Interfaces - Monids Documentation

Learn how to use Monids to protect your brand from phishing and domain impersonation.

Interfaces and Enrichment

Monids provides threat intelligence enrichment for every domain match, along with notification integrations to deliver alerts where you need them.

Enrichment Data

Every domain that matches your alert criteria is automatically enriched with comprehensive threat intelligence data.

DNS Records

All DNS record types are displayed for matched domains.

A Records (IPv4 Addresses)

  • Primary IP address(es) where domain resolves
  • Identify shared infrastructure
  • Track IP reputation and geolocation
  • Click + icon to filter other domains on same IP

AAAA Records (IPv6 Addresses)

  • IPv6 addresses if configured

NS Records (Nameservers)

  • Authoritative nameservers for the domain
  • Identifies hosting provider or DNS service
  • Common nameservers indicate bulk registrations
  • Click + icon to find domains with same nameservers

MX Records (Mail Servers)

  • Email server configurations with priority
  • Indicates if domain can send email
  • Click + icon to find domains with same mail server

TXT Records

  • SPF records (email sender authorization)
  • DKIM records (email authentication)
  • DMARC policies (email validation)
  • Domain verification records
  • Click + icon to filter by TXT content

CNAME Records

  • Domain aliases and redirects
  • CDN configurations

Interactive DNS Filtering

Each DNS record includes a + icon for instant filtering:

  1. Click + icon next to any DNS value
  2. Value automatically populates advanced filters
  3. Filter applied to show all domains with that value
  4. Discover infrastructure patterns instantly

WHOIS Information

Complete WHOIS data is retrieved and displayed for every matched domain.

Registrar Name

  • Company that registered the domain
  • Filter by registrar to find patterns
  • Useful for bulk abuse reporting

Registration Date

  • When domain was first registered
  • Newly registered domains are higher risk
  • Filter by date range for campaigns

Nameservers

  • Authority servers for the domain
  • Cross-reference with DNS data

Abuse Contact Email

  • Official email for reporting abuse
  • Direct contact for takedown requests
  • Copy-to-clipboard for easy reporting

Abuse Contact Phone

  • Phone number for abuse reports
  • Additional reporting channel

WHOIS Filtering

Use WHOIS data in advanced filters:

  • Registrar Filter: Find all domains from specific registrar
  • Registration Date Range: Track registration campaigns
  • Nameserver Filter: Identify common infrastructure

Example workflow: Alert triggers for 50 similar domains, check WHOIS to find they all use the same registrar, filter by that registrar, bulk report to abuse contact, and track takedown progress.

HTTP/HTTPS Status Checks

Every matched domain is checked for web accessibility with both HTTPS and HTTP protocols.

Status Code Colors

  • Green (200-299): Site is active and responding
  • Blue (300-399): Site redirects to another location
  • Yellow (400-499): Request error or access denied
  • Red (500+): Server-side problems
  • Gray: Connection failed

Why HTTP Status Matters

  • Active sites (200): Immediate threat - site is live
  • Parked sites (404): Lower immediate risk - not yet active
  • Redirects (3xx): Check destination - may redirect to legitimate site or phishing page
  • Errors (4xx/5xx): Site may be misconfigured or taken down

Monitor when inactive domains become active, track phishing campaign rollout timing, detect when sites go offline, and identify testing phases.

Screenshot Capture

Visual captures of domain pages provide instant threat assessment.

Display Format

  • Thumbnail in event list (100x60 pixels)
  • Click thumbnail to view full-size
  • Modal viewer for detailed inspection
  • "No screenshot" indicator if capture failed

Screenshot Quotas

Per Alert Check Limit

  • Maximum 100 screenshots per individual alert execution
  • If alert matches 150 domains, only first 100 get screenshots
  • Prioritizes most recently registered domains

Per User Monthly Limit

  • 1,000 screenshots total per month across all alerts
  • Quota resets monthly on your sign-up anniversary
  • Check remaining quota in Preferences
  • Shared across all alert events

Example:

Alert 1: Matches 75 domains = 75 screenshots
Alert 2: Matches 200 domains = 100 screenshots (max per check)
Alert 3: Matches 50 domains = 50 screenshots
Total monthly: 225 screenshots used of 1,000
Remaining: 775 screenshots

Screenshot Use Cases

Threat Assessment

  • Identify phishing login pages instantly
  • Spot brand logo misuse
  • Recognize page templates from known campaigns
  • Verify legitimate vs. malicious sites

Evidence Collection

  • Document page appearance for reports
  • Capture content before takedown
  • Share visual evidence with law enforcement
  • Prove trademark infringement

Campaign Analysis

  • Identify common page templates
  • Track visual changes over time (watchlist)
  • Spot kit reuse across domains

When Screenshots Fail

Screenshots may not be available if the site requires JavaScript, blocks automated browsers, has SSL certificate errors, or is completely offline.

Fallback data: HTTP status still shows if site responds, DNS records show infrastructure exists, WHOIS provides registration details, and you can use external tools if screenshot is critical.

Notification Integrations

Configure how and where you receive alert notifications. All integrations are managed in Preferences.

Monids supports three notification channels, each delivering both monitored term alerts and watchlist changes in a consolidated daily digest.

Alert Types Overview

Channel      Monitored Term Alerts   Watchlist Changes   Domain Names Included   Format
Email        Summary counts          Count + link        No (privacy)            HTML + Plain Text
Slack        Summary counts          Count + link        No (privacy)            Markdown message
Splunk HEC   Individual events       Separate events     Yes (full details)      JSON with sourcetypes

Key Features:

  • Consolidated Digest: All channels send once daily with both alert types when applicable
  • Privacy Protection: Email and Slack only include counts and links, not domain names
  • Granular SIEM Data: Splunk HEC receives detailed events with full domain information
  • Conditional Watchlist: Watchlist section only included when changes detected
  • Filtered Navigation: All links navigate to pre-filtered dashboard views for immediate context

Email Notifications

Receive domain alerts and watchlist changes directly in your inbox.

Configuration

  1. Navigate to Preferences
  2. Find Email Notifications section
  3. Enable/disable with toggle
  4. Enter destination email address (optional - defaults to account email)
  5. Click "Send Test Alert" to verify
  6. Save preferences

Email Content

Daily digest emails include two sections when applicable:

1. Monitored Term Alerts

  • Total alert count and breakdown by monitored term
  • Summary table showing alerts per keyword
  • Direct link to filtered alert events in dashboard

Example:

ALERT SUMMARY
============================================
5 alerts across 2 monitored terms

ALERTS BY TERM
============================================
paypal: 3 alerts
microsoft: 2 alerts

View your complete digest at:
https://monids.com/dashboard/alert-events/#/alert-events?filter={"date":"2025-12-25"}

2. Watchlist Changes (conditional - only included when changes detected)

  • Count of watched domains with changes
  • Description emphasizing review importance
  • Direct link to filtered watchlist view showing only changed domains

Example:

WATCHLIST CHANGES
============================================
3 watched domains have detected changes

Domains in your watchlist have been updated. Review the changes
to ensure continued monitoring effectiveness.

View watchlist changes at:
https://monids.com/dashboard/watchlist/#/watchlist?filter={"has_changes":"true","date":"2025-12-25"}

Email Features:

  • HTML and Plain Text: Styled HTML version with fallback plain text
  • Subject Line: Informative count (e.g., "Monids Alert: 5 new domain alerts detected")
  • Conditional Sections: Watchlist section only appears when watchlist_changes_count > 0
  • Direct Navigation: Click links to view pre-filtered results
  • Privacy Conscious: No domain names in email, only counts and links

Use Cases:

  • Individual analysts who prefer email workflow
  • Stakeholders who need periodic summaries
  • Integration with traditional ticketing systems
  • Teams without Slack or SIEM infrastructure
  • Compliance documentation and audit trails

Slack Integration

Get instant notifications in Slack channels for real-time collaboration.

Configuration

  1. Create incoming webhook in Slack workspace at Slack API
  2. Create app or select existing
  3. Enable Incoming Webhooks
  4. Add webhook to desired channel
  5. Copy webhook URL
  6. Navigate to Preferences in Monids
  7. Find Slack Integration section
  8. Enable with toggle
  9. Paste webhook URL
  10. Click "Send Test Alert" to verify
  11. Save preferences

Slack Message Format

Daily digest messages use Markdown formatting with visual indicators:

Message Structure:

*Monids Alert for username*

🔔 *5* new domain alerts detected across *2* monitored terms

*Alerts by Term:*
  • paypal: 3 alerts
  • microsoft: 2 alerts

📊 View complete digest: [Dashboard Link]

⚠️ *Watchlist Changes:* (if applicable)
  • *3* watched domains have detected changes
  • View changes: [Watchlist Link]

Message Features:

  • Rich Formatting: Bold headers, bullet points, emoji indicators for visual scanning
  • Clickable Links: Direct navigation to filtered dashboard views
  • Conditional Sections: Watchlist changes only shown when applicable
  • Alert Grouping: Summary by monitored term, not individual domains
  • Privacy Conscious: No domain names included in notification, only counts
  • Compact Format: Fits in single Slack message for easy reading

Use Cases:

  • DevOps and security teams with Slack-first workflows
  • Real-time incident response channels
  • Collaborative threat analysis discussions
  • Quick triage and assignment workflow
  • Integration with Slack workflows and bots
  • Mobile notifications via Slack app

Advanced Usage:

  • Create dedicated #phishing-alerts channel for team visibility
  • Use Slack workflows to automatically create tickets from alerts
  • Tag team members for specific alert types using Slack integrations
  • Archive alerts for historical review and metrics
  • Export channel history for compliance and reporting
  • Set up custom Slack reactions for alert prioritization

HEC/SIEM Integration

Send domain event data to Splunk or other SIEM systems via HTTP Event Collector (HEC).

Configuration

  1. Set up HEC endpoint in SIEM (Splunk: Settings → Data Inputs → HTTP Event Collector)
  2. Create new HEC token
  3. Note endpoint URL (e.g., https://splunk.company.com:8088/services/collector)
  4. Copy HEC token
  5. Navigate to Preferences in Monids
  6. Find HEC/SIEM Integration section
  7. Enable with toggle
  8. Enter HEC endpoint URL
  9. Enter HEC token
  10. Optional: Skip TLS verification (not recommended for production)
  11. Click "Send Test Event" to verify
  12. Save preferences

Event Data Format

Splunk HEC integration sends two distinct event types for comprehensive monitoring:

1. Monitored Term Alert Events

Each alert event is sent as an individual Splunk event:

{
  "host": "monids.com",
  "source": "monitored_terms",
  "sourcetype": "alert:event",
  "event": {
    "user": "john.doe",
    "domain": "paypa1-secure.com",
    "term": "paypal",
    "match_type": "substring",
    "registration_date": "2025-12-20",
    "timestamp": "2025-12-25 09:00:00"
  }
}

Event Fields:

  • user: Username of alert recipient
  • domain: Matched domain name
  • term: Monitored keyword that triggered alert
  • match_type: How the match occurred (substring, exact, wildcard)
  • registration_date: Domain registration date (if available)
  • timestamp: Alert generation time (UTC)

2. Watchlist Change Events

Each watchlist change is sent as a separate Splunk event with dedicated sourcetype:

{
  "host": "monids.com",
  "source": "watchlist_monitoring",
  "sourcetype": "watchlist:change",
  "event": {
    "user": "john.doe",
    "domain": "suspicious-site.com",
    "change_type": "dns_change",
    "change_details": {
      "record_changes": {
        "A": {
          "removed": ["192.0.2.100"],
          "added": ["198.51.100.50"]
        }
      },
      "summary": "DNS records changed: A"
    },
    "detected_at": "2025-12-24 14:30:00",
    "timestamp": "2025-12-25 09:00:00"
  }
}

Event Fields:

  • user: Username of watchlist owner
  • domain: Domain name that changed
  • change_type: Type of change detected (see below)
  • change_details: Full JSON object with old/new values
  • detected_at: When change was detected (UTC)
  • timestamp: Alert notification time (UTC)

Supported Change Types:

  • dns_change: DNS records modified (A, AAAA, MX, TXT, etc.)
  • registrar_change: Registrar transfer or migration
  • nameserver_change: Nameserver updates
  • http_status_change: HTTP/HTTPS status modifications
  • ssl_change: SSL certificate changes (issuer, expiry)
  • keyword_found: Monitored keyword appeared on page
  • keyword_removed: Monitored keyword removed from page
  • new_domain: New domain registration detected

Batch Processing:

  • Events sent in batches of 50 for efficiency
  • Separate batches for alert events and watchlist changes
  • Failed chunks logged with error details
  • Automatic retry on network errors

Use Cases:

  • Enterprise security teams with SIEM infrastructure
  • Centralized logging and correlation across security tools
  • Advanced analytics and custom dashboards
  • Long-term historical analysis and trend detection
  • Compliance and audit requirements
  • Integration with SOC workflows and SOAR platforms
  • Full domain details included (unlike email/Slack for privacy)
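The following is an added example of how a receiving side might handle the two HEC event types documented above; it is not Monids' or Splunk's own code. The two sample events are constructed in the shapes shown above, the helper names are assumptions, and the batch size of 50 and the separate batching of alert and watchlist events follow the Batch Processing notes. The "Splunk <token>" Authorization header and the newline-separated multi-event body are the standard HEC request format.

```python
"""Normalize and re-batch Monids Splunk HEC events (added example)."""
import json

# Constructed sample events in the two shapes documented above.
SAMPLE_EVENTS = [
    {
        "host": "monids.com",
        "source": "monitored_terms",
        "sourcetype": "alert:event",
        "event": {
            "user": "john.doe",
            "domain": "paypa1-secure.com",
            "term": "paypal",
            "match_type": "substring",
            "registration_date": "2025-12-20",
            "timestamp": "2025-12-25 09:00:00",
        },
    },
    {
        "host": "monids.com",
        "source": "watchlist_monitoring",
        "sourcetype": "watchlist:change",
        "event": {
            "user": "john.doe",
            "domain": "suspicious-site.com",
            "change_type": "dns_change",
            "change_details": {
                "record_changes": {
                    "A": {"removed": ["192.0.2.100"], "added": ["198.51.100.50"]}
                },
                "summary": "DNS records changed: A",
            },
            "detected_at": "2025-12-24 14:30:00",
            "timestamp": "2025-12-25 09:00:00",
        },
    },
]

# Change types the Automated Response section singles out as high severity.
HIGH_SEVERITY_CHANGES = {"registrar_change", "http_status_change"}


def normalize(hec_event):
    """Flatten either event type into one record suitable for correlation.

    Returns kind, domain, user, a severity label, and the IPv4/IPv6 addresses a
    DNS change added (useful as indicators for firewall or DNS log matching).
    """
    body = hec_event["event"]
    sourcetype = hec_event["sourcetype"]
    if sourcetype == "alert:event":
        return {"kind": "alert", "domain": body["domain"], "user": body["user"],
                "severity": "high", "indicators": []}
    if sourcetype == "watchlist:change":
        change_type = body["change_type"]
        added = []
        if change_type == "dns_change":
            record_changes = body["change_details"].get("record_changes", {})
            for rtype, diff in record_changes.items():
                if rtype in ("A", "AAAA"):
                    added.extend(diff.get("added", []))
        severity = "high" if change_type in HIGH_SEVERITY_CHANGES else "medium"
        return {"kind": change_type, "domain": body["domain"], "user": body["user"],
                "severity": severity, "indicators": added}
    raise ValueError(f"unknown sourcetype {sourcetype!r}")


def chunk(events, size=50):
    """Split events into batches of at most `size`, never mixing sourcetypes."""
    by_type = {}
    for ev in events:
        by_type.setdefault(ev["sourcetype"], []).append(ev)
    batches = []
    for sourcetype in sorted(by_type):
        group = by_type[sourcetype]
        batches.extend(group[i:i + size] for i in range(0, len(group), size))
    return batches


def build_hec_request(endpoint, token, batch):
    """Return (url, headers, body) for one HEC POST. HEC accepts several JSON
    events concatenated in one body; TLS verification should stay enabled."""
    headers = {"Authorization": f"Splunk {token}",
               "Content-Type": "application/json"}
    body = "\n".join(json.dumps(ev, separators=(",", ":")) for ev in batch)
    return endpoint, headers, body


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(normalize(ev))
    print(len(chunk(SAMPLE_EVENTS * 60)), "batches for 120 events")
```

Because `normalize` keeps the added A/AAAA values as a separate `indicators` list, a correlation search only needs to join that field against firewall or DNS resolver logs rather than parsing `change_details` at query time.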

SIEM Use Cases

Splunk Dashboards

Create real-time alert feed dashboard, visualize registration trends over time, map infrastructure by nameserver/IP, track registrar abuse patterns, monitor watchlist change distribution by type, correlate alert events with watchlist changes, and combine with other security logs.

Alert Correlation

Cross-reference alert events with firewall logs, match with email gateway blocks, correlate with endpoint detections, identify multi-stage attacks, track watchlist changes indicating campaign progression, and join DNS changes with network security events.

Automated Response

Trigger firewall blocks automatically from alert IPs, create SOAR playbook actions for high-severity watchlist changes (registrar, HTTP status), update threat intelligence feeds with watchlist domains, generate tickets in ITSM for specific change types, and alert escalation when multiple changes detected on same domain.

Reporting

Executive summary reports showing alert volume and watchlist change trends, compliance documentation with full audit trail, threat landscape analysis identifying patterns from change types, ROI metrics for brand protection tracking domains monitored and changes detected, and SLA tracking for time-to-detection metrics.

Use enrichment data to perform powerful filtering and discovery.

Basic Filters

Available in toolbar on Alert Events:

Keyword Filter

  • Dropdown of your alert keywords
  • Filter to specific alert

Date Filter

  • Date picker for trigger date
  • Filter by date range
  • Track campaign timing

Advanced Filters

Click "Advanced Filters" to reveal additional options:

DNS Filters

  • A Record: Filter by IPv4 address
  • Nameserver: Filter by NS record
  • MX Record: Filter by mail server
  • TXT Record: Filter by TXT content

WHOIS Filters

  • Registrar: Filter by registrar name
  • Registration Date From: Earliest date
  • Registration Date To: Latest date

Filter Actions

  • Apply Filters: Execute query
  • Clear All: Reset to no filters
  • Badge shows count of active filters

Click the + icon in DNS records to instantly populate filters.

Export Functionality

Export filtered results for external analysis:

  1. Apply desired filters
  2. Click "Export" button in toolbar
  3. Downloads CSV/Excel file
  4. Includes all visible columns and enrichment data

Use export to share with legal team for takedown, import into ticketing system, analyze in Excel or Python, generate custom reports, and archive for compliance.
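As an added example of the WHOIS workflow described earlier (alert fires for many similar domains, they share a registrar, report them in bulk) applied to an exported CSV, the script below clusters exported rows by nameserver and A record and builds one abuse report batch per registrar contact. It is not Monids' own code: the column names (domain, registrar, nameservers, a_records, abuse_email) and the semicolon separator for multi-valued cells are assumptions, and the sample rows are constructed.

```python
"""Cluster exported Monids alert events by shared infrastructure (added example)."""
import csv
import io
from collections import defaultdict

# Constructed sample export; domains, registrars and contacts are fictitious
# and the column names are assumed, not taken from a real Monids export.
SAMPLE_CSV = """domain,registrar,nameservers,a_records,abuse_email
paypa1-secure.example,Example Registrar Inc,ns1.cheaphost.example;ns2.cheaphost.example,192.0.2.10,abuse@example-registrar.invalid
paypal-login-verify.example,Example Registrar Inc,ns1.cheaphost.example;ns2.cheaphost.example,192.0.2.10,abuse@example-registrar.invalid
secure-paypal-update.example,Other Registrar LLC,ns1.other.example;ns2.other.example,198.51.100.5,abuse@other-registrar.invalid
microsoft-0ffice.example,Example Registrar Inc,ns1.cheaphost.example;ns2.cheaphost.example,192.0.2.11,abuse@example-registrar.invalid
"""


def parse_export(text):
    """Read the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def cluster_by(rows, column, splitter=";"):
    """Group domains by the values in `column`.

    Multi-valued cells (nameservers, several A records) are split so that a
    domain joins the cluster of each value, mirroring the + icon pivot in the UI.
    """
    clusters = defaultdict(list)
    for row in rows:
        values = [v.strip() for v in row[column].split(splitter) if v.strip()]
        for value in values:
            clusters[value].append(row["domain"])
    return dict(clusters)


def abuse_report_batches(rows, min_size=2):
    """One report batch per registrar abuse contact, for registrars that appear
    at least `min_size` times in the export. Returns {abuse_email: [domains]}."""
    by_registrar = defaultdict(list)
    for row in rows:
        by_registrar[row["registrar"]].append(row)
    batches = {}
    for group in by_registrar.values():
        if len(group) < min_size:
            continue
        contact = group[0]["abuse_email"]
        batches[contact] = sorted(r["domain"] for r in group)
    return batches


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    for ns, domains in cluster_by(rows, "nameservers").items():
        print(f"{ns}: {len(domains)} domains")
    for contact, domains in abuse_report_batches(rows).items():
        print(f"report to {contact}: {', '.join(domains)}")
```

Clustering by nameserver before clustering by registrar usually gives the tighter grouping, since bulk registrations at one registrar may still be spread across several hosting providers; the `min_size` threshold keeps one-off matches out of a bulk report.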

Search the entire database with Boolean operators at Domain Search.

Boolean Operators

AND Operator

Both terms must appear. Example: google AND login finds google-login.com and login-google-secure.net.

OR Operator

Either term must appear. Example: paypal OR bank finds paypal-secure.com, bank-login.net, and fake-paypal.org.
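To make the operator semantics concrete, here is an added example (not Monids' search implementation) that evaluates a query of the form "term AND term" or "term OR term" over a constructed list of domain names, treating each term as a case-insensitive substring match as the examples above imply. Mixing both operators in one query and parentheses are not covered by the documentation and are rejected here.

```python
"""Evaluate Monids-style Boolean domain searches (added example)."""

# Constructed sample corpus; it includes the domains quoted in the examples above.
DOMAINS = [
    "google-login.com",
    "login-google-secure.net",
    "paypal-secure.com",
    "bank-login.net",
    "fake-paypal.org",
    "example-shop.com",
]

OPERATORS = ("AND", "OR")


def parse_query(query):
    """Return (operator, terms). A query with no operator is a single-term AND."""
    tokens = query.split()
    ops = {t.upper() for t in tokens if t.upper() in OPERATORS}
    if len(ops) > 1:
        raise ValueError("mixing AND and OR in one query is not supported here")
    terms = [t.lower() for t in tokens if t.upper() not in OPERATORS]
    if not terms:
        raise ValueError("query contains no search terms")
    return (ops.pop() if ops else "AND"), terms


def search(query, domains=DOMAINS):
    """AND: every term must be a substring of the domain; OR: at least one must."""
    operator, terms = parse_query(query)
    combine = all if operator == "AND" else any
    return [d for d in domains if combine(term in d.lower() for term in terms)]


if __name__ == "__main__":
    print(search("google AND login"))
    print(search("paypal OR bank"))
```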

Search Results

Each result includes domain name with copy-to-clipboard, registrar name, nameservers, abuse contact information, direct link to visit domain, and add to watchlist button.

API Access

For programmatic access to all enrichment data and alert management, use the REST API.

Generating API Token

  1. Navigate to Preferences
  2. Find API Access section
  3. Click "Generate Token"
  4. Copy and securely store token
  5. Use in API requests

See REST API Documentation for complete API reference.

Troubleshooting

Missing DNS Records

If some DNS records aren't showing, the domain may not have those record types, there may be a DNS propagation delay, or the DNS server may have timed out. Check whether the domain actually has those records using an external lookup, then wait a few minutes and refresh. The most common records (A, NS) are almost always present.

WHOIS Data Incomplete

If some WHOIS fields are empty, it may be due to WHOIS privacy protection, limited WHOIS data for the domain extension, or a WHOIS server timeout. Abuse contacts are usually still available. Use the registrar information to make contact, or check the domain extension's WHOIS limitations.

Screenshots Not Capturing

If no screenshot is available, check the HTTP status to verify the site is up, view your quota in Preferences, and use an external screenshot tool if critical. DNS/WHOIS data is still available.

Possible causes: Site requires JavaScript, site blocking automated browsers, quota exceeded, or SSL errors.

Integration Not Sending

If no notifications are received, use the "Send Test" button to verify delivery, check the URL and token carefully, verify that your network allows outbound connections, and ensure the integration toggle is enabled.

Possible causes: Incorrect webhook/endpoint URL, token expired or invalid, network firewall blocking, or integration disabled.
