ShadowMap Docs

Appearance

Universal Search

Universal Search is the command palette that lets you jump to any page in ShadowMap and look up a specific asset or finding — an IP, hostname, URL, or numeric ID — across multiple modules at once, without first navigating to each module and building a filter by hand.

Overview

Universal Search

The command palette is launched from the top navigation bar of any module — here, the Alerts page.

Open the palette from the Search pages, data... box in the top navigation bar, or with the keyboard shortcut Ctrl + Shift + F from anywhere in the app. It overlays the current page as a centered modal with a single input and three result sections:

  • Recent Searches — the last five pages you navigated to from the palette (shown only when the input is empty).
  • Pages & Features — instant, client-side matches against every navigable page you have permission to see.
  • Data Results — server-side matches for your search term, grouped by module, each with a status and risk breakdown.

The palette is not a module page and has no URL of its own — it is a global overlay available on every screen.

How it works

Universal Search runs two independent searches in parallel from the same input, because they answer two different questions:

  1. "Where is the page I want?" — handled instantly on your device.
  2. "Where does this asset or finding appear in my data?" — handled by the backend.

Page & feature search (instant, client-side)

As you type, ShadowMap filters the list of routes it built from your navigation menu. A page matches if your term appears in its title, its path, its section name, or its internal analytics label. Matching is a simple case-insensitive substring test — there is no fuzzy matching, so "open ports" matches but "oprts" does not. This list is scoped to your permissions: pages you cannot access are never built into the searchable set, so they never appear as results.

Selecting a page result navigates you there immediately and records it in Recent Searches (stored locally in your browser, capped at the five most recent, most-recent first).

Data search (debounced, server-side)

Data Results query your live findings. To avoid firing a request on every keystroke, the palette waits 500 ms after you stop typing before sending one POST /universal-search request with your term. If you keep typing, the previous in-flight request is cancelled so a slow older response can never overwrite fresher results. A spinner next to the Data Results heading indicates a search is in progress.

Input type detection

The backend does not search every field for every term. It first classifies your input into one search type, then searches only the fields and modules that make sense for that type. Detection runs in this priority order:

If the input…Detected typeExample
Is all digitsid48213
Is a valid IPv4/IPv6 addressip203.0.113.7
Starts with http:// or https://, or looks like host/pathurlhttps://app.example.com/login
Contains /, ?, &, =, or a file extensionpath/wp-admin/
Looks like a bare domain (label with a dot and a valid TLD)domainexample.com
Anything elsetitleapache struts

This is why the same box behaves differently depending on what you paste: a number is treated as a finding ID and matched exactly, an IP is matched against IP columns, and free text falls through to a title/keyword search.

Hostname vs. domain matching

For domain/host/url types, host-based modules match the exact host you typed and any subdomain of it (a host LIKE '%.term' plus exact-match pattern). Searching example.com therefore surfaces example.com, app.example.com, and mail.example.com together in modules that store full hostnames.

Which modules are searched

A single data search fans out across up to eight result groups. Each is gated by the same read permission as its module — if you cannot read the module, it is silently skipped and never appears in results. Each module also only participates for the search types that apply to it:

Result groupMatches onActive for search types
Alertsid, IP, host, path, titleid, ip, host/domain, path, url, title
Applications (Web Applications)id, IP, host, path, titleid, ip, host/domain, path, url, title
Phishing URLsid, IP, URL, domainid, ip, url, domain/host, plus a URL-substring fallback
Domain Squattingsid, name (domain)id, url (host extracted), plus a name-substring fallback
Asset Inventory — Domainsexact domain name (online domains only)domain/host/url
Asset Inventory — Subdomainssubdomain (exact or as a parent)domain/host/url
Asset Inventory — IP Addressesexact IPip
Asset Inventory — Internal Hostsexact hostdomain/host/url

Counts, not rows

Data Results return aggregated counts, not the individual records. Each group shows a total item count and a breakdown by status, risk, or metric. To see the underlying records, click into the group (see Acting on results). This keeps the palette fast even when a search matches thousands of findings.

Tenant isolation and safe matching

Every data query is scoped to your company (company_id / customer_id), so Universal Search can never surface another tenant's assets. SQL LIKE wildcards (% and _) in your term are escaped before querying, so a term that happens to contain those characters matches literally instead of matching everything.

Understanding the results

Pages & Features

Each page result shows its icon, title, and the section it belongs to (for example, Open Ports under Attack Surface). Selecting it navigates you there.

Data Results

Each module group shows a header with the module name and a total item count, followed by colored tags describing the breakdown. What the tags mean depends on the module:

Breakdown typeWhere it appearsTags you'll see
RiskAlerts, ApplicationsHigh, Medium, Low, Informational
StatusAlerts, ApplicationsNew, Open, Closed, Reopened, To Be Closed, Accepted Risk, etc.
Live statusPhishing URLs, Domain SquattingOnline / Offline (live)
Response statusPhishing URLs, Domain SquattingActive, Reviewed, Monitoring (Phishing URLs adds Accepted)
MetricAsset Inventory groupsCounts of Applications, Alerts, Subdomains, IPs, SSLs, Internal Hosts
OrganizationAsset Inventory — DomainsPer-organization domain counts

Groups with a total of zero are omitted, so you only ever see modules that actually contain matches.

Acting on results

  • Select a page result (click, or arrow-key to it and press Enter) — navigates to that page in the current tab.
  • Click a Data Results module header — opens that module's list in a new browser tab, pre-filtered to your search term.

The deep link the palette builds depends on the search type and module:

  • A numeric ID opens the single record's detail page directly (for example, an Alert, Application, Phishing URL, or Domain Squatting detail view).
  • For everything else, the palette constructs a module filter from your term and applies it as a query in the destination page's filter bar — for instance, an IP search into Alerts opens Alerts filtered to ip = "<your IP>", and a host search into Web Applications opens the Applications list filtered to that host and its subdomains.
  • Phishing and Domain Squatting links route to the module's All tab so that closed, accepted, or offline items are not hidden by a default review tab.

Because results open in a new tab, the palette stays open and you can click through several modules in sequence without losing your search.

Keyboard shortcuts

ActionKeys
Open Universal SearchCtrl + Shift + F
Move between page results↑ / ↓
Open the highlighted page resultEnter
Clear the inputClick the in the search box
Close the paletteEsc

See Keyboard Shortcuts for the full list of app-wide shortcuts.

Common questions

Why don't I see any Data Results, only Pages & Features? Three common reasons: (1) the term genuinely has no matches in your tenant; (2) your input was classified as a type the matching modules don't support (for example, free-text title does not search the Asset Inventory groups, which require an IP, host, or domain); or (3) you lack read permission on every module that would otherwise match. The palette silently skips modules you can't read.

I pasted a full URL with https:// and a path — what gets matched? The URL is split into a host and a path. Host-based modules (Alerts, Applications, Asset Inventory) match the host and its subdomains; if a meaningful path is present, Alerts and Applications additionally require an exact path match. Phishing URLs match the URL with the scheme stripped, so it works whether the stored record used http:// or https://.

Are Data Results live, or a count of everything ever found? They reflect the current state of your data, scoped to your company, at the moment you search. The numbers shown are counts grouped by status/risk — click into a module to see and work the actual records.

Why does searching a number behave differently from searching a hostname? A purely numeric term is treated as a finding ID and matched exactly against record IDs, so clicking through takes you straight to that record's detail page. A hostname is treated as a domain/host and matched against host columns across multiple modules. The box adapts to what you type.

Does Universal Search find Dark Web, Data Leaks, or Threat Intelligence records? No. Data search currently spans Alerts, Web Applications, Phishing URLs, Domain Squatting, and the four Asset Inventory groups. For other modules, use the Pages & Features results to jump to the module, then use that module's own filters. Note that every module page also has its own in-page search and filter bar.

Can I save a Universal Search? The palette itself doesn't save searches, but when you click through to a module the filtered URL is a normal module view that you can save. See Saved Searches.

ShadowMap - External Attack Surface Management

Copyright (c) Security Brigade