Alerts
Alerts are the actionable output of Surface Security. While Events record everything the extension fleet observes, an alert is raised only when something needs a human decision: a suspected phishing page, a reused or breached password, a risky browser extension, a clipboard hijack attempt. Every alert carries a severity, a status, and the evidence needed to triage it.
The Alerts page (Dashboard > Alerts) is the working queue; each row opens a detail page with full evidence and triage actions. Two settings pages control how alerts behave: Alert Severity Settings (per-type severity overrides) and Alert Notifications (email and webhook delivery).
How it works
Detections from the browser extension and server-side analysis are turned into alerts with a default severity per alert type (see the table below). Depending on the matching policy, the triggering action may have been Blocked, Warned, or just Logged — the alert records which. Alerts then move through a simple triage lifecycle:
| Status | Meaning |
|---|---|
| New | Nobody has looked at it yet |
| Acknowledged | An admin has seen it and taken ownership of follow-up |
| Investigating | Actively being worked (grouped with acknowledged in filters) |
| Resolved | Closed with a resolution type of True Positive or Testing |
| False Positive | Closed as a false positive |
Severity communicates urgency: Critical requires immediate action, High needs urgent attention, Medium should be reviewed soon, and Low is for awareness and tracking.
Alert types
These are the alert types Surface Security can raise, with their default severities. Defaults can be changed per type in Alert Severity Settings.
| Alert type | Default severity | What it means |
|---|---|---|
| Phishing Suspected | High | Potential phishing site detected |
| Phishing Reported by User | High | A user manually reported a site as phishing |
| AiTM Attack Detected | Critical | Adversary-in-the-Middle proxy attack detected |
| Cloned Site Detected | High | Website clone/copy detected |
| Visual Clone Detected | Critical | Login page visually resembles a known legitimate login page |
| Typosquatting Detected | High | Domain lookalike attack detected |
| Suspicious Redirect | Medium | Unusual redirect chain detected |
| Credential Reuse | Medium | User reused credentials on a different site |
| Pwned Password | High | Password found in known breach databases |
| Credential on Untrusted Site | Critical | Known corporate credentials entered on an untrusted site |
| Credential Paste Detected | Medium | Credentials pasted from clipboard into a form field |
| New Auth Endpoint | Low | New authentication endpoint discovered |
| Access Requested | Low | User requested access to a restricted resource |
| Unwhitelisted Extension | Medium | Unapproved browser extension installed |
| Extension Version Change | Low | Browser extension updated to a new version |
| High Risk Permissions | Medium | Extension with high-risk permissions detected |
| High Risk Extension | High | Browser extension with an elevated risk score |
| Stale Device | Low (escalates over time) | Device has not checked in for an extended period |
| Malicious Clipboard | High | Clipboard threat detected (crypto clipper, pastejacking) |
| ClickFix/FileFix Attack | Critical | Clipboard hijack attack instructing users to run commands |
| HTML Smuggling | High | Malicious download or credential harvesting from a local HTML file |
| GenAI Data Leakage | High | Sensitive data pasted into a GenAI tool |
| Screen Capture Detected | High | Screen sharing or capture activity on a protected page |
| Web Skimmer Detected | Critical | Malicious script harvesting form/payment data |
| OAuth Device Code Flow | High | Suspicious OAuth device code flow (phishing vector) |
| OAuth Localhost Redirect | High | OAuth flow redirecting to localhost (potential token theft) |
| Azure CLI Abuse | Critical | Unauthorized Azure CLI token acquisition |
| OAuth Consent Grant | High | Risky OAuth app requested delegated permissions |
| Threat Cluster Match | Critical | Page matches a known phishing campaign cluster |
| Heuristic Anomaly | Medium | Behavioral anomaly detected on sensitive URLs |
Using the Alerts page
The list shows a severity trend chart, a filter bar, and a paginated, sortable table with columns for Severity, Type, Description, Origin, Threat Intel (VirusTotal and URLScan verdict badges when available), Action (blocked/warned/logged), Time, Status, and Resolution. Use the column toggle in the toolbar to hide columns you do not need. Click any row to open the alert detail page.
[SCREENSHOT PLACEHOLDER: Alerts page showing the filter bar, severity trend chart, and the alerts table with severity and status chips]
Filters (all combinable, and reflected in the URL so filtered views can be bookmarked or shared):
- Timeframe — Last 24 hours, Last 7 days (default), Last 30 days, Last 90 days, All time, or Custom range with a date picker.
- Severity — critical, high, medium, low.
- Status — New, Acknowledged, Investigating, Resolved, False Positive.
- Action — Blocked, Warned, Logged.
- Alert Type — expands into a chip list of every alert type; select any combination.
Clear all removes the active filters.
The alert detail page
Opening an alert shows everything known about it, headed by the severity chip, alert type, timestamp, and the triage buttons.
[SCREENSHOT PLACEHOLDER: Alert detail page for a phishing alert showing the summary card, Recommended Actions panel, and triage buttons (Assign, Acknowledge, Resolve)]
Evidence sections
What appears depends on the alert type:
- Summary card — description, Origin, Top Level Site, Referrer, Action Taken, the affected User (linked to their profile) and Device, and current assignee.
- Recommended Actions — a collapsible playbook for the alert type. Playbooks are managed centrally; see Recommended Actions.
- AI Analysis — a generated summary of the alert in context, when available.
- Page Screenshot — captured at the time of the alert, for phishing-type detections.
- Credential Reuse Analysis / Phishing Detection Analysis / HTML Smuggling Analysis — type-specific breakdowns of what was detected and why.
- Clipboard Threat Analysis — threat score (0-100), category, detection signals (for example "Encoded Command", "Fake CAPTCHA Context"), extracted URLs, and a preview of the intercepted content.
- Related Alerts — other alerts for the same domain within a 3-hour window, so a burst can be handled as one incident.
- Event Timeline — the chronological sequence of events around the detection.
- Browsing History Context — recent visits to the domain (last 7 days), collected at alert time.
Triage actions
- Assign / Reassign — hand the alert to an admin, or use Assign to Me to claim it.
- Acknowledge — mark the alert as seen and owned.
- Change Severity — override the severity of this individual alert.
- Resolve — opens the resolution dialog. Choose False Positive, True Positive, or Testing, add optional notes, and — when several related alerts exist — tick Apply to all related alerts to close them together. For phishing-type alerts a second step offers a policy follow-up: Quick Create Policy (block, warn, or alert on the domain), Add to Existing Policy, open the full policy editor via Advanced, or Skip — No policy needed.
- Reopen — reopens a resolved alert.
- Generate Unblock Key — for phishing/blocked-site alerts, generates a one-time key (valid 1 hour) a user can enter on the block page to gain temporary access. Useful when a block turns out to be a false positive but you want the policy left in place.
- Forward to Surface — when portal forwarding is available, sends the alert to the Surface support portal for assistance.
Settings: Alert Severity
Settings > Alert Severity Settings ("Customize the default severity level for each type of security alert") lists every alert type with its Default severity and a Current Severity dropdown. Changing the dropdown creates an override, marked "(customized)"; Reset removes a single override and Reset All to Defaults clears everything. Changes are staged until you press Save Changes.
Overrides apply to new alerts only — existing alerts keep the severity they were created with. Because severity drives dashboard prominence and notification rules, this is the right lever when a type is too noisy (lower it) or business-critical for you (raise it).
[SCREENSHOT PLACEHOLDER: Alert Severity Settings page showing the alert types table with a customized override highlighted and the Save Changes button]
Settings: Alert Notifications
Settings > Alert Notifications ("Configure email and webhook delivery for security alerts") adds delivery channels on top of the dashboard:
- Email Notifications — sends email for critical and high-severity alerts via your own SMTP server. Configure SMTP Host, SMTP Port, From Address, TLS Mode (STARTTLS, TLS, or None), SMTP Username, the Recipients list, and set the SMTP password separately. The enable toggle activates only after the configuration is saved; Send Test Email verifies the setup.
- Webhook Notifications — POSTs a JSON payload with alert details to your Webhook URL. An optional Webhook Secret signs payloads with HMAC-SHA256 (signature sent in the
X-Surface-Signatureheader) so your receiver can verify authenticity. Send Test Webhook verifies the endpoint.
The page also links to Push rules and On-call schedules for iOS push notification configuration. For streaming alerts and events into a SIEM rather than a single webhook, use SIEM integration.
[SCREENSHOT PLACEHOLDER: Alert Notifications page showing the Email Notifications card with SMTP fields and the Webhook Notifications card with the secret configured]
Worked example: triaging a credential alert
An email notification arrives for a Credential on Untrusted Site alert (Critical).
- Open the alert from the Alerts page. The summary shows the origin domain, the affected user, and that the action taken was warned — the user saw a warning but proceeded.
- The Page Screenshot shows a convincing lookalike login page; Phishing Detection Analysis and the Threat Intel badges corroborate it. Related Alerts shows two more users hit the same domain in the last hour.
- Click Assign to Me, then Acknowledge.
- After confirming with the user and resetting the exposed credential, click Resolve, choose True Positive, tick Apply to all related alerts, and in the policy step use Quick Create Policy to block the domain outright.
- The alert closes with the resolution and the created policy recorded on the detail page.
FAQ
Why did an alert come in as Medium when the table above says High? Check Alert Severity Settings — an override may be in place. Individual alerts can also have had their severity changed manually.
Do severity overrides change existing alerts? No, they apply to new alerts only.
I resolved an alert by mistake. Open it and click Reopen.
Why is the email toggle disabled? Email (and webhook) can only be enabled after a working configuration is saved — configure SMTP or the webhook URL first.