Skip to content
SmiKar Software

Internal Domains - Auto-Learned and Manual Override

4 min read

Burrow needs to know which email domains belong to your organisation so it can classify shares correctly. A share to partner.com is "external" only if partner.com is not in your internal-domains list. This article covers how the list is populated, how to override the auto-learner, and the effect on detection.

What "internal" means to Burrow

When Burrow sees a sharing event in a SharePoint audit record, it asks: is the recipient's email domain on the internal-domains list?

  • Yes (internal) — the share is classified as internal. Alerts about external sharing do not fire on it. Identity dossier profiles do not call the recipient a "guest".
  • No (external) — the share counts toward external_shares in the user's per-window counters and feeds external-sharing detection rules.

Getting the list right matters because it directly controls how much external-sharing noise you see.

Where the list lives

  1. Open the Burrow dashboard → Internal domains in the left navigation.

The page has four sections:

  • Promoted domains — domains in active use (Burrow has seen them in audit records often enough to auto-promote). Each row shows the domain, the source (learned or manual), when Burrow first saw it, and a count of how many detection passes have observed it.
  • Suggested domains — domains Burrow has seen but not yet reached the auto-promotion threshold. Each suggestion has a Promote button.
  • Manual add — input field for force-promoting a domain you know is internal even if Burrow has not seen it yet.
  • Manual exclude — for marking a learner-promoted domain as "actually NOT internal" so it does not contribute to internal classification.

How the auto-learner works

Every detection pass, Burrow looks at the UPNs of non-Guest actors in the audit records. When a domain appears in audit records across several distinct detection passes, the auto-learner promotes it to internal. The threshold is conservative — single-detection-pass appearances do not promote, only sustained activity does.

This avoids false promotions from one-off events (a user who logged in once from a contractor domain, etc.).

When to use manual add

Use Manual add when:

  • A new internal domain has just been added to your tenant (e.g. company merger, new subsidiary) and you want to promote it immediately rather than wait for the learner.
  • A subsidiary or sister-company domain is technically separate but should be treated as internal for sharing purposes.
  • The learner is taking too long — usually only relevant for low-activity domains.

Fill in the domain, click Add. Source is set to manual, which means the auto-learner cannot demote it.

When to use manual exclude

Use Manual exclude when:

  • The learner has wrongly promoted a domain. For example, a contractor domain that several internal users accidentally cc'd in audit-relevant operations. The activity looked internal-shaped but the domain should not be treated as internal for share classification.
  • A vendor domain with high-volume legitimate interaction is being treated as internal, masking real external-sharing signal.

To exclude, find the row in Promoted domains, click Override, set source to manual_excluded. Future detection passes treat it as external and the auto-learner will not re-promote it.

What changes after an edit

The Internal domains list reloads on the next detection pass (within around 10 minutes). New external-share alerts use the updated list. Old alerts already emitted are not re-classified — the list change is forward-looking.

Every change is logged on the History page with timestamp, operator identity, and before / after state.

A typical day-1 review

When you stand up Burrow, the auto-learner needs a few detection cycles to populate the list. On day 1 to 7:

  1. Visit the Internal domains page each day.
  2. Approve any suggested domains that are clearly internal (your primary @yourcompany.com, any subsidiary domains in active use).
  3. Manually add any internal domains you know about but have not appeared in audit yet (low-activity subsidiaries, etc.).
  4. Exclude any learner-promoted domains that are not actually internal.

After the first week, the list usually stabilises with periodic suggestion reviews.

See also

Need help? support@smikar.com.

Previous
Entity Exceptions - Silencing Service-Account Noise
Next
Postures, Overrides, and Disabled Rules

More in Squirrel

See all pages →
Postures, Overrides, and Disabled Rules
Recovering from an Audit Collection Outage
Rule Replay - Re-evaluating Rules Over Historical Data
Sensitive Sites, Labels, and Keywords
Suppress and Downgrade Pair Actions (Alerts page)
Tuning a Noisy Rule (with the Suggestions Panel)