SmiKar Software

Burrow First-Week Onboarding Checklist


A typical "stand up Burrow" reading and configuration order for your first week. Aimed at the admin or SOC lead who owns the deployment.

Burrow is fully managed by Smikar — the service is live on day one with the Balanced detection posture (default), the Entra ID security app consented, and your audit data flowing. The work in this checklist is about tuning Burrow to your tenant and onboarding your team.

Day 1 — Orient

  1. Read What is Burrow? for the product overview.
  2. Read Quick tour of the dashboard to learn the surfaces.
  3. Read Who uses what so the right team members start with the right pages.
  4. Skim the Glossary — you don't need to memorise it, just know it exists.
  5. Log into the Burrow dashboard for the first time. Confirm you land on the home page and see alert counts populating. If counts remain at zero after a few hours, raise a support ticket.

Day 2 — Configure email recipients

  1. Open the Settings page → Notifications tab.
  2. Add the email addresses that should receive alerts and the weekly executive briefing.
  3. Set the three gates:
    • Minimum severity — start with Medium. Tighten to High later if volume is too much.
    • Rules mode — All initially so you see everything; switch to Selected once you know which categories matter most.
    • Weekly briefing — leave on so recipients receive the Monday executive summary.
  4. Save. Burrow picks up the changes within a minute.

Day 3 — Tag your sensitive content

Burrow doesn't know which SharePoint sites or labels matter to you until you tell it.

  1. Open the Sensitive sites page and add URL patterns for your most sensitive site collections — HR, Finance, board, legal, customer data. Activity on these sites bumps alert severity one tier.
  2. Open the Sensitive keywords list (top of the Rules page) and add a few high-signal search terms — "acquisition", "termination", "salary", "M&A", whatever fits. A user searching for these phrases in SharePoint triggers a dedicated rule.
  3. If your tenant uses Microsoft Information Protection labels, confirm the Sensitive labels page reflects the labels you treat as confidential.

Day 4 — Bring your team on

  1. Send the SOC team Investigating an alert, Reading the evidence box, and Using the Identity dossier.
  2. Send your compliance / audit lead Pulling activity history for HR or legal and Exporting the suppression journal.
  3. Walk one alert end-to-end with the SOC team using the canonical investigation workflow. Most teams pick up the rhythm after two or three alerts.

Day 5 — First tuning pass

Expect Burrow to be slightly noisy in the first week as it learns your tenant's behaviour and as service accounts that should be silent show up as alerting entities.

  1. Open the Exceptions page and add suppress entries for known service accounts. Common patterns: app@sharepoint*, SHAREPOINT\system, and any vendor or scanner accounts you know about. See Entity exceptions for the wildcard syntax.
  2. Open the Rules page and read the Suggestions panel at the top. Burrow proposes specific tuning changes based on which alerts your team has been dismissing. Apply the ones that match your environment.
  3. Keep the detection posture at Balanced for now. Most tenants find Balanced is the right starting point and only need per-rule overrides for a small number of categories.
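The Day 2 gates, the Day 3 sensitive-site bump and the Day 5 exception list together decide which alerts reach your recipients. The following is an added illustrative model of that decision, not Burrow's own code: the four-tier severity scale, glob-style wildcard matching and the sample alerts are constructed assumptions (Burrow's real wildcard syntax is documented on its Entity exceptions page).

```python
import fnmatch
from dataclasses import dataclass

# Severity tiers, lowest to highest. The checklist names Medium and High;
# the full scale is an assumption made for this illustration.
TIERS = ["Low", "Medium", "High", "Critical"]

@dataclass
class Alert:
    actor: str     # user or service account that performed the action
    site: str      # SharePoint site URL the activity touched
    severity: str  # base severity before any sensitive-site bump

def _glob(value: str, patterns) -> bool:
    """Case-insensitive glob match (assumed semantics, not Burrow's)."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def bump_one_tier(severity: str) -> str:
    """Raise severity one tier, capped at the top of the scale."""
    return TIERS[min(TIERS.index(severity) + 1, len(TIERS) - 1)]

def is_suppressed(actor: str, exceptions) -> bool:
    """Day 5: known service accounts on the Exceptions list never notify."""
    return _glob(actor, exceptions)

def effective_severity(alert: Alert, sensitive_sites) -> str:
    """Day 3: activity on a tagged sensitive site bumps severity one tier."""
    return bump_one_tier(alert.severity) if _glob(alert.site, sensitive_sites) else alert.severity

def should_notify(alert: Alert, sensitive_sites, exceptions, min_severity: str) -> bool:
    """Suppression first, then the site bump, then the Day 2 minimum-severity gate."""
    if is_suppressed(alert.actor, exceptions):
        return False
    return TIERS.index(effective_severity(alert, sensitive_sites)) >= TIERS.index(min_severity)

# Constructed sample configuration mirroring the checklist's suggested values.
SENSITIVE_SITES = ["https://contoso.sharepoint.com/sites/HR*",
                   "https://contoso.sharepoint.com/sites/Finance*"]
EXCEPTIONS = ["app@sharepoint*", "SHAREPOINT\\system"]
MIN_SEVERITY = "Medium"

SAMPLE_ALERTS = [  # constructed, not real tenant data
    Alert("app@sharepoint", "https://contoso.sharepoint.com/sites/HR", "High"),
    Alert("alice@contoso.com", "https://contoso.sharepoint.com/sites/HR/payroll", "Low"),
    Alert("bob@contoso.com", "https://contoso.sharepoint.com/sites/Marketing", "Low"),
    Alert("SHAREPOINT\\system", "https://contoso.sharepoint.com/sites/Finance", "Critical"),
]

def triage(alerts=SAMPLE_ALERTS):
    """Return the actors whose alerts would reach the notification recipients."""
    return [a.actor for a in alerts if should_notify(a, SENSITIVE_SITES, EXCEPTIONS, MIN_SEVERITY)]

if __name__ == "__main__":
    print(triage())  # ['alice@contoso.com']
```

Only Alice's Low alert survives: the HR site match lifts it to Medium, while both service accounts are suppressed regardless of their severity.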

End of week — Review

  • Check the Weekly briefing on Monday morning. It reads as an executive-style summary of the week's signal.
  • Open the History page and review the admin actions your team has taken — a clean trail of who tuned what.
  • Adjust based on what you saw. Too much noise → tighten min-severity or add more exceptions. Too little signal → tighten the posture to Strict briefly and see what surfaces.

Where to go from here

  • Tuning a noisy rule for week-two refinements.
  • Custom rules when an out-of-the-box rule doesn't match a pattern you care about.
  • Rule replay when you want to see what a rule change would have done over historical data, without waiting for new events.

Need help? support@smikar.com.
