Step-by-step workflow guide for investigators

Brand Reputation Monitoring

This guide walks you through setting up a Brand Reputation Monitoring case from scratch, and then refining it so that the content flowing in is focused, actionable, and as noise-free as possible. By the end, you will have a live case that works for you in the background, surfacing what matters and filtering out what does not.

Before you start:

First Steps

  • Gather the brand's full footprint: subsidiaries, regional brand names, product lines, services, and associated prominent individuals. 
  • Expect high data volumes for prominent companies. Cast a wide net first and refine later.
  • Decide upfront on the focus of your monitor — all conversation or only threat-relevant content. 
  • Create a new case skipping the Case Wizard.

To enlarge, double-click on the video.

Platform Limits

  • 4 hour-backfill only — when you create a new case, Monitor retrieves posts from the previous four hours only and cannot go further back. 
  • Max 5 languages per search – never leave language blank
  • Filters narrow your view of already collected messages — they do not affect how much data is pulled in.
  • X, Instagram, Facebook, Snapchat have monthly caps
  • Cases auto-pause — set to longest available period 

Access

  • Open Maltego Monitor from maltego.monitor.com or app.maltego.com
    Note that you need a Maltego ID to log in.
  • Make sure your plan includes access to Maltego Monitor (only Maltego Enterprise customers have Monitor included in their plans).

Resources

This guide assumes basic familiarity with Monitor. Feature names link to the documentation where needed. It helps to have the following pages open before you start: 


Video Overview

Watch a real brand reputation monitoring case being set up in Monitor from scratch — searches, filters, and refinements included. Then follow the step-by-step guide below to build your own, or skip the video and jump straight to the steps.

To enlarge, double-click on the video.

Step-by-Step Guide

1. Set up your searches



Search Example Query Key Notes
Company / Brand Name
Microsoft AND (Reputation - Negative sentiment building block OR Reputation - Social media terms)
  • Use == search operator to return an exact match of words in a specific order if your company name contains multiple words. It does not matter whether you get results referencing Bill Gates or Gates Bill, but with company names, you would want to have an exact match (e.g. =Best Buy=). This allows to catch threats that never name the executive directly — e.g. "the boss at Best Buy".
  • If the company name is a common word, add a qualifier (e.g. =Apple Inc= not just Apple).
  • Use AND to combine company name with role-reference terms to reduce noise (e.g. =Apple Inc= AND boss).
  • Uses the Executive Protection and Threats pre-built building blocks.
  • Wrap both building blocks in parentheses with OR, then AND the company name.
Company Products and Services
Microsoft AND Windows OR =Microsoft 365= OR "Teams Messenger" OR Xbox OR "Microsoft Surface"
Microsoft AND (Edge OR Azure) OR Bing OR Linkedin OR OneDrive OR Outlook OR GitHub
  • Combine product names with the company name to avoid false positives (e.g. "Windows" alone returns noise)
  • Always quote multi-word names — without quotes, Monitor returns any post with "Teams" anywhere and "Messenger" anywhere, producing noise.
Executive Name(s)
("Satya Nadella" OR =Brad Smith=) AND Microsoft
  • Always quote multi-word names to avoid noise.
  • Add the compound hashtag variant (#SatyaNadella) — Instagram and Facebook content only appears if hashtagged.
  • Include incoming or predecessor names if a leadership transition is underway.
  • Set at least one language — leaving the field blank returns all languages.
Prominent Legacy Figures
"Bill Gates" AND (Reputation - General Negative sentiment building block OR Threats building block)
  • For figures famous independently of the company, add threat and negative sentiment building blocks directly to the name search rather than relying on the company name as a qualifier

Please note that customizable building blocks are available only to Full Feature Monitor customers.

2. Refine and Analyze 

Once your case has been running for 24-48 hours, you will have enough content to start analyzing what is being captured and making informed refinements.The goal of a properly set up monitor is to be manageable for you to read through the content 
 This section explains three refinement techniques: using word-count insights to exclude noise, identifying high-volume accounts for closer tracking, and using additional building blocks to sharpen your filters. 

Essential steps

Evaluate the collected data
and refine the search

Each search displays a number next to it. Use it to gauge relevance of collected posts.

High numbers indicate noise. Add qualifiers or building blocks to narrow results. For example, a search returning 24k results can be refined by wrapping it in brackets and appending AND [building block]. This ensures only posts linking a product to a reputation threat keyword are collected. For Microsoft, we can add "Microsoft AND Reputation: Crisis building block."

Low numbers may mean the search is too narrow. For example, executive names alone, especially the less known ones, may rarely appear in posts. Try adding context like "boss AND Microsoft" or "CEO AND Microsoft" to expand coverage.

Exclude or add
high-frequency terms

Within the dropdown list with additional analysis tools, you will find a word-count view — a ranked list of the terms that appear most frequently across all the content in your case.

When a high-frequency term is irrelevant to your search and contributes to noise, you can exclude it On the other hand, if a high-frequency term (e.g. AI, Copilot) warrant their own dedicated search string, add them.










Calibrate with filters

Keep the main searches broad and add negative sentiment / crisis / reputation building block filters as a toggle layer rather than baking them into the search. This preserves the full content stream while letting you switch to a threat-relevant view.

The gap between filtered and unfiltered results is itself a signal: a wide gap means most conversation is neutral; a narrow gap means a high proportion is already threat-relevant.

Consider adding the following Reputation building blocks:

  • Reputation - General Negative sentiment 
  • Reputation - Crisis Management
  • Reputation - Negative influence and people
  • Reputation - Social media terms


Other guides you might find useful:

  • Event Monitoring
  • Discourse Monitoring
  • Threat Actor Monitoring
  • Supply Chain Monitoring

Give us your Feedback!