Getting Started - Monids Documentation

Learn how to use Monids to protect your brand from phishing and domain impersonation.

Getting Started

Monids helps you discover newly registered domains that may be used for phishing or brand impersonation. The platform monitors domain registrations across 1,570+ TLDs and provides enrichment data to help security teams identify and respond to threats.

Searching Domains

Use the Domain Search function to explore the domain database.

Enter a keyword (minimum 3 characters) and use Boolean operators for advanced searches:

  • google AND login - Find domains with both terms
  • paypal OR bank - Find domains with either term

View enriched results with DNS, WHOIS, and registrar information. Copy domains or visit them directly from search results.

Search results include domain name with copy-to-clipboard, registrar name, nameservers, abuse contact information, and direct link to visit domain.

Creating Your First Alert

Navigate to User Alerts to set up monitoring.

Basic Configuration

URL Keyword (required, min 3 characters)

Enter the primary keyword to monitor. System validates in real-time and shows estimated match count. Example: paypal, microsoft, yourcompany

Match Type (required)

  • Full Match: Exact keyword match in domain name
  • Fuzzy Match: Includes character variations and typosquatting. Detects paypa1 (l to 1), micros0ft (o to 0), g00gle (o to 0). Important: Fuzzy match excludes exact matches - create separate Full Match alert if needed.

Advanced Options

Additional URL Keywords (optional)

Space-separated keywords that must ALL appear in the URL. Example: Keyword pig + Additional pen matches pigpen.com. Useful for reducing false positives.

On-Page Keyword (optional)

Keyword that must be found in the page content. All conditions (URL + on-page) must be met for alert to trigger. Example: Monitor bank domains that also mention login on page.

Live Preview

As you configure your alert, the preview panel shows an example domain with your keywords highlighted, trigger conditions explained, and character substitution examples for fuzzy matches.

Creating the Alert

  1. Review the preview and estimated match count
  2. Click "Create Alert"
  3. Alert appears in your list with clickable keyword, match type indicator, additional/on-page keyword displays, and quick access to events

Dashboard

Your Dashboard provides:

Statistics

  • Total Alerts: Count of all your alerts
  • Active Alerts: Currently monitoring alerts
  • Recent Events: Triggered alerts count

Quick Actions

  • View your 5 most recent alerts
  • Navigate to Manage Alerts
  • Access Domain Search
  • Review alert events

Alert Events

When a domain matches your alert criteria, an Alert Event is created.

Core Information

  • Domain name (clickable for full WHOIS)
  • Trigger date and time
  • Matched keyword
  • Match type
  • Notification status

Enrichment Data

HTTP Status: Color-coded status checks. Green (200-299) Success, Blue (300-399) Redirect, Yellow (400-499) Client error, Red (500+) Server error.

Screenshot: Visual capture of the domain (100x60 thumbnail, expandable).

DNS Records: A, AAAA, NS, MX, TXT, CNAME records.

WHOIS Information: Registrar, registration date, nameservers, abuse contacts.

Filtering Events

Basic Filters

  • Filter by keyword
  • Filter by trigger date

Advanced Filters

  • A Record (IPv4 address)
  • Nameserver
  • MX Record (mail server)
  • TXT Record
  • Registrar name
  • Registration date range

Click the + icon next to any DNS record to instantly filter by that value.

Watchlist

Add suspicious domains to your Watchlist for ongoing monitoring.

Adding Domains

  • Click "Add to Watchlist" from any alert event
  • Provide a reason for monitoring
  • System takes daily snapshots to track changes

What's Monitored

  • HTTP/HTTPS status codes
  • DNS record changes
  • Registrar changes
  • Nameserver updates
  • SSL certificate changes

Viewing Watchlist

Each entry shows domain name, HTTP status (color-coded), registrar, date added, your monitoring reason, and quick removal option.

Screenshot Feature

Screenshots help you quickly assess domain threats.

Quotas and Limits

100 screenshots per alert check

If alert matches 150 domains, only first 100 get screenshots.

1000 screenshots per month total

Check remaining quota in Preferences. Counter resets monthly.

Viewing Screenshots

Thumbnail in event list (100x60px). Click to view full-size in modal. "No screenshot" shown if capture failed.

Notification Preferences

Configure how you receive alerts in Preferences.

Email Notifications

  • Enable/disable toggle
  • Set destination email
  • Send test alert to verify

Slack Integration

  • Enable/disable toggle
  • Enter Slack webhook URL
  • Receive formatted alerts in Slack channel

HEC/SIEM Integration

  • Enable/disable toggle
  • Configure HEC endpoint URL
  • Provide HEC token
  • Optional TLS verification skip

API Access

  • Generate API token for programmatic access
  • Use for custom integrations
  • See REST API documentation for details

Domain Extensions Coverage

Monids monitors 1,570+ domain extensions (TLDs) including generic TLDs (.com, .org, .net, .info, .biz), country codes (.uk, .de, .fr, .ca, .au), new gTLDs (.cloud, .tech, .io, .app, .dev), and government/education (.gov, .edu, .mil).

When new domain extensions are introduced, they are typically added within a few days.

Next Steps

×