Search
Surface Security has two search experiences, built for two different jobs. The navigation search bar in the top bar is a quick page finder: type a few letters and jump straight to any dashboard or settings page. The Search page (/dashboard/search) is the data search: one query box that looks across users, devices, browser extensions, endpoints, alerts, and detected technologies in your tenant at the same time.
Use the navigation bar when you know where you want to go; use the Search page when you know what you are looking for.
The navigation search bar
The search box in the top bar (placeholder: Search pages...) finds pages, not data. It matches page names and common synonyms — typing "scim" finds Directory Sync, "splunk" finds Log Forwarding & SIEM, "otp" finds Verification — so you never have to remember which section a setting lives under.
Results appear as you type, grouped into Pages and Settings. Keyboard controls:
| Key | Action |
|---|---|
| Arrow Down / Arrow Up | Move through results (wraps around) |
| Enter | Open the highlighted page |
| Escape | Clear the query and close the results |
The list includes an Advanced Search entry — selecting it opens the full Search page described below.
[SCREENSHOT PLACEHOLDER: The top bar navigation search with a partial query typed, showing the results dropdown grouped under "Pages" and "Settings" headings with one entry highlighted]
The Search page
Open the Search page from the navigation search bar (Advanced Search) or directly at /dashboard/search. Type at least 2 characters into the search box (placeholder: Search for users, extensions, devices, domains...) and results update as you type — there is no search button to press.
[SCREENSHOT PLACEHOLDER: The Search page with a query entered, showing the Export CSV and Search Help buttons, the filter row, and result sections for Extensions, Users, and Alerts]
What is searchable
Results are grouped into sections, and each section shows the top matches (up to 10 per category). Most results link directly to the matching record:
| Section | What is matched | Where a result takes you |
|---|---|---|
| Extensions | Browser extensions installed across your fleet — name and extension ID, with install and user counts and Whitelisted/Unknown status | The extension's detail page |
| Devices | Enrolled browsers — the owning user, browser and OS type, extension version, last-seen time, and status | The device's detail page |
| Users | Monitored employees — name, email, department | The user's detail page |
| Endpoints | Sites your users interact with — both authentication endpoints (tagged with the identity provider type, login and user counts) and general attack-surface sites (tagged Surface, with visit and user counts) | The endpoint's detail page in Credentials or Attack Surface |
| Alerts | Security alerts — type, description, origin, time, and severity badge | The alert's detail page (see Alerts) |
| Technologies | Technologies fingerprinted on endpoints (frameworks, servers) with a version guess, endpoint count, and detection confidence | Shown inline (no detail page) |
Query syntax
By default a query searches every category. To scope a search to a single category, start the query with a prefix — click Search Help on the page for the built-in reference:
| Prefix | Example | Searches |
|---|---|---|
ext: | ext:uBlock | Extensions only |
user: | user:john@ | Users only |
device: | device:Chrome | Devices only |
endpoint: | endpoint:example.com | Endpoints only |
tech: | tech:React | Technologies only |
alert: | alert:phishing | Alerts only |
The search term after the prefix must still be at least 2 characters. Matching is partial — user:john@ finds every user whose name or email contains "john@".
Filters
Below the search box, a row of filter dropdowns narrows results without changing the query: Extensions, Users, Devices, Alert Types, Severity (Critical, High, Medium, Low), Technologies, and Groups. Each dropdown is itself searchable, so you can find the right filter value quickly. Filtering by a group narrows results to that group's members. Clear all removes every active filter at once.
Filters are applied server-side, and both the query and the active filters are reflected in the page URL — copy the address bar to share an exact search with a colleague or bookmark a recurring investigation.
[SCREENSHOT PLACEHOLDER: The filter row with the Severity dropdown open showing Critical/High/Medium/Low options, and two other filters active with the "Clear all" link visible]
Exporting results
Export CSV downloads the current results — query and filters included — as a dated CSV file (for example search-export-2026-07-08.csv). The button is disabled until a search has produced results. Use exports to hand findings to another team or attach evidence to a ticket.
Worked example: scoping a risky extension
Suppose a security bulletin names a browser extension as malicious.
- Open the Search page and type
ext:followed by the extension's name. The Extensions section shows the match with its install count, user count, and whether it is whitelisted. - Click the result to open its detail page and review which users and devices have it installed.
- Back on Search, clear the prefix and search a broader term, then use the Users or Groups filter to check whether affected users cluster in one department.
- Click Export CSV to capture the result set for the incident record.
Total time: a couple of minutes, without visiting the Extensions, Users, and Devices pages separately.
Search backend
Depending on how your deployment is sized, search runs on either the built-in PostgreSQL engine or a dedicated OpenSearch cluster — see Environment Variables for sizing guidance; the Search page behaves identically on both.
Troubleshooting and FAQ
Nothing happens when I type.
Searches need at least 2 characters. With a prefix, the term after the prefix must also be at least 2 characters — ext:u will not run, ext:uB will.
I know a record exists but it is not in the results. Each category shows the top 10 matches. If the record is being crowded out, make the query more specific, scope it with a prefix, or apply filters — filtered searches consider a much larger candidate set before returning the top matches. For a complete list, use Export CSV.
"No results found ... with the selected filters." Your query matched records, but the active filters excluded all of them. Click Clear all in the filter row and re-check.
Export CSV is greyed out. The button enables only when the current search has results on screen. Run a search first.
Why doesn't the top-bar search find my users or alerts? The navigation search bar only finds pages. For data — users, devices, alerts, endpoints — use the Search page (select Advanced Search from its results).