Skip to content
SmiKar Software

Watchlist: Heightened Monitoring of Specific Users

5 min read

The Watchlist is an operator-managed list of specific users you want under elevated scrutiny for a bounded time. The classic use is a departing employee on notice — the single biggest insider-exfiltration window — but it also fits performance-managed staff, privileged accounts (admins, finance, execs), post-incident follow-up, and time-boxed contractor watching.

Two different "watchlists" — do not confuse them. This article is about the operator-managed heightened-monitoring Watchlist (the one you add users to, reached from the main navigation → Watchlist). That is a completely separate thing from the at-risk / top-risk entities panel on the home page, which Burrow computes automatically from risk scores. This page is only about the one you manage by hand.

What "watching" a user actually does

A watched user still generates hundreds of ordinary events a day. Watching them is not an "alert on everything" firehose — it changes how their signals are treated, not how much they are alerted on:

  • Their alerts surface. The noise gates and the corroboration model that would normally quiet a lone behavioural signal are bypassed for a watched user. Their alerts are un-demoted and floored to at least medium so they clear the email threshold. A genuine primary-threat alert (data exfiltration, mass deletion, external share of labelled content) on a watched user with real-time notify is floored to high.
  • You get a daily digest. Once per day, a "here is everything this user did today" activity report — the same AI-written report as the Report button — is emailed to a configurable address.
  • It is time-boxed and audited. Each watch carries a reason, an owner (whoever set it), and an expiry (default 30 days). It auto-expires so the list self-cleans, and every watch / un-watch is written to an append-only audit trail.

Importantly, watching only ever raises attention on the explicit watched set. It cannot suppress anyone, so the effect is contained and safe — and it does not re-inflate genuine benign-shape false positives (an Office-Online document open is still not exfiltration; the daily digest captures that activity anyway).

Watching a user

  1. Open the user in Identities and go to their identity page.
  2. Click Watch in the header.
  3. You are asked for two things:
    • Reason — e.g. "resignation — last day 2026-07-29". This shows on hover and in the audit trail.
    • Digest email — where this user's daily activity report is sent. Leave it blank to use just the standard notification recipients.
  4. A 30-day expiry is set by default.

The header then shows a WATCHED badge (reason on hover) and the button turns amber and reads Watching. Click it again at any time to stop watching.

The management view

Main navigation → Watchlist gives you one screen for everyone under watch:

  • Active table — user (click through to their identity page), reason, who added it, a live expiry countdown, the Digest to email (click to change it), and a Remove button.
  • Expired watches — listed separately. Kept on file as evidence; never auto-deleted.
  • Audit trail — the full watch / un-watch history: when, the action, the user, who did it, and the reason. This answers "who decided to watch whom" and, just as importantly, "did anyone quietly un-watch someone right before they left."

Where the alerts and the digest go

Two separate channels:

  • Individual alerts. Once watching has surfaced a watched user's alert, it emails to your standard notification recipients — the same list as every other alert. Watching makes the alert surface; it does not reroute it.
  • Daily digest. The once-a-day activity report goes to the watch's configured digest email (plus the notification recipients). This is the proactive "what did they do today" report you set up when you started watching.

Expiry and cleanup

The watch auto-expires on its date — no cleanup needed. The expired entry stays on file (in the Expired section) as evidence that the watch existed and when it ended. To end a watch sooner, click Watching on the identity page, or Remove in the management view. Either way the action is written to the audit trail.

Worked example: watch a departing employee

  1. HR flags a resignation with a leaving date. Open that user in Identities → their identity page.
  2. Click Watch. Enter a reason ("resignation — last day 2026-07-29") and the digest email — your own inbox, or a shared SOC / HR address. The 30-day expiry covers the notice period.
  3. From now until it expires: their alerts are surfaced (un-demoted, floored so they email), and a daily "what did they do today" AI report lands in the digest inbox.
  4. Review their activity anytime from their identity page: Report for the AI summary, Logs for the raw CSV evidence. See Identity report and log export.
  5. Manage everyone under watch from main navigation → Watchlist: change a digest email, remove a watch early, or review the audit trail.
  6. The watch auto-expires on its date. To end it sooner, click Watching on the identity page.

See also


Need help? support@smikar.com.

More in Squirrel

See all pages →