Step-by-step workflow guide for investigators
Event Monitoring
Before you start:
Important to know
- Start early: begin keyword setup as soon as the event date is confirmed.
- Cast a wide net first and refine later. False positives are acceptable early on.
- Monitor in multiple languages relevant to the event location.
Platform limits
- 4-hour backfill only: when you create a new case, Monitor retrieves posts from the previous four hours only and cannot go further back.
- Max 5 languages per search. Never leave language blank.
- Filters narrow down your view of already collected messages; they do not affect how much data is pulled in.
- X, Instagram, Facebook, and Snapchat have monthly caps.
- Cases auto-pause. Set this to the longest available period.
Access
- Open Maltego Monitor from maltego.monitor.com or app.maltego.com. Note that you need a Maltego ID to log in.
- Make sure your plan includes access to Maltego Monitor (only Maltego Enterprise customers have Monitor included in their plans).
Resources
This guide assumes basic familiarity with Monitor. Feature names link to the documentation where needed. It helps to have the following pages open before you start:
Video Overview
Watch a real event monitoring case being set up in Monitor for the G7 Summit in Évian, France from scratch — searches, filters, and refinements included. Then follow the step-by-step guide below to build your own, or skip the video and jump straight to the steps.
Step-by-Step Guide
1. Early stage: set up your searches
As soon as you know the event is happening, start setting up your searches. This lets you cast a wide net at first and find the right keywords over time, so that by the time of the event you know exactly what you are trying to isolate.
| Search | Example Query | Key Notes |
|---|---|---|
| Event name in multiple languages | `=G7 Summit= OR "G7 2026" OR =G7 Evian= OR #G7 OR #G7evian26 OR #G72026`<br>`=Sommet du G7= OR =G7 Évian= OR "Sommet G7" OR #sommetG7` | |
| Prominent attendees | `G7 AND (Macron AND Carney AND Merz AND Meloni AND Takaichi AND Trump AND Costa AND =von der Leyen=)` | |
| Location | Location search: `Évian AND G7` | |
Exclude irrelevant terms that might be polluting your results. For Evian, we want to exclude terms like "water", "bottle", "thirsty" — anything that references Evian the drinking water brand and not the summit.
2. Leading up to the event: refine and analyze
Once your case has been running for a few weeks (or days depending on the event timeline), you will have enough content to start analyzing what is being captured and making informed refinements. By now you should have a clearer picture of who is opposing the event and what language they're using. Start layering in more targeted searches and activate analytical features.
This section explains three refinement techniques: adding building blocks, activating AI-powered insights, and tracking specific accounts for more targeted monitoring.
Add threat language building blocks
A building block is a saved collection of keywords or phrases that you can apply to multiple searches without re-entering them.
A few weeks out, add pre-existing threat-related building blocks such as Threats or Bomb Alert to surface violent or threatening language emerging around the event before it explicitly names individuals. You can also create your own building blocks if relevant.
How to use it:
- Open the Library from the left side panel.
- Click on 'Add Building Block'.
- Fill in the name, description, and add comma-separated search words. Add exclusion terms if necessary (e.g., we are looking for Cologne the city, but would like to exclude posts about perfume).
Activate Key Insights: Physical Attack Topic
- Physical Attack Topic is an AI-generated topic using ML to surface physical violence content. Activate in Advanced settings.
- It catches content that keyword searches would miss.
- ⚠️ Can produce false positives — treat as a signal to investigate, not a confirmed threat.
- Always review the source content before acting on a Physical Attack flag.
Track the most active posters
If you see an account that is posting threatening, aggressive, or obsessive content at unusually high volume, or you know of groups that might be protesting at the event, add their accounts directly to your case's account monitoring list. If one account becomes particularly aggressive or high-volume, pull it out into its own dedicated search.
How to use it:
To add an account:
- Open the account's profile from the Key Insights panel.
- Copy the account handle or URL.
- Open the Library, go to the Account lists tab, and click "Add account list".
- Add the account (URL or username) and click save.
- Navigate back to the case and add the account list to your search.
Consider using Echo AI to ask targeted questions about what's being planned — e.g. "What protests are planned around [event name]?" This gives a structured overview of planned organized protests, which can inform new searches to add.
3. Days before/day of the event: narrow down and stay alert
As the event approaches, your priority shifts from broad research to precision monitoring — you want to reduce noise and catch what matters.
Delete or adjust searches
Review the searches you set up at the beginning. If a search is generating noise, remove it to prevent it from diluting your view on event day.
Narrow down with filters
You use the lead-up weeks to understand the landscape, so that on the day of the event you can focus with precision. To do that, add building blocks as filters.
Helpful building blocks to use for event monitoring would be civil unrest, demonstration, threats, and weapons.
Enable image analysis
Enabling image analysis means the system can automatically scan incoming visual content for relevant signals, such as weapons or firearms, so you're not relying solely on text-based filters to surface critical information.
How to use it:
- Enable image analysis in the settings and allow filters to be applied to visual content.
- Add a filter with Weapons and Firearms building blocks.
- Tick the "Image" box below to apply the building block to the images. The system will then run image recognition across incoming posts and flag any that match.
Optional steps
Set up alerts
As the event draws closer, you won't always be able to keep the monitor open continuously. Setting up alerts on key filters such as weapons or firearms ensures you receive email notifications whenever message volume surpasses a defined threshold. Alerts can be configured at the level of the entire case, across all filters, or scoped to a specific filter.
Tips for an effective dashboard:
- Configure alerts for specific filters such as images. Avoid configuring alerts for the entire case: due to potential noise, you will be notified more often than needed.
Build a shared dashboard
Build a shared dashboard for colleagues who don't have Monitor access, such as incident response teams and situation rooms.
Tips for an effective dashboard:
- Adjust the layout to suit your audience and revisit as needed. For example, make the messages panel larger for easier reading.
- Narrow the view by visuals and filters to reduce noise.
- Add a timeline to give colleagues a clear sense of how activity is developing over time.
- Set the time window to the last hour for real-time awareness.
Other guides you might find useful:
- Event Monitoring
- Discourse Monitoring
- Threat Actor Monitoring
- Supply Chain Monitoring
Copyright © 2026
