SmiKar Software

Quick Tour of the Burrow Dashboard

6 min read

The Burrow dashboard groups its features into 16 pages reached from the left navigation. This tour walks through each one briefly so you know where to look the next time a question comes up.

Burrow (home page)

The SOC overview. Three KPI donuts side by side:

  • Severity breakdown — critical / high / medium / low alert counts in the current lookback window.
  • Disposition breakdown — open, acknowledged, investigating, dismissed.
  • Risk-band donut — how many identities sit in each risk band.

Below the donuts, a Trend chart shows daily alert counts, severity-stacked, over the last 7, 30, or 90 days. A Top items card switches between four tabs: Top entities, At-risk entities, Top categories, Top MITRE.

Clicking any donut slice or top-item row navigates to the Alerts page pre-filtered to that selection.

Alerts

The day-to-day SOC list. Every detection in the current lookback window, filterable by severity band, category, whether it already has a disposition, entity, or time range. A "+ AI-dismissed" chip on the severity row lets you bypass the auto-filter for spot audits; it is off by default.

Status filter tabs at the top of the list: All / Active / Open / Acknowledged / Investigating / Escalated / Resolved / Dismissed. The default is Active = "needs my attention right now". Active excludes alerts you have explicitly Resolved or Dismissed AND alerts the Triage AI judged not real — unless you have overridden the AI with Acknowledged / Investigating / Escalated (operator override always wins).

AI-dismissed alerts are not lost. They appear under the Dismissed tab alongside operator-dismissed ones. The visual difference: operator-dismissed rows show "Dismissed" in the inline status select; AI-dismissed rows show an empty status select plus the AI · NO verdict badge.
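The tab semantics above are precise enough to write down as a filter. The following is an added illustration, not Burrow's own code: it models an alert with an operator-set status and a Triage AI verdict, and implements the Active, Dismissed and Open tabs exactly as described (closed alerts and AI-dismissed alerts leave Active; an Acknowledged / Investigating / Escalated override wins over an AI "NO"; AI-dismissed rows land under Dismissed with an empty status select and the AI · NO badge). The `Alert` fields, the `"YES"`/`"NO"` verdict strings and the rule that AI-dismissed rows do not also appear under Open are assumptions made for the example; the alert rows are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Dispositions named on the Alerts page. "open" stands in for the empty status select
# (the operator has not touched the row). These string values are assumptions.
OPEN, ACKNOWLEDGED, INVESTIGATING, ESCALATED, RESOLVED, DISMISSED = (
    "open", "acknowledged", "investigating", "escalated", "resolved", "dismissed",
)
OPERATOR_OVERRIDES = {ACKNOWLEDGED, INVESTIGATING, ESCALATED}  # beat an AI "NO"
CLOSED = {RESOLVED, DISMISSED}                                 # never in Active
TABS = ["All", "Active", "Open", "Acknowledged", "Investigating",
        "Escalated", "Resolved", "Dismissed"]


@dataclass
class Alert:
    id: str
    severity: str
    status: str = OPEN               # operator-set disposition
    ai_verdict: Optional[str] = None  # "YES" (real), "NO" (not real) or None (not judged); assumed encoding


def is_ai_dismissed(a: Alert) -> bool:
    """Triage AI judged the alert not real and the operator never set a disposition."""
    return a.ai_verdict == "NO" and a.status == OPEN


def in_tab(a: Alert, tab: str, include_ai_dismissed: bool = False) -> bool:
    """Membership test for one status tab; include_ai_dismissed models the '+ AI-dismissed' chip."""
    if tab == "All":
        return True
    if tab == "Active":  # "needs my attention right now"
        if a.status in CLOSED:
            return False
        return include_ai_dismissed or not is_ai_dismissed(a)
    if tab == "Dismissed":  # operator-dismissed and AI-dismissed side by side
        return a.status == DISMISSED or is_ai_dismissed(a)
    if tab == "Open":  # assumption: AI-dismissed rows are shown under Dismissed, not here
        return a.status == OPEN and not is_ai_dismissed(a)
    return a.status == tab.lower()


def tab_contents(alerts: List[Alert], include_ai_dismissed: bool = False) -> Dict[str, List[str]]:
    """Alert ids per tab, in list order."""
    return {t: [a.id for a in alerts if in_tab(a, t, include_ai_dismissed)] for t in TABS}


def row_status(a: Alert) -> Tuple[str, Optional[str]]:
    """(inline status select text, verdict badge) as rendered on a row."""
    if is_ai_dismissed(a):
        return ("", "AI · NO")          # empty select plus badge
    select = "" if a.status == OPEN else a.status.capitalize()
    badge = f"AI · {a.ai_verdict}" if a.ai_verdict else None
    return (select, badge)


# Constructed sample rows, not real Burrow output.
SAMPLE = [
    Alert("a1", "high", OPEN, "YES"),            # real, untouched -> Active, Open
    Alert("a2", "medium", OPEN, "NO"),           # AI-dismissed -> Dismissed only
    Alert("a3", "critical", INVESTIGATING, "NO"),  # operator override wins over AI NO
    Alert("a4", "low", DISMISSED, "YES"),        # operator-dismissed
    Alert("a5", "high", RESOLVED),               # resolved, not in Active
    Alert("a6", "medium", ACKNOWLEDGED),         # acknowledged -> Active
]

if __name__ == "__main__":
    for tab, ids in tab_contents(SAMPLE).items():
        print(f"{tab:14} {ids}")
    print("with chip, Active:", tab_contents(SAMPLE, include_ai_dismissed=True)["Active"])
    for a in SAMPLE:
        print(a.id, row_status(a))
```

Running it shows the point of the override rule: `a3` has an AI "NO" verdict but stays in Active because an analyst set it to Investigating, while `a2` drops out of Active and surfaces only under Dismissed with the AI · NO badge.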

Per-row icons on every row: inline status select, link-to-case, Suppress pair (creates an entity exception silencing future alerts of this user + category), Downgrade pair (future alerts of this pair drop one severity tier). See Suppress and Downgrade pair actions for details.

A bulk-action bar appears when rows are selected. Click any row to open the right-side drill drawer with full evidence, the AI "why this matters" narrative, and a per-alert Chat panel for free-form questions.

Identities, Identity dossier, and the entity drill drawer

The Identities page lists every entity Burrow has tracked, ranked by a decayed risk score. Filterable by risk band and humans / apps; full-text search; explicit Search button (no type-as-you-go).

Clicking a row opens the full-page Identity dossier with three tabs:

  • Profile — AI summary of the user's typical behaviour, stat cards, activity-by-hour histogram, behavioural baseline, top apps / geos / user agents, and an alert summary.
  • Events — the user's raw event timeline (the same data Forage queries, scoped to this user).
  • Chat — free-form Q&A with the AI about this entity. Persisted between sessions so the next SOC shift sees prior conversations.

The same dossier also opens as a narrower right-side drawer when you click an entity from the Alerts page, Forage results, or the home page Top items card — handy for triage without losing your place on the list.

Forage

Cross-entity activity search. Type a user, a site, a date range, optionally an op class or a label, and Forage returns the matching audit events. Three aggregate cards above the table (Top users, Top ops, Top sites). CSV export for HR and legal hand-off.

A Cold Storage panel at the top of the page lists audit data offloaded to your Azure Blob storage. Pick an entity and a month range, click Rehydrate, and once the job is READY you can search those months with one click.

Investigations and Investigation detail

The Investigations page (labelled Cases in the left navigation) lists clusters of related alerts on the same entity within a short window. Each cluster is auto-narrated by AI as an attack-chain summary, replacing what would otherwise be multiple raw alert emails.

Clicking a cluster opens the Investigation detail page — header with status (Acknowledged, Investigating, Resolved, Dismissed) and assignee, the AI attack-chain narrative, a chronological timeline of constituent alerts, and an append-only notes area for analyst commentary.

Rules

Where you tune the detection engine. Sections:

  • Detection posture — single dropdown (Permissive, Relaxed, Balanced, Strict, Paranoid). Sets the noise-and-sensitivity baseline for every rule at once.
  • Suggestions panel at the top — Burrow proposes specific tuning changes based on your disposition history.
  • Disabled rules — globally turn a rule off. Heavier than an exception; use sparingly.
  • Per-rule overrides — for any specific rule, set custom thresholds that win over the posture preset.
  • Custom rules — operator-defined rules for tenant-specific patterns.

Exceptions

Where you silence noise from known service accounts and other expected-noisy entities. Each entry is a user pattern (with wildcard support) plus a category, an action (suppress or downgrade), and a reason text.
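Exception entries and the per-row Suppress pair / Downgrade pair actions on the Alerts page describe the same mechanism, so the following added example (not Burrow's own code) implements both: an entry is a wildcard user pattern plus a category, an action and a reason; `pair_exception` builds the exact-match entry a pair button would create; `apply_exceptions` drops suppressed alerts into a journal with their reason and lowers downgraded ones by one severity tier. The field names, the use of shell-style `*`/`?` wildcards for the pattern, the four-tier severity ladder, the rule that several matching downgrade entries still only drop one tier, and the journal shape are assumptions; the alerts and entries are constructed sample data.

```python
import fnmatch
from dataclasses import dataclass, replace
from typing import List, Tuple

SEVERITY_TIERS = ["critical", "high", "medium", "low"]  # assumed ladder; low is the floor


@dataclass(frozen=True)
class EntityException:
    user_pattern: str   # wildcard pattern, e.g. "svc-backup@*" (shell-style, assumed)
    category: str       # alert category the entry applies to
    action: str         # "suppress" or "downgrade"
    reason: str


@dataclass
class Alert:
    id: str
    user: str
    category: str
    severity: str


def pair_exception(alert: Alert, action: str, reason: str = "operator pair action") -> EntityException:
    """What the per-row Suppress pair / Downgrade pair buttons create: this user + this category."""
    assert action in ("suppress", "downgrade")
    return EntityException(alert.user, alert.category, action, reason)


def matches(exc: EntityException, alert: Alert) -> bool:
    """Category must match exactly; the user pattern is matched case-insensitively with wildcards."""
    return exc.category == alert.category and fnmatch.fnmatchcase(
        alert.user.lower(), exc.user_pattern.lower())


def downgrade(severity: str) -> str:
    """One tier lower, clamped at the bottom of the ladder."""
    i = SEVERITY_TIERS.index(severity)
    return SEVERITY_TIERS[min(i + 1, len(SEVERITY_TIERS) - 1)]


def apply_exceptions(alerts: List[Alert], exceptions: List[EntityException]
                     ) -> Tuple[List[Alert], List[Tuple[str, str, str]]]:
    """Return (alerts still to raise, journal of (alert id, action, reason)).

    Suppress wins over downgrade when both match; a downgrade drops exactly one tier
    however many downgrade entries match (assumption made for this example).
    """
    kept: List[Alert] = []
    journal: List[Tuple[str, str, str]] = []
    for a in alerts:
        hits = [e for e in exceptions if matches(e, a)]
        suppress = next((e for e in hits if e.action == "suppress"), None)
        if suppress is not None:
            journal.append((a.id, "suppress", suppress.reason))
            continue
        lower = next((e for e in hits if e.action == "downgrade"), None)
        if lower is not None:
            a = replace(a, severity=downgrade(a.severity))
            journal.append((a.id, "downgrade", lower.reason))
        kept.append(a)
    return kept, journal


# Constructed sample data.
EXCEPTIONS = [
    EntityException("svc-backup@*", "mass_download", "suppress", "scheduled backup job"),
    EntityException("scanner-??@example.com", "login_anomaly", "downgrade", "vulnerability scanner rotates IPs"),
]
ALERTS = [
    Alert("x1", "svc-backup@example.com", "mass_download", "high"),    # suppressed
    Alert("x2", "svc-backup@example.com", "login_anomaly", "medium"),  # category differs: untouched
    Alert("x3", "scanner-01@example.com", "login_anomaly", "critical"),  # critical -> high
    Alert("x4", "alice@example.com", "mass_download", "high"),         # no match
    Alert("x5", "SCANNER-02@example.com", "login_anomaly", "low"),     # already at floor
]

if __name__ == "__main__":
    kept, journal = apply_exceptions(ALERTS, EXCEPTIONS)
    for a in kept:
        print("raise", a.id, a.user, a.category, a.severity)
    for entry in journal:
        print("journal", entry)
    print(pair_exception(ALERTS[3], "downgrade"))
```

The journal is the part worth keeping: an exception that silently eats alerts with no record of why is a blind spot, whereas a reason attached to every suppressed or downgraded alert is what lets a later reviewer audit the tuning rather than trust it.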

Sensitive sites, Sensitive labels, and Internal domains

Three short pages that tell Burrow which content to treat specially:

  • Sensitive sites — SharePoint URL patterns whose activity bumps alert severity. Includes a learner-suggested list awaiting your approval.
  • Sensitive labels — Microsoft Information Protection label rules.
  • Internal domains — the email-domain list Burrow treats as "your organisation" for internal-vs-external classification. Auto-learned, with manual override and exclude.

Briefing, History, and Rule replay

  • Briefing — the weekly executive briefing rendered in-app and emailed every Monday.
  • History — every admin action on the dashboard, with before / after diffs and the analyst's identity attached.
  • Rule replay — re-run a rule over historical data with new thresholds to preview the effect before committing.

Settings

Tabbed configuration page:

  • Notifications — email recipients, minimum severity, rules mode, weekly briefing toggle, test-send button.
  • Tenant — display name shown in email subjects.
  • Suppression journal viewer — paginated view of every alert Burrow chose not to email, with the reason for each. Filterable by reason.
  • Diagnostic — system status and cold-storage health.

Where to go next


Need help? support@smikar.com.
