SmiKar Software

Sensitive Sites, Labels, and Keywords


Burrow treats most activity equally by default. Three lists let you tell Burrow which content matters more — and have alerts on that content fire harder. This article covers the three lists, how each affects detection, and how the auto-learner suggestions work.

The three lists

Sensitive sites

SharePoint site URL patterns whose activity bumps alert severity one tier when matched. Example: an unusual_hour_activity alert that would normally be Medium becomes High if the activity touched a sensitive site.

Sensitive labels

Microsoft Information Protection (MIP) labels that Burrow treats as confidential. Detections involving labelled files get tracked separately and can trigger label-aware rules (e.g. "Confidential-labelled file accessed from cross-geo").

Sensitive keywords

Substring patterns that, if seen in SharePoint search queries, trigger a dedicated sensitive_search_high rule. Examples: "password", "credential", "M&A", "acquisition", "termination".

How sensitive sites work

Adding a site manually

  1. Open the Burrow dashboard → Sensitive sites in the left navigation.
  2. Click Add pattern.
  3. Enter a SharePoint URL substring. Common patterns:
    • /sites/Finance/
    • /sites/HR/
    • /sites/Legal/
    • /sites/Board/
  4. Save.

From the next detection pass, any alert on activity touching a matching site has its severity bumped one tier and gets a sev_bumped=true flag on the alert's evidence with the matched pattern as the bump reason.
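The severity bump described above, as an added example that is not Burrow's own code: a substring match of the sensitive-site list against the URL on an alert raises the alert one tier and records the matched pattern as the bump reason. The tier order, the alert dict shape, the `site_url` field name, the cap at the top tier and case-insensitive URL matching are assumptions for illustration.

```python
# Added example (not Burrow's own code). Tier order, alert shape, field names
# and the cap at the top tier are assumptions for illustration.
SEVERITY_TIERS = ["Low", "Medium", "High", "Critical"]

def match_sensitive_site(site_url, patterns):
    """Return the first pattern found in site_url, else None.
    Case-insensitive comparison is an assumption: SharePoint paths are not case-sensitive."""
    url = site_url.lower()
    for pattern in patterns:
        if pattern.lower() in url:
            return pattern
    return None

def apply_site_bump(alert, patterns):
    """Raise the alert one tier if its URL matches a sensitive-site pattern and
    record why in the alert's evidence. Returns a new dict; the input is untouched."""
    matched = match_sensitive_site(alert.get("site_url", ""), patterns)
    bumped = dict(alert)
    bumped["evidence"] = dict(alert.get("evidence", {}))
    if matched is None:
        return bumped
    idx = SEVERITY_TIERS.index(alert["severity"])
    # An alert already at the top tier stays there (assumed cap).
    bumped["severity"] = SEVERITY_TIERS[min(idx + 1, len(SEVERITY_TIERS) - 1)]
    bumped["evidence"]["sev_bumped"] = True
    bumped["evidence"]["bump_reason"] = matched
    return bumped

# Constructed sample alerts, shaped like an unusual_hour_activity detection might emit them.
SAMPLE_ALERTS = [
    {"rule": "unusual_hour_activity", "severity": "Medium",
     "site_url": "https://contoso.sharepoint.com/sites/finance/Shared Documents/q3.xlsx"},
    {"rule": "unusual_hour_activity", "severity": "Medium",
     "site_url": "https://contoso.sharepoint.com/sites/Marketing/Shared Documents/deck.pptx"},
]
PATTERNS = ["/sites/Finance/", "/sites/HR/", "/sites/Legal/", "/sites/Board/"]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        out = apply_site_bump(alert, PATTERNS)
        print(out["rule"], out["severity"], out["evidence"])
```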

The auto-learner

Burrow also watches for sites that have hosted labelled-file activity in the lookback window and surfaces them as suggested sensitive sites. Each suggestion has three buttons on the Sensitive sites page:

  • Approve — adds the pattern to the active sensitive list.
  • Ignore — dismisses the suggestion for now; it may re-surface if activity continues.
  • Tombstone — permanently blocks re-suggestion of that pattern. Use this for sites the learner over-suggests.

The learner is conservative — it only suggests sites with confirmed labelled-file activity, not "any site lots of people use." Most suggestions are worth approving.

How sensitive labels work

Configuring label rules

  1. Open the dashboard → Sensitive labels in the left navigation.
  2. The top section lists every sensitivity label seen in your tenant (label name + GUID). Click Refresh from Microsoft to re-pull the catalog from Microsoft Graph if a new label has been added recently.
  3. Below the catalog, the Label rules list shows custom label-aware detection rules. Each rule maps a label + condition to an alert category and severity.

Adding a label rule

Click Add label rule and fill in:

  • Label — pick from your tenant's catalog (e.g. "Confidential").
  • Condition — e.g. "downloaded from cross-geo", "accessed from unmanaged device", "shared externally".
  • Alert category — what category name the resulting alerts carry (e.g. confidential_cross_geo).
  • Severity — Critical / High / Medium, chosen according to the operator response you want the alert to prompt.

When the condition is met for a file carrying that label, Burrow generates an alert in the named category. These are tenant-specific detections that complement the built-in rule catalog.
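How a label + condition rule is evaluated against a file-activity event, as an added example that is not Burrow's own code. The label catalog entries, the event fields, the condition names as predicates and the alert shape are all constructed assumptions; real label GUIDs come from your tenant's catalog.

```python
# Added example (not Burrow's own code). Catalog entries, event fields, condition
# predicates and the alert shape are assumptions for illustration.
LABEL_CATALOG = {
    # label GUID -> display name, as a pull from the MIP catalog would give (constructed GUIDs)
    "11111111-1111-1111-1111-111111111111": "Confidential",
    "22222222-2222-2222-2222-222222222222": "Restricted",
}

# Each condition is a predicate over the event (assumed event field names).
CONDITIONS = {
    "downloaded from cross-geo": lambda ev: ev["op"] == "FileDownloaded" and ev.get("cross_geo", False),
    "accessed from unmanaged device": lambda ev: not ev.get("managed_device", True),
    "shared externally": lambda ev: ev["op"] == "SharingSet" and ev.get("external", False),
}

LABEL_RULES = [
    {"label": "Confidential", "condition": "downloaded from cross-geo",
     "category": "confidential_cross_geo", "severity": "High"},
    {"label": "Restricted", "condition": "shared externally",
     "category": "restricted_shared_external", "severity": "Critical"},
]

def evaluate_label_rules(event, rules=LABEL_RULES, catalog=LABEL_CATALOG):
    """Return one alert per rule whose label matches the event's label and whose
    condition holds. Unlabelled files, or labels not in the catalog, yield nothing."""
    label_name = catalog.get(event.get("label_id"))
    if label_name is None:
        return []
    alerts = []
    for rule in rules:
        if rule["label"] == label_name and CONDITIONS[rule["condition"]](event):
            alerts.append({"category": rule["category"], "severity": rule["severity"],
                           "user": event["user"],
                           "evidence": {"label": label_name, "condition": rule["condition"],
                                        "file": event["file"]}})
    return alerts

# Constructed sample events (not real tenant data).
CROSS_GEO_DOWNLOAD = {"user": "alice@contoso.example", "op": "FileDownloaded",
                      "file": "/sites/Finance/Shared Documents/forecast.xlsx",
                      "label_id": "11111111-1111-1111-1111-111111111111",
                      "cross_geo": True, "managed_device": True}
UNLABELLED_DOWNLOAD = {"user": "bob@contoso.example", "op": "FileDownloaded",
                       "file": "/sites/Marketing/deck.pptx", "label_id": None, "cross_geo": True}
```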

How sensitive keywords work

Where the list lives

The keywords list is at the top of the Rules page, not on its own page. It is a simple list of substring patterns.

Adding keywords

  1. Open the Rules page → expand the Sensitive keywords section.
  2. Click Add keyword.
  3. Enter a substring pattern. Matching is case-insensitive and applies anywhere in a SharePoint search query.
  4. Save.

When a user runs a SharePoint search containing the pattern, the sensitive_search_high rule fires with the matched keyword(s) as evidence. The actual query string is preserved in the alert.

What kinds of keywords work well

  • Sensitive document types: "password", "credential", "API key", "secret".
  • Corporate-confidential topics: "M&A", "acquisition", "merger", "due diligence".
  • HR-sensitive topics: "termination", "redundancy", "performance plan", "salary".
  • Project codenames specific to your tenant.

Avoid generic terms ("report", "presentation") — they generate too much noise to be useful.
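The keyword matching described in this section, as an added example that is not Burrow's own code: case-insensitive substring matching of the keyword list against search-query events, emitting a sensitive_search_high alert that keeps the original query and the matched keyword(s), plus a small hit-rate check for the noise point above. The event fields, the alert shape and the High severity inferred from the rule name are assumptions.

```python
# Added example (not Burrow's own code). Event fields, alert shape and the
# High severity (inferred from the rule name) are assumptions for illustration.
KEYWORDS = ["password", "credential", "API key", "M&A", "acquisition", "termination"]

def matched_keywords(query, keywords):
    """Return every keyword found anywhere in the query, ignoring case.
    Matching is plain substring, so 'password' also hits 'passwords'."""
    q = query.lower()
    return [kw for kw in keywords if kw.lower() in q]

def evaluate_search_events(events, keywords):
    """Emit one sensitive_search_high alert per query containing a keyword,
    preserving the original query string and the matched keyword(s) as evidence."""
    alerts = []
    for ev in events:
        hits = matched_keywords(ev["query"], keywords)
        if hits:
            alerts.append({
                "rule": "sensitive_search_high",
                "severity": "High",
                "user": ev["user"],
                "evidence": {"query": ev["query"], "matched_keywords": hits},
            })
    return alerts

def keyword_hit_rate(events, keyword):
    """Share of queries a single keyword would match: a quick noise check before
    adding a term. Generic words hit a large fraction; codenames hit very few."""
    if not events:
        return 0.0
    hits = sum(1 for ev in events if keyword.lower() in ev["query"].lower())
    return hits / len(events)

# Constructed sample search events (not real tenant data).
SAMPLE_EVENTS = [
    {"user": "alice@contoso.example", "query": "Q3 sales report"},
    {"user": "bob@contoso.example", "query": "WiFi Password list"},
    {"user": "carol@contoso.example", "query": "m&a acquisition timeline"},
    {"user": "dave@contoso.example", "query": "termination letter template"},
    {"user": "erin@contoso.example", "query": "annual report presentation"},
]

if __name__ == "__main__":
    for alert in evaluate_search_events(SAMPLE_EVENTS, KEYWORDS):
        print(alert["user"], alert["evidence"])
    print("hit rate for 'report':", keyword_hit_rate(SAMPLE_EVENTS, "report"))
```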

A typical day-1 setup

For most tenants, the right starting point is:

  1. Sensitive sites: add /sites/Finance/, /sites/HR/, /sites/Legal/, plus any board / executive sites.
  2. Sensitive labels: if your tenant uses MIP, confirm the Sensitive labels page shows your Confidential, Restricted, and similar labels. Add a label rule for "Confidential downloaded cross-geo" as a starter detection.
  3. Sensitive keywords: add 5 to 10 high-signal terms specific to your business — codenames, M&A activity terms, HR-sensitive topics.

Revisit the auto-learner's Sensitive sites suggestions weekly for the first month, then monthly thereafter.

See also

  • Internal domains — the parallel list for external-vs-internal sharing classification.
  • Custom rules — for more complex tenant-specific patterns.
  • Rule catalog — the built-in rules these lists modify.

Need help? support@smikar.com.
