While summer brings to mind hot beaches and cold beverages, we spent a lot of the last couple of months working on a set of new features for our Iris Investigate users, and they are now available to you to try out! Actually, some of them rolled out back in July, but we’re considering the sets of features from July and the newest set, released in September, as part of a larger Summer 2019 feature set.
There were a couple of significant themes to these features. Perhaps the most important is getting passive DNS (pDNS) data in front of the user as early in the investigative process as possible. Another theme was enhancing the various ways in which data from Iris Investigate can be viewed or used outside of Iris Investigate. We also made efforts to get domain risk and age stats into more views than before.
Ultimately, the goal is always to get you to the answers you seek as efficiently and effectively as possible. Whether you’re profiling a new adversary attack campaign, trying to characterize threat actor groups, or exploring potentially malicious infrastructure, the more you can know about it, in the fewest clicks, the better. We hope you’ll agree that these new features help with that.
The first set of Iris Investigate Summer 2019 features debuted on July 25. Here’s an overview:
- The Domain Inspector view is now tabbed, for easy access to Whois History, Screenshot History, Hosting History, and SSL Profile, in addition to the familiar domain inspection view. This is very convenient for customers who want to do a fast ad-hoc lookup of a domain without necessarily starting an investigation.
- The IP Profile and Inspector now include the average Risk Score and average domain age. For customers doing searches on IP addresses, this small but important change helps them characterize the IP more quickly.
- The .pdf investigation report now has the average Risk Score and average domain age. This is helpful when a team is sharing their findings with others in their organization who are not Iris users.
- Tags are now included in the .csv export from Pivot Engine. As we expect Tags to become an increasingly prominent part of the decorating data in Iris investigations, this will allow the Tags to flow into other reports, documents, or applications that customers use in concert with Iris.
The September release makes it easier to see more detail on DNS resolutions in almost every kind of Iris search:
- When searching on a domain, the Domain Inspector and Domain Profile show a pDNS Preview, with the five most recently observed hostname resolutions displayed in the Inspector/Profile and a link to the pDNS panel to get complete pDNS results.
- When searching on an IP address, the IP Inspector and IP Profile also show the five most recent hostname resolutions observed with that IP address.
- In the case of a search that yields no Pivot Engine results (no active resolutions found on that IP), when pDNS does have data, the five most recent resolutions are shown on the Pivot Engine, with a link to pDNS for full results.
- In the pDNS panel, on domain queries, subdomains are now shown by default. The user has the option to show just the apex domain if they wish.
There are two enhancements for exporting data in various ways from Iris:
- The Domain Inspector includes Print controls on each of the tabs, in case you wish to keep a .pdf or printed record of data on specific domains.
- You can now custom-tailor which domains are included in a .csv export by using the multi-select feature in Pivot Engine before initiating the .csv download.
In the Domain Inspector and Domain Profile views, all Guided Pivots now have a risk indicator. This lets you quickly identify pivots that have a high average risk tied to them.
And finally, we also added Domain Tags to the Stats view.
As summer gives way to autumn, rest assured we’re at work on yet more Iris features to help you carry out your security duties!
To learn more about enhancements to Iris, join Mike Jones, VP of Product, and Taylor Wilkes-Pierce, Senior Sales Engineer, on October 1st at 10 AM PT/1 PM ET.