Brand Monitor
Watchers and hits
The atomic units of Brand Monitor – what you configure, what you receive.
Not verified yet
Brand Monitor is built on two primitives:
- A watcher – your configuration. What to watch for, who to notify.
- A hit – an event. One match against a watcher, with metadata.
Watcher
What you set up per brand or per protected term.
| Field | Description |
|---|---|
| Word | The keyword to match against. Usually your brand name. |
| Allowlist | Comma-separated list of known-legitimate domains the watcher should ignore (e.g. your own domains and verified partners). |
| Notification email | Where Brand Monitor sends alert emails. |
| Minimum notification score | 0–100. Hits below this threshold are recorded but don't email. Defaults to 30. |
| AI content check | Toggle. When on, Brand Monitor visits flagged domains and runs LLM-based content analysis before alerting. |
| Enabled | A kill-switch. Disabling stops matching without deleting the watcher's history. |
Your organization has one free watcher; additional watchers are billed by the hour. See pricing.
Hit
What Brand Monitor records every time a watcher matches a CT log entry.
| Field | Description |
|---|---|
| Domain | The matched FQDN. |
| Match reason | substring, homoglyph, typosquat, subdomain, lookalike-tld. |
| Score | 0–100. Higher means more likely to be a real threat. |
| Score level | low / medium / high (derived from score). |
| CA issuer | The CA that issued the matched cert (Let's Encrypt, DigiCert, etc.). |
| CT log | Which Certificate Transparency log surfaced the cert. |
| All domains on the cert | Subject Alternative Names from the cert. Useful for detecting bulk-registration patterns. |
| AI verdict (when enabled) | impersonation: yes/no + risk: low/medium/high + indicators + reasoning. |
| Notification sent | Whether an email was sent. Driven by min score and watcher enabled state. |
| Created at | When Brand Monitor recorded the hit. |
Filtering and triage in the dashboard
Open Brand Monitor → Detections in app.norcube.com for the cross-watcher hit feed. Filter by:
- Watcher – narrow to one keyword.
- Score range – e.g. only
score >= 70. - Search – substring against domain.
Click a hit for full detail: all SANs on the cert, AI analysis (if run), and an option to fetch full WHOIS enrichment on the matched domain.
Behaviour and edge cases
- A hit is recorded even if no email is sent (below threshold, watcher disabled). Surfacing them later via the dashboard is useful for retrospective analysis.
- One match per (domain, watcher), regardless of cert renewals. If the same domain is re-issued certs, you won't get multiple notifications.
- Hits don't expire. They're retained for the lifetime of the organization or until you delete the watcher.
- Deleting a watcher also deletes its hits.