Skip to main content

Alerts

Alerts are the actionable output of Surface Security. While Events record everything the extension fleet observes, an alert is raised only when something needs a human decision: a suspected phishing page, a reused or breached password, a risky browser extension, a clipboard hijack attempt. Every alert carries a severity, a status, and the evidence needed to triage it.

The Alerts page (Dashboard > Alerts) is the working queue; each row opens a detail page with full evidence and triage actions. Two settings pages control how alerts behave: Alert Severity Settings (per-type severity overrides) and Alert Notifications (email and webhook delivery).

How it works

Detections from the browser extension and server-side analysis are turned into alerts with a default severity per alert type (see the table below). Depending on the matching policy, the triggering action may have been Blocked, Warned, or just Logged — the alert records which. Alerts then move through a simple triage lifecycle:

StatusMeaning
NewNobody has looked at it yet
AcknowledgedAn admin has seen it and taken ownership of follow-up
InvestigatingActively being worked (grouped with acknowledged in filters)
ResolvedClosed with a resolution type of True Positive or Testing
False PositiveClosed as a false positive

Severity communicates urgency: Critical requires immediate action, High needs urgent attention, Medium should be reviewed soon, and Low is for awareness and tracking.

Alert types

These are the alert types Surface Security can raise, with their default severities. Defaults can be changed per type in Alert Severity Settings.

Alert typeDefault severityWhat it means
Phishing SuspectedHighPotential phishing site detected
Phishing Reported by UserHighA user manually reported a site as phishing
AiTM Attack DetectedCriticalAdversary-in-the-Middle proxy attack detected
Cloned Site DetectedHighWebsite clone/copy detected
Visual Clone DetectedCriticalLogin page visually resembles a known legitimate login page
Typosquatting DetectedHighDomain lookalike attack detected
Suspicious RedirectMediumUnusual redirect chain detected
Credential ReuseMediumUser reused credentials on a different site
Pwned PasswordHighPassword found in known breach databases
Credential on Untrusted SiteCriticalKnown corporate credentials entered on an untrusted site
Credential Paste DetectedMediumCredentials pasted from clipboard into a form field
New Auth EndpointLowNew authentication endpoint discovered
Access RequestedLowUser requested access to a restricted resource
Unwhitelisted ExtensionMediumUnapproved browser extension installed
Extension Version ChangeLowBrowser extension updated to a new version
High Risk PermissionsMediumExtension with high-risk permissions detected
High Risk ExtensionHighBrowser extension with an elevated risk score
Stale DeviceLow (escalates over time)Device has not checked in for an extended period
Malicious ClipboardHighClipboard threat detected (crypto clipper, pastejacking)
ClickFix/FileFix AttackCriticalClipboard hijack attack instructing users to run commands
HTML SmugglingHighMalicious download or credential harvesting from a local HTML file
GenAI Data LeakageHighSensitive data pasted into a GenAI tool
Screen Capture DetectedHighScreen sharing or capture activity on a protected page
Web Skimmer DetectedCriticalMalicious script harvesting form/payment data
OAuth Device Code FlowHighSuspicious OAuth device code flow (phishing vector)
OAuth Localhost RedirectHighOAuth flow redirecting to localhost (potential token theft)
Azure CLI AbuseCriticalUnauthorized Azure CLI token acquisition
OAuth Consent GrantHighRisky OAuth app requested delegated permissions
Threat Cluster MatchCriticalPage matches a known phishing campaign cluster
Heuristic AnomalyMediumBehavioral anomaly detected on sensitive URLs

Using the Alerts page

The list shows a severity trend chart, a filter bar, and a paginated, sortable table with columns for Severity, Type, Description, Origin, Threat Intel (VirusTotal and URLScan verdict badges when available), Action (blocked/warned/logged), Time, Status, and Resolution. Use the column toggle in the toolbar to hide columns you do not need. Click any row to open the alert detail page.

Screenshot

[SCREENSHOT PLACEHOLDER: Alerts page showing the filter bar, severity trend chart, and the alerts table with severity and status chips]

Filters (all combinable, and reflected in the URL so filtered views can be bookmarked or shared):

  • Timeframe — Last 24 hours, Last 7 days (default), Last 30 days, Last 90 days, All time, or Custom range with a date picker.
  • Severity — critical, high, medium, low.
  • Status — New, Acknowledged, Investigating, Resolved, False Positive.
  • Action — Blocked, Warned, Logged.
  • Alert Type — expands into a chip list of every alert type; select any combination.

Clear all removes the active filters.

The alert detail page

Opening an alert shows everything known about it, headed by the severity chip, alert type, timestamp, and the triage buttons.

Screenshot

[SCREENSHOT PLACEHOLDER: Alert detail page for a phishing alert showing the summary card, Recommended Actions panel, and triage buttons (Assign, Acknowledge, Resolve)]

Evidence sections

What appears depends on the alert type:

  • Summary card — description, Origin, Top Level Site, Referrer, Action Taken, the affected User (linked to their profile) and Device, and current assignee.
  • Recommended Actions — a collapsible playbook for the alert type. Playbooks are managed centrally; see Recommended Actions.
  • AI Analysis — a generated summary of the alert in context, when available.
  • Page Screenshot — captured at the time of the alert, for phishing-type detections.
  • Credential Reuse Analysis / Phishing Detection Analysis / HTML Smuggling Analysis — type-specific breakdowns of what was detected and why.
  • Clipboard Threat Analysis — threat score (0-100), category, detection signals (for example "Encoded Command", "Fake CAPTCHA Context"), extracted URLs, and a preview of the intercepted content.
  • Related Alerts — other alerts for the same domain within a 3-hour window, so a burst can be handled as one incident.
  • Event Timeline — the chronological sequence of events around the detection.
  • Browsing History Context — recent visits to the domain (last 7 days), collected at alert time.

Triage actions

  • Assign / Reassign — hand the alert to an admin, or use Assign to Me to claim it.
  • Acknowledge — mark the alert as seen and owned.
  • Change Severity — override the severity of this individual alert.
  • Resolve — opens the resolution dialog. Choose False Positive, True Positive, or Testing, add optional notes, and — when several related alerts exist — tick Apply to all related alerts to close them together. For phishing-type alerts a second step offers a policy follow-up: Quick Create Policy (block, warn, or alert on the domain), Add to Existing Policy, open the full policy editor via Advanced, or Skip — No policy needed.
  • Reopen — reopens a resolved alert.
  • Generate Unblock Key — for phishing/blocked-site alerts, generates a one-time key (valid 1 hour) a user can enter on the block page to gain temporary access. Useful when a block turns out to be a false positive but you want the policy left in place.
  • Forward to Surface — when portal forwarding is available, sends the alert to the Surface support portal for assistance.

Settings: Alert Severity

Settings > Alert Severity Settings ("Customize the default severity level for each type of security alert") lists every alert type with its Default severity and a Current Severity dropdown. Changing the dropdown creates an override, marked "(customized)"; Reset removes a single override and Reset All to Defaults clears everything. Changes are staged until you press Save Changes.

Overrides apply to new alerts only — existing alerts keep the severity they were created with. Because severity drives dashboard prominence and notification rules, this is the right lever when a type is too noisy (lower it) or business-critical for you (raise it).

Screenshot

[SCREENSHOT PLACEHOLDER: Alert Severity Settings page showing the alert types table with a customized override highlighted and the Save Changes button]

Settings: Alert Notifications

Settings > Alert Notifications ("Configure email and webhook delivery for security alerts") adds delivery channels on top of the dashboard:

  • Email Notifications — sends email for critical and high-severity alerts via your own SMTP server. Configure SMTP Host, SMTP Port, From Address, TLS Mode (STARTTLS, TLS, or None), SMTP Username, the Recipients list, and set the SMTP password separately. The enable toggle activates only after the configuration is saved; Send Test Email verifies the setup.
  • Webhook Notifications — POSTs a JSON payload with alert details to your Webhook URL. An optional Webhook Secret signs payloads with HMAC-SHA256 (signature sent in the X-Surface-Signature header) so your receiver can verify authenticity. Send Test Webhook verifies the endpoint.

The page also links to Push rules and On-call schedules for iOS push notification configuration. For streaming alerts and events into a SIEM rather than a single webhook, use SIEM integration.

Screenshot

[SCREENSHOT PLACEHOLDER: Alert Notifications page showing the Email Notifications card with SMTP fields and the Webhook Notifications card with the secret configured]

Worked example: triaging a credential alert

An email notification arrives for a Credential on Untrusted Site alert (Critical).

  1. Open the alert from the Alerts page. The summary shows the origin domain, the affected user, and that the action taken was warned — the user saw a warning but proceeded.
  2. The Page Screenshot shows a convincing lookalike login page; Phishing Detection Analysis and the Threat Intel badges corroborate it. Related Alerts shows two more users hit the same domain in the last hour.
  3. Click Assign to Me, then Acknowledge.
  4. After confirming with the user and resetting the exposed credential, click Resolve, choose True Positive, tick Apply to all related alerts, and in the policy step use Quick Create Policy to block the domain outright.
  5. The alert closes with the resolution and the created policy recorded on the detail page.

FAQ

Why did an alert come in as Medium when the table above says High? Check Alert Severity Settings — an override may be in place. Individual alerts can also have had their severity changed manually.

Do severity overrides change existing alerts? No, they apply to new alerts only.

I resolved an alert by mistake. Open it and click Reopen.

Why is the email toggle disabled? Email (and webhook) can only be enabled after a working configuration is saved — configure SMTP or the webhook URL first.