
Watch SharePoint. Catch the bad. Skip the noise.
Burrow watches every SharePoint audit event in your tenant, flags what matters, and explains why - using AI that reads each alert, confirms the evidence and writes it up in plain English your team can act on.
Your data, your storage. Burrow writes the historical event store and cold-storage archives to your own Azure storage account. Customers retain ownership of the audit history, always. No data hostage.
Alerts your team can read. Burrow's AI validates every alert against its source evidence, then writes it up in plain English with the key numbers, timestamps and MITRE technique called out. Your SOC acts on a clear narrative in seconds, not a raw audit log.
Speaks SOC standard. Every alert is tagged with the MITRE ATT&CK technique it represents. Drops into your existing SIEM, your incident-response runbook, your compliance evidence pack with no translation needed.
Book a Burrow demo | Read the Burrow docs
Squirrel's security half: archive what's old, watch what's live.
You already know Squirrel as the SharePoint archiver - inactive documents move to your Azure storage, your bill drops, users don't notice. Burrow is the other half of the same product.
Burrow turns Microsoft 365's audit firehose into a small, accurate, MITRE-tagged alert feed your SOC actually reads. Forage gives every analyst, auditor and HR investigator a single search box that answers any "what did user X do?" question in seconds. One platform, one subscription, two capabilities.
Burrow is a SaaS addon to the Squirrel platform. If you're already a Squirrel customer, activating Burrow is a subscription change - no new install, no new infrastructure for your team to provision.
Features: Everything you need to watch a tenant at scale.
Near-real-time SharePoint detection. Burrow watches every audit event your tenant produces - file downloads, deletions, sharing, permission changes, label tampering - and applies 25+ distinct rules to surface what matters as it happens.
Behavioural baselines per user. Burrow learns what's normal for each person's SharePoint activity - their typical hours, file volume, sites accessed, sharing rate - and flags the moment activity drifts. Catches what fixed-threshold rules miss: the contractor who suddenly downloads 50x their usual volume, the user who starts deleting files in sites they haven't touched in months.
Forage: ask any question, get an answer. Cross-entity activity search across every event your tenant has ever recorded. Type a user, a date range, a file pattern - get every matching event in seconds. Answers HR queries, audit requests and "what happened on Tuesday" in one box. No SQL, no audit-log export, no analyst time.

MITRE-tagged alerts. Every Burrow detection is tagged with the MITRE ATT&CK technique it represents (T1486 Data Encrypted for Impact, T1078 Valid Accounts, T1567.002 Exfiltration to Cloud Storage, and the rest). Speaks the same language as Defender, Sentinel, your SIEM, your IR runbook, your compliance evidence pack.
AI that shows its work. Each alert comes with a plain-English "why this matters" paragraph. Burrow's AI reads the underlying evidence, confirms the key numbers, names and timestamps, then writes them up in a clear narrative your team can act on in seconds.
Incident correlation. When five alerts on one user inside thirty minutes look like an attack chain, Burrow groups them into one incident with one AI-written narrative - not five separate emails. Your on-call gets the story, not the noise.
Cold-storage audit. Audit history offloaded to your Azure storage after 14 days. Rehydrate any user's full activity, any month, with one click when an auditor calls. Retention is limited only by how long you want to keep paying object-storage cost - your storage, your retention policy.
Learns what you dismiss. When your team marks an alert as Not real, Burrow notices. After three dismissals of the same (user, category) pair in 14 days, the Suggestions panel proposes an exception you can apply with one click - the alerts stop firing entirely. Opt in to the more aggressive auto-suppress mode and Burrow stops them on its own after the third dismissal. Need to silence something immediately? One-click Suppress and Downgrade buttons on every alert row create the exception without leaving the page. AI-judged 'not real' alerts auto-hide from the Active queue so your team only sees what needs attention.
See it in action.
The Burrow main dashboard groups alerts by severity, by triage status and by entity risk band. The trend chart tracks alert volume over time as your tuning takes effect.

AI you can put in an audit report.
Burrow's AI is built so its alert narratives stand up to compliance review. The detection engine computes the facts first - bytes downloaded, files touched, sites accessed, MITRE technique. The AI reads those facts and writes them up as clear, readable prose. Before any alert leaves the system, a verification step confirms every number, name and timestamp in the narrative matches the source evidence.
The result: AI-written alert narratives your team can read fast and your auditor can quote. Every claim in every alert traces back to a number Burrow can show you on the dashboard.
Read the deep dive on wiki.smikar.com | Book a walkthrough
How Burrow works: Three moving parts. One subscription.
Burrow is a SaaS addon to the Squirrel platform. Activating it adds the detection and Forage search capability to your existing Squirrel subscription. Three steps from consent to alerts.
Step 1: Connect.
One Azure AD app consent grants Burrow read-only access to your SharePoint audit data. No agents on user devices. No changes to your tenant. The historical record stays in your own Azure storage.
Step 2: Tune.
Pick a detection posture - Permissive, Relaxed, Balanced, Strict, Paranoid. One dropdown, every rule auto-configured. Or open the Rules page and tune any individual rule yourself - sensitivity, thresholds, scope. Add entity exceptions for your known service accounts. The system runs from minute one.
Step 3: Use.
Open the dashboard. Read the alerts, investigate via the identity dossier and the Forage activity search, mark dispositions. When you dismiss the same alert pattern 3+ times in two weeks, the Suggestions panel proposes the exception that stops it firing. Apply the suggestion, or opt in to the auto-suppress mode and Burrow applies the pattern itself.
What Burrow catches.
Three scenarios the product is built for, in plain English:
Ransomware in motion. When a compromised account starts encrypting files across many sites at once, Burrow's ransomware-signature rule fires as soon as the encrypt-in-place pattern appears. The alert reaches the email recipients you nominated before the encryption finishes - early enough to isolate the account and restore the affected files from Squirrel's archive.
Audit and HR queries in seconds. When an auditor or HR investigator asks "show me every file user X accessed in the 30 days before they left," Forage answers in seconds. Type the user, set the date range, click Search. CSV downloaded for the audit pack in under a minute - no audit-log export, no Excel pivots, no analyst time.
SOC alert noise. When a noisy environment fires too many alerts to triage, Burrow's Suggestions panel surfaces tuning candidates as patterns emerge - sites that should be marked sensitive, service accounts producing repeat false positives, rules worth recalibrating. One-click apply when you agree. The system adapts to your environment over time.
FAQ: Questions, answered.
Where does my audit history live?
Burrow writes the historical event store and cold-storage archives to your own Azure storage account. Customers retain ownership of the audit history - you can read it, export it, audit it, or migrate it without SmiKar's involvement.
What does deployment look like?
Burrow is operated by SmiKar as part of the Squirrel platform. A one-time Azure AD app consent connects Burrow to your Microsoft 365 tenant. No agents on user devices, no infrastructure for your team to provision, no install.
Will it slow down our SharePoint?
No. Burrow reads from Microsoft's audit data, not from SharePoint itself. Users see and feel nothing. The detection runs in parallel to your tenant. If Burrow stops, SharePoint keeps working.
How much noise should we expect?
Volume depends heavily on tenant size, activity patterns, and posture. The initial weeks generate the most alerts (the system has no baseline yet, exceptions aren't tuned). The Suggestions panel surfaces refinements as patterns emerge. Most teams see substantial reductions through the first month of tuning. We'll publish measured ranges as customer data accumulates.
What about compliance? Audit trail? Evidence quality?
Every admin action in Burrow (rule changes, exception adds, alert dispositions) is logged with timestamp, actor, and before-and-after state. Every suppression decision is journaled. Every AI-written alert has its source evidence preserved on disk for the lifetime of the alert. Alert evidence is admissible - the deterministic rule output is the source of truth, the AI prose is descriptive only.
How are alerts delivered?
Burrow sends email alerts to the addresses you nominate. Configure who receives which severity in the Settings page of the Burrow dashboard. Alerts arrive with the AI-narrated context, the MITRE tag, and a link back into the dashboard for the full evidence chain.
What if we already have Squirrel?
Burrow is a SaaS addon to the Squirrel platform. Activating it adds the detection and Forage search capability to your existing Squirrel subscription. Speak to your SmiKar account contact.
Ready when you are. Email sales@smikar.com.