
What’s New With Iris Investigate and Enrich Fall 2023

Happy autumn! We’ve been busy at DomainTools bringing new features to our products, and we’d like to share some things we’ve recently added to Iris Investigate. Many of these items were requested by practitioners, so this is a good reminder that your DomainTools team is always interested in your feedback and feature requests!

Domain History

Domain History is a new feature in Iris Investigate that shows how a domain has evolved over time. This can help investigators see when a domain potentially becomes malicious by tracing who controlled it, where it was hosted, what web content it provided, and more. History records can provide a “missing link” to find elusive ownership details or to confirm a connection to other domains or IP addresses. Domain History is a new tab in the Iris Investigate UI when viewing data for a domain.

Domain History is an improved replacement for the legacy Hosting History feature – it covers many more fields and works for all domains tracked by DomainTools. The tracked data elements include:

  • Status – when a domain is seen as newly active by DomainTools, or when a domain becomes inactive
  • Whois data – create/expiration dates, registrar and registrant names, contact emails, and more
  • DNS data – results of daily DNS resolutions for A, NS, MX and SOA active resolutions
  • Web content – website title, response code, server type, trackers, and more
  • Screenshots – the date/time when a new screenshot is captured
  • SSL Certificate updates

Domain History Panel Showing DNS History

Each data element is tracked for differential changes. For instance, with the daily DNS active resolution checks, each day’s results are compared with the previous day’s results. If they are identical, no history update is made. However, if one element changes, a new “differential” record shows the difference between the old and new results. The application shows which specific element was removed from the previous version, and what the added elements are in the new version.

Domain History includes powerful filtering that allows users to target specific history events of interest. For instance, you could filter for just DNS changes, or more specifically, for just IP address changes. Domains with some providers will have frequent IP changes due to round-robin cycling of IPs. To be even more specific, you can filter just for IP address changes when the associated ASN, ISP or even country code changes. This would filter out the “noise” of daily changes to just the IP address itself and let you focus on when the underlying hosting infrastructure changes. Similar filtering can be done across data types like NS, MX and Whois records. 
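To make the differential logic and the ASN/ISP/country filter concrete, here is an added example (not DomainTools code) that diffs constructed daily A-record resolutions for a hypothetical domain and keeps only the events where the underlying hosting changed. The sample IPs and ASNs are constructed documentation values.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not real DomainTools records): daily A-record
# resolutions for a hypothetical domain, each IP annotated with the ASN,
# ISP and country that the Domain History filter keys on.
@dataclass(frozen=True)
class ARecord:
    ip: str
    asn: int
    isp: str
    country: str

@dataclass(frozen=True)
class HistoryEvent:
    day: date
    removed: frozenset      # records present the previous day, gone today
    added: frozenset        # records present today, new since the previous day
    infra_changed: bool     # True if the set of (ASN, ISP, country) changed

def diff_daily(resolutions):
    """Compare each day's A-record set with the previous day's and emit a
    differential record only when something changed."""
    events = []
    days = sorted(resolutions)
    for prev_day, day in zip(days, days[1:]):
        old, new = resolutions[prev_day], resolutions[day]
        if old == new:
            continue  # identical results: no history update is made
        old_infra = {(r.asn, r.isp, r.country) for r in old}
        new_infra = {(r.asn, r.isp, r.country) for r in new}
        events.append(HistoryEvent(day, frozenset(old - new),
                                   frozenset(new - old), old_infra != new_infra))
    return events

def hosting_changes(events):
    """The 'IP changed AND ASN/ISP/country changed' filter: drops round-robin churn."""
    return [e for e in events if e.infra_changed]

CDN = (64496, "ExampleCDN", "US")  # constructed private-use ASN
SAMPLE = {
    date(2023, 9, 1): {ARecord("192.0.2.10", *CDN)},
    date(2023, 9, 2): {ARecord("192.0.2.10", *CDN)},   # unchanged: no event
    date(2023, 9, 3): {ARecord("192.0.2.11", *CDN)},   # round-robin: same ASN
    date(2023, 9, 4): {ARecord("203.0.113.5", 64500, "ExampleHost", "DE")},  # new hosting
}

if __name__ == "__main__":
    for e in diff_daily(SAMPLE):
        print(e.day, sorted(r.ip for r in e.removed), "->",
              sorted(r.ip for r in e.added), "infra_changed:", e.infra_changed)
```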

The one caveat for Domain History is that it’s new, so you should think of this as a feature available for domains that are being created now, and going forward. In reality, it does look back a ways: DNS and Whois data started in Fall 2021, SSL Certificate data in early 2022, and web content in 2023. And, of course, we still have 20+ years of historical Whois records available, and the legacy Hosting History can be accessed in the Investigate UX if needed—that data didn’t go anywhere!

More Web Trackers

We added gathering for multiple web trackers to improve the overall breadth and depth of web content that we capture. The following new tracker codes started being captured in September of 2023: 

  • Google Analytics 4
  • Google Tag Manager
  • Baidu
  • Facebook
  • Hotjar
  • Matomo
  • Statcounter
  • Yandex

Web Trackers in Pivot Engine

Trackers are updated whenever a new screenshot is captured – as is all web content, including SSL certificates. Multiple values are supported for each new tracker type, and all are available as guided pivots and can be used in advanced searches. 

Tracker data is also included in both the Iris Investigate and Iris Enrich APIs. 

SSL Certificate Enhancements

We made multiple improvements to SSL Certificates. We now capture certificates faster for newly active domains, enable users to trigger certificate gathering themselves, provide new options for searching certificate data, and we’ve updated how certificate data is displayed in the Investigate web application. 

A key enhancement is capturing certificates at the same time screenshots are gathered: we automatically take screenshots of all newly active domains – a big win! This means that certificates for those domains will now be available within minutes of the domain being discovered as active, a huge improvement in certificate gathering speed for those domains. 

Since certificates are automatically gathered with screenshots, users can trigger updates on their own. We have relabelled the “Update Screenshot” control to now be “Update Domain.” For either a single domain or multiple domains (using checkboxes in Pivot Engine) users can kick off gathering for screenshots, web content, and SSL certificates. (And see below for the Whois update!)

We have expanded the searchable fields for certificates – you can now use Advanced Search to filter for domains with the following SSL certificate characteristics:

  • Issuer Common Name
  • Subject Common Name
  • Subject Alt Names
  • Not Before and Not After validity dates
  • Duration of certificate validity 

We made two key improvements in displaying certificate data. First, Pivot Engine now includes columns for Issuer Common Name and Subject Alt Names to provide faster context on domain certificates. We’ve also added a certificate “inspect view”: next to certificate hashes we now show a magnifying glass icon. Clicking on it pops up a window displaying full details for the certificate – providing a faster path for you to dive into SSL certificate details when you need them.

User-Triggered Whois Record Gathering

Selecting the “Update Domain” control for one or multiple domains will now trigger a Whois lookup in addition to screenshot, web content and SSL certificate. This can be especially helpful if you want to get current records for multiple domains – Pivot Engine lets you select up to 500 domains in a single page and trigger a refresh. If you have more than that, you can repeat the process on multiple pages. 

CIDR Range Queries in the pDNS Panel

Sometimes you want to see pDNS results for more than just a single IP address. The pDNS panel in Iris Investigate now lets you query for a CIDR range – for instance 63.150.103.144/29. Remember to search with the “search by response” option to see results for the range. And yes, you can search on a /8 (or even a /1, for that matter), but remember, the panel only loads 500 rows by default! 

Iris Investigate and Enrich API Enhancements

The new data features mentioned above for Iris Investigate are equally available in the Iris Investigate and Enrich APIs. The following fields are now included in API responses:

  • SSL Certificate fields:
    • Issuer Common Name
    • Subject Common Name
    • Subject Alt Names
    • Not Before and Not After validity dates
    • Duration of certificate validity 
  • New web tracker codes:
    • Google Analytics 4
    • Google Tag Manager 
    • Baidu
    • Facebook
    • Hotjar
    • Matomo
    • Statcounter
    • Yandex

We continue to bring new capabilities to Iris Investigate and Enrich to make them more powerful in helping customers identify and manage malicious internet infrastructure. If you have any questions, please contact us at [email protected]