-PDF or save the tab to attach the report to an HR case, a legal hold, or a compliance pack.
Logs — the raw evidence export
Click Logs to download the account's raw audit event log, verbatim, as a file:
- CSV — the default. Opens in Excel or any spreadsheet tool. Columns cover the timestamp, operation, user, filename, site, source IP, geography, user agent, application, file size, target, and sensitivity label.
- JSONL — newline-delimited JSON, the raw records unmodified. Use this when you need the exact source data for a downstream tool or for strict chain-of-custody.
Where the Report is the human-readable narrative, the Logs export is the underlying proof — the verbatim Microsoft 365 records behind every line of the report. An auditor who wants to verify a claim in the report can reconcile it against the log.
When to use which
- Report — when someone (a manager, an HR lead, a compliance officer) needs to understand an account's activity without reading raw audit data.
- Logs — when someone needs to verify the activity, or when a legal / eDiscovery process requires the original records as evidence.
- Both — the normal hand-off: the Report explains, the Logs prove.
How it pairs with the Watchlist
When you put a departing employee or a flagged account under heightened monitoring, the daily digest email is the same AI report described here, sent automatically once a day. The Report and Logs buttons let you pull the same material on demand at any point during the watch — for example when HR asks for an interim summary, or when an incident escalates and legal wants the raw log.
See also
- Watchlist: heightened monitoring — where the daily digest version of this report comes from.
- Using the Identity dossier — the in-dashboard view of the same account.
- Forage — for cross-entity searches when one account's log is not enough.
- The investigation digest — the deterministic "what actually happened" reconstruction the report builds on.
Need help? support@smikar.com.