Brand Monitor

Watchers and hits

Every field on a watcher and a hit, and how to triage the Detections feed.

Not verified yet

Brand Monitor is two primitives: a watcher (your configuration — what to watch, whom to alert) and a hit (one detection — a certificate whose domain matched, with everything DomainRadar learned about it).

Watcher

FieldDescription
KeywordThe term matched against every CT-logged domain — substring and fuzzy. Min 3 characters, unique per organization.
AllowlistExact domains to ignore — your own domains, partners, known-benign matches.
Notification emailWhere alert emails go; empty = record hits, send nothing.
Minimum notification score0–100 (default 30). Hits below it are recorded but don't email.
AI content checkPer-hit page analysis for impersonation — see the pipeline. Shown as an AI badge in the list.
EnabledThe pause switch. Active matches; Paused keeps config and history but records nothing new.

The Watchers list shows each keyword with its status badges and a compact config summary (min score, notification email, allowlist count). Click a watcher for its detail page: full configuration on the left, its own filterable detections feed on the right, and the Edit / Delete actions.

Hit

FieldDescription
DomainThe matched domain from the certificate.
Keyword / match reasonWhich watcher matched and how — substring or fuzzy.
Score / level0–100 and low/medium/high — how it's computed.
IssuerThe CA that issued the certificate (e.g. Let's Encrypt).
CT logWhich Certificate Transparency log surfaced it.
All domainsEvery domain on the certificate (its SANs) — bulk-phishing campaigns show themselves here.
RegisteredThe domain's registration date, filled in by the automatic enrichment check.
AI verdict (when enabled)Risk level, an impersonation yes/no, the indicators the AI saw, its reasoning, and when the analysis ran.
DetectedWhen the hit was recorded.

Triaging Detections

Brand MonitorDetections is the cross-watcher feed. Narrow it with the search box ("Search domain, keyword, issuer..."), the watcher filter, and the score range filter — score ≥ 70 is the "what actually needs eyes today" view.

Each row expands in place to the full picture: an AI verdict banner ("Brand impersonation likely" on red, "No impersonation detected" on green), the detail grid (score, match, issuer, CT log, registration and detection dates), the AI's indicators and reasoning, and the certificate's other domains. A Detail button opens the hit's own page for sharing a direct link — the same link alert emails point to.

A practical routine:

  1. High-score + impersonation-confirmed hits → act: takedown request to the registrar/host, block the domain in your mail and proxy infrastructure, warn support teams.
  2. Medium scores → skim the AI reasoning and the SAN list; escalate or ignore.
  3. Recurring benign matches → add to the watcher's allowlist so they stop appearing at all.

Behaviour and edge cases

  • Hits are recorded even when no email is sent — below-threshold and paused-watcher periods still show up in Detections… with one exception: a paused watcher records nothing at all while disabled.
  • Duplicate suppression is per certificate (never reprocessed) and per domain+watcher within 24 hours — details.
  • Hits don't expire. They stay until their watcher is deleted — which deletes them with it.
  • Enrichment is automatic and included — the registration date on a hit came from a high-priority full check DomainRadar ran for you.

On this page