Search bots are intelligent search systems designed to scan the web and find exactly what you want, through the most customizable queries and options available.
Creating a bot
🚨Important! Search bots and keyword libraries are currently available for managers only.
First, on the Search bots page, click on Add bot:
Then, choose a source for your bot to scan. Some sources have recommended templates. However, you can always create a bot from scratch if you prefer.
Add bot from a template
Templates are faster and more efficient to set up, and you can still edit every option (more details below).
Create bot from scratch
This is also a fast, easy-to-configure way to set up a bot, with more controls. During creation, you will be guided through these steps:
Which source this bot will scan? Here, you select where bots should monitor.
For which asset this bot will work? Here you select the asset under which events are created as tickets on the platform. Note that this doesn’t mean the asset’s name or information will be detected: you control what is searched for in the next field.
What to search for? Where all the technology happens. You can select your asset libraries (groups of information such as Brand name and variations, Website domains, and other asset information), keyword libraries (created/edited on their own page - learn more about libraries here), or even input anything you want in plain text. Yes, any text.
Some sources also have advanced settings in this step:
On search, determine: here you set the details and small configurations applied at the moment of the search in the source you selected.
Before creating a ticket, filter by: use these conditions to narrow down what is detected from the search results (called signals). Only signals that pass the filter rules you set become tickets on your workspaces. We strongly recommend using filters to prevent broad collections from generating numerous false positives.
Searches generated: where you see all possible combinations for your search query. This is not editable, but more search rules will be generated if you add more libraries or keywords. If you remove them, fewer search rules will be generated. In addition, in this step, you will know how often the searches will run.
Bot title: where you create a name that helps you identify where detections come from. You have total freedom to create the name that best suits your organization, or you can leave this blank.
This is the final view of your bot. When you are ready, click on Save bot:
Understanding the bots' list
Filters
On the Search bots homepage, you can navigate and look for specific bots using filters (for Asset, Keyword library, Source, Status, and Ticket type) and the Search bar:
Bots' statistics
To help you make decisions about bots and identify which ones need to be adjusted, the platform presents some statistics about them:
Searches: the number of searches generated by the bot.
Detections: the number of detections the bot has brought in over the last six months.
Conversion: the percentage of the bot's detections that have been marked as Incident, Internal treatment or Takedown in the last six months. The value can be null (-) when the bot has had no detections or when the detected tickets have not been moved (i.e., they are still open).
🔊 If you're not sure how to make decisions based on these figures, please refer to the FAQ “How do you make decisions based on bot statistics?”.
Bots' status and errors
Hit a bot’s toggle to activate or deactivate it.
Enabled bots will be toggled green in this list.
Disabled bots will be toggled gray in this list.
Bots with errors will receive a yellow tag explaining the error. These bots will not generate searches until they have been corrected. The errors can be the following:
Asset disabled
Monitoring missing
Empty library
Search limit exceeded
Editing a bot
You can edit a bot at any time, and you can change all the options you were presented with when creating it. Click on the pencil button to edit the bot:
FAQ
What if a bot generates many tickets?
This can happen, given the level of independence you have in search bots. We strongly recommend that you check the number of searches generated and use filters to restrict searches when creating a bot, considering both the number of keywords and libraries you have defined.
Remember that with great power comes great responsibility.
Don't forget that you can also take actions on larger quantities of tickets with Automations.
What is the frequency of collections for a bot?
The sources are searched at different frequencies and at different times, depending on the risk associated with the threats obtained by the bot. This information appears on the bot's creation/editing screen, just above the table of generated searches.
Is it possible to identify which bot detected a ticket?
You can easily identify which bot detected a ticket. In the ticket details, the name of the bot responsible for the detection will be displayed. By clicking on the bot's name, a new tab will open with more information about it.
This improvement facilitates ticket triage, allowing you to quickly identify which bot generated the detection. This is especially useful for adjusting the bots' settings or disabling them if they are generating false positives.
Can I add new words to libraries that are already used in bots? Will it be updated? And can I remove words?
Yes! Our system allows for the automatic updating of bots associated with keyword libraries when adding, editing, or removing keywords from those libraries.
Will there be bots for all sources?
No. Not all sources allow the creation of bots. For example, when searching for a domain in Credential Leak, it doesn't make sense to create specialized searches since the domain itself is the root we will be collecting. Additionally, some sources (like lists) do not allow the application of Search bot technology. Stay tuned for new releases.
Are bots switched on automatically?
Axur activates some bots automatically based on the information provided in the Assets and Keyword libraries. However, not all sources have search patterns with automatic activation. Furthermore, even for sources that have automatically activated bots, we recommend that you review them.
If you want to activate a source that doesn't have automatic bots, you can activate it manually via the Search bots screen.
In the table below, you can see which sources have automatic bot activation:
Source | Any automatic bots? | For which product? |
Amazon | ❌ | - |
App Store | ❌ | - |
APWG (Anti-Phishing Work Group) | ❌ | - |
Bitbucket | ❌ | - |
Doceru | ✅ | Other sensitive data |
✅ | Fake social media profile | |
Facebook Marketplace | ✅ | Counterfeit or irregular sale |
Forums, Darknets, and Markets | ✅ | Deep & Dark Web |
GitHub | ❌ | - |
Google Play | ✅ | Fake Mobile App |
Google Shopping | ❌ | - |
✅ | Fake social media profile | |
Grayhat Warfare | ✅ | Other sensitive data |
❌ | - | |
Linktree | ✅ | Fake social media profile |
Mercado Libre | ✅ | Counterfeit or irregular sale |
Meta Ads Library | ❌ | - |
OLX | ✅ | Counterfeit or irregular sale |
Paid search | ✅ | Paid search |
Pastebin | ❌ | Other sensitive data |
Postman | ✅ | Other sensitive data |
Ransomware feed | ✅ | Deep & Dark Web |
Scribd | ❌ | - |
SERP - Search Engine Results Page | ✅ | Counterfeit or irregular sale, Fake mobile app, Fake social media profile, Fraudulent brand use, Other sensitive data, Phishing |
Shopee | ❌ | - |
SwaggerHub | ❌ | Other sensitive data |
TikTok | ✅ | Fake social media profile |
URLScan | ✅ | Phishing |
X - Twitter (profiles) | ❌ | - |
YouTube | ❌ | - |
Zoom | ❌ | - |
How do I make decisions based on bot statistics?
Bot statistics should be carefully analyzed, considering:
Purpose of the bot
Type of ticket
A bot that does not bring detections every month should not necessarily be deactivated. Consider the case of a bot that looks for ransomware attacks. We hope that such a bot never brings detections, but it is important to keep it enabled, as the risk of deactivating it and becoming vulnerable to ransomware attacks is huge.
However, there are other types of tickets that may not be bringing detections because they do not fit your asset. In these cases, it may make sense to deactivate the respective bot. For example:
If your asset does not sell products, it makes no sense to have bots for irregular sales or counterfeiting enabled.
They will not be effective for your needs.
It is worth remembering that it is very difficult to have a 100% accurate bot. However, we always suggest that you review the bots that bring many detections but low conversion. Bots in this scenario detect irrelevant tickets and generate triage effort for your team.
Last but not least: if you're afraid of making the bot too restrictive and missing out on relevant detections, we recommend using Automations to help with triage and discard irrelevant detections.
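The review rule from this answer, written out as an added example (it is not Axur's code and does not use any Axur API). It assumes tickets are available as (bot name, status) pairs; the "Open" and "Discarded" status labels, the bot names, the thresholds and the choice of all detections as the denominator are assumptions made for the illustration.

```python
from collections import defaultdict

# Statuses the page counts toward Conversion.
CONVERTED = {"Incident", "Internal treatment", "Takedown"}
OPEN = "Open"  # assumed label for tickets that have not been moved yet
# Sources kept enabled even with zero detections (the page's ransomware case).
ALWAYS_ON_SOURCES = {"Ransomware feed"}

def conversion(statuses):
    """Conversion in percent, or None for the '-' shown by the platform."""
    if not statuses or all(s == OPEN for s in statuses):
        return None  # no detections, or nothing triaged yet
    converted = sum(1 for s in statuses if s in CONVERTED)
    return round(100 * converted / len(statuses), 1)

def review_bots(tickets, bots, min_detections=50, max_conversion=10.0):
    """Map bot name -> (detections, conversion, verdict).

    Thresholds are hypothetical; tune them to your own triage capacity.
    """
    by_bot = defaultdict(list)
    for bot, status in tickets:
        by_bot[bot].append(status)
    report = {}
    for bot, source in bots.items():
        statuses = by_bot.get(bot, [])
        conv = conversion(statuses)
        if source in ALWAYS_ON_SOURCES:
            verdict = "keep"      # silence is the expected, desired outcome
        elif conv is None:
            verdict = "no-data"   # cannot judge until tickets are triaged
        elif len(statuses) >= min_detections and conv <= max_conversion:
            verdict = "review"    # many detections, low conversion
        else:
            verdict = "keep"
        report[bot] = (len(statuses), conv, verdict)
    return report

# Constructed sample data: bot names and ticket counts are made up.
BOTS = {"brand-serp": "SERP", "ransomware-watch": "Ransomware feed",
        "olx-sales": "OLX", "new-tiktok": "TikTok"}
TICKETS = ([("brand-serp", "Takedown")] * 3 + [("brand-serp", "Discarded")] * 57
           + [("olx-sales", "Incident")] * 4 + [("olx-sales", "Discarded")] * 6
           + [("new-tiktok", OPEN)] * 5)

if __name__ == "__main__":
    for name, row in review_bots(TICKETS, BOTS).items():
        print(name, row)
```

A "review" verdict is a prompt to tighten the bot's filters or libraries, not to disable it outright.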
If you have any questions, feel free to reach out at [email protected] 😊
