Dashboard visualization of Iris Investigate

Part I: Product Description

Overview

Malicious and suspicious online activities cause untold harm and financial damage, and many threat actors are proficient at hiding or, at the very least, maintaining a low profile. However, no matter how good their OpSec (operational security), threat actors leave a trail of information in their wake. Analysts and investigators, whether tasked with defending organizations or going on the offensive against threat actors, must make threat assessment decisions, or draw inferences, related to suspect infrastructure or identities, based on the best available information. DomainTools Iris Investigate unites the world’s largest domain profile data store with query tools that complement and enhance natural investigative workflows.

Domain/DNS/IP related investigations can take many different forms and go in many different directions in the pursuit of pertinent and helpful information. Threat Hunters or analysts in a SOC/NOC (Security/Network Operations Center) may be poring over threat indicators in order to assess risk level and define appropriate defensive postures—often in real time and under considerable pressure. In cybercrime investigations, attribution—knowing “who really is” behind observed activity on domains or IP addresses—can be a key goal, whether to prosecute a threat actor or as a means of assessing the risk posed by a particular entity. In all cases, these kinds of investigations frequently involve sifting through many different pieces of data to “connect the dots” and track down a useful identity or profile of the subject.

Iris Investigate’s design is heavily influenced by close work with some of the world’s best cyber intelligence investigators to understand and build upon their workflows, objectives, and operating constraints.

Jump to Section

Part I: Product Description Overview

Key Concepts

Getting Started

Iris Investigate API

The Iris Investigate Interface

Reverse MX

Part II: Example (Fictitious) Investigation Sequence

Key Concepts

There are some concepts and metaphors in Iris Investigate that will become central to your use of the product. It will be helpful to familiarize yourself with these ideas as an introduction to the product itself.

  • Search: The entry point to most investigations is some piece of data, be it a domain name, an IP address, person name, etc. Iris Investigate’s search box accepts any of the above, and many more, as starting points for your investigation. The search function makes an intelligent guess as to what type of data is entered (e.g. domaintools.com is interpreted as a domain; 4.2.2.2 is interpreted as an IP address, etc) and presents the results of that search, from which you can then begin deeper explorations.
  • Investigation: An investigation is the organizing “container” for all of the query operations you do related to that effort. However, you can also perform ad-hoc searches without naming the investigation.
  • Data Panels: Various categories of information, or interpretive presentations of data, are shown in panes called Data Panels, which you can rearrange and resize as you wish. Example Data Panels are the Pivot Engine table, pDNS, Visualization, Whois History, and Stats.
  • Pivoting: The concept of a “pivot” is fundamental to many investigations—that is, given a starting point, discover connections to one or more related items. For example, if the starting point is a domain lookup, a common pivot is on the email address of the registrant of the domain. This pivot shows all of the other domains in the DomainTools database that are connected to that email address. Many datapoints serve as pivots—IP addresses, registrant names, name servers, etc. Most data types shown in Iris Investigate can function as pivot points.
  • Operations Menu: Many of the datapoints enable pivots or other explorations. You can right-click these datapoints to invoke an Operations Menu that provides options for advancing the investigation—usually to perform a pivot, enable a filter, or see further detail about the datapoint. The menu also includes a Copy to Clipboard option for copy/pasting, and if the copied data is a domain name or IP address, the content is automatically defanged (domaintools[.]com) to align with best practices in cybersecurity.

Getting Started

https://iris.domaintools.com/investigate

Iris Investigate requires an Enterprise account login on DomainTools, and your account must include Iris Investigate access. Once you have logged in to Iris Investigate, the initial landing page displays a search box, which allows you to begin your investigation from some of the most common entry points:

  • Domain name (single or list, comma or space delimited)
  • IP address (single or list, comma or space delimited) or range
  • Registrant name (person or organization)
  • Registrant email (single or list, comma or space delimited)
  • Name Server
  • Registrant phone number
  • SSL Hash

Entering one of these query types brings you to the main Iris Investigate interface, with data panels displaying (or ready to display) search results.

You can also open an existing investigation from the landing page, if you have previously created one.

Iris Investigate API

For automated or custom tools that can make use of Iris Investigate data at a scale consistent with interactive investigations (as opposed to high-volume enrichment), an API endpoint providing the same datasets as the Iris Investigate UI is available. Click here for more information about the API.

The Iris Investigate Interface

The interface has four major sections:

  • Search and Search History
  • Data Panel Ribbon 
  • Data Panels
  • Navigation Menu

Figure: the Iris Investigate interface, showing 1) Search and History, 2) Data Panel Ribbon, 3) Data Panels, and 4) the Navigation Menu (expanded).

Search and Search History: The search box accepts simple queries such as a domain name, IP address, or email address. Advanced search accepts multiple parameters and combines them as boolean “and” or “or” searches. Guided inputs let users specify which field to search with a given input, by providing a parameter directly in the search field. Guided search inputs can also be passed by URL (see “Appendix: Guided Search and URL Query Parameters”, below). Search history records a “breadcrumb” trail of the investigation’s queries and pivots. With it you can retrace your steps, explore different branches of the investigation, and keep a record of the steps that led to a particular conclusion. Each node in Search History accepts user notes. Prior searches are revisited with the “Back” button on the far right.

Panel Ribbon: Choose which panel to view. 

Data Panels: This is where you conduct your investigation by working your way through searches, filters, and pivots. Each Data Panel has a specific purpose and set of information that it displays.

Navigation Menu: You can create or open investigations, start an ad-hoc search, adjust the layout, or return to the home page from the Navigation Menu. Click “Iris Investigate” in the upper left corner to open it.

Iris Investigate Themes: Selecting Light or Dark Mode

Iris offers both a Light and a Dark mode, which you can choose according to your preference. You can choose the mode from the Help section, found in the left-hand Navigation bar. In this User Guide you will find some screenshots showing Light Mode and others showing Dark Mode.

Arranging The Data Panels

Ordering Panels: The Panel Ribbon is below the search and history; it lists each panel name horizontally. You have flexibility to control the ordering of all the panels except for Pivot Engine, which is anchored on the far left. To change the order, from the Panel Bar, drag and drop a panel’s title to the desired new position. 

Example: moving Visualization next to Pivot Engine

Panel Sizing: Each data panel can be configured to display as small, medium, or large. To make adjustments, click the sizing icon in the right side of the panel title box.

Or if you place your cursor between panels, the size selector will appear and you can adjust panel sizing from there. You can also double-click on the panel title box to change the size. 

A few details on how panel sizing works: The goal is to use as much of the available screen as possible to show data. The panel on the far left is considered the “active” panel; it is highlighted in blue and given priority for display. As you move across panels, if the far-left one is any size except large, the remaining screen space will display adjacent panels to the right. If you have a large monitor, you can get quite a number of panels displayed side-by-side if you wish. 

Resetting the layout: You can always restore the default or any of the preset layouts by clicking the menu control on the far right of the Panel Bar. You can either reset the order or the sizes of panels to the default. 

Search History

Search trails are displayed in the Search History bar, with the current (or most recent) search at the right. Each node in the history graph represents a specific query. If your search has multiple branches, those branches will show below the corresponding node they branched from. Iris Investigate allows for multiple branches, and the history bar allows you to navigate across the entire history.  

You can click the right and left arrows in the search history bar to move forward and backward in the queries recorded in the history trail.

  • Clicking a history node revisits that query, populating all the Data Panels
  • Hovering over the node invokes a tooltip that shows details about the query, and allows you to highlight or remove the node.

Passive DNS (pDNS) queries are depicted as blue “document” icons. Other queries are depicted as green circles. 

  • You can expand the display by clicking the Open History at the far right of the display. The display provides a dedicated view of all branching in the current search. 

Search Notes

You can add notes to any node in Search History. You can use notes to remind yourself of interesting aspects of a search, or to share information about the search with other users in your group if the investigation is shared. When notes exist for a node, a number on the node indicates how many notes it has. The search nodes in your investigation history also indicate (with a number bubble) the Search Notes count, as well as the nodes Marked as Important.

  • The character limit for each note is 300. However, you can add multiple notes per search node. If the investigation is shared, any member of the group may contribute notes.
  • If you enter an IP address, domain name, or email address in your notes, Iris Investigate enables Operations Menus so that you can search or filter directly from the notes.
  • The Search Notes Drawer appears on mouseover of a search node and provides access to Search Notes, the Mark as Important button, and the Export to Clipboard button, which exports the search hash.

Search History trail logic

  • Normally, each new query adds a node to the right of the previous nodes.
  • When you revisit an earlier query and then make a new query, the path branches, with the latest node on the branch below the initial one.
  • Green indicates the active path. When you revisit an earlier query, node(s) to the right of the revisited node turn yellow as an indication that they may be abandoned paths. If you revisit a yellow node and make a new query, it becomes active (green) again.
  • When you click “Delete,” you have the option of deleting just that node, or that node and all children.

The “Mark as Important” button places a marker on that node of Search History to make it easy to spot and revisit interesting results sets.

You can create a new, empty history branch by clicking the + button. Your next query will be the root node of the new branch. You can also start a new branch with the current node as the root. To do this, click Manage History > New History Branch > Start it with the Current Search.

NOTE: Once you delete a node or a branch, it cannot be recovered.

Pivot Engine

The Pivot Engine is at the heart of many investigations in Iris Investigate. It is an interactive display that enables many different investigative functions, including sorting, filtering, inspecting (via Whois and other tools) and perhaps most importantly, pivoting on various datapoints.

Table Columns (Fields)

By default, the table includes all fields:

  • Domain
  • Status (active or inactive)
  • Tags
  • Lifecycle First Seen (“First Seen” – when DomainTools discovered the domain became active.) 
  • Risk Score (proprietary Domain Risk Score)*
  • Email (registrant email)
  • Email domain
  • Contact Information (registrant, admin, tech, billing, SOA, etc)
  • Registrant
  • Registrant Organization
  • Registrar
  • Registrar Status
  • Create Date
  • Expiration Date
  • Name Server
  • IP (Address, ISP, ASN, Country)
  • Trackers – the following web trackers are gathered with screenshots:
    • Google Adsense
    • Google Universal Analytics
    • Google Analytics 4
    • Google Tag Manager 
    • Baidu
    • Facebook
    • Hotjar
    • Matomo
    • Statcounter
    • Yandex
  • Rank
  • Website Response
  • Website Title
  • Server Type
  • Redirect
  • Redirect Domain
  • MX (Mail Exchanger) Information
  • SSL certificate Hash
  • SSL certificate Organization
  • SSL certificate Subject Alt Names
  • SSL Certificate Issuer
  • TLD (to enable sorting/filtering by TLD in large result sets)

*NOTE: Risk Score is an optional add-on to Iris Investigate. Without this add-on, this column is labeled “Proximity” and reflects only the domain’s level of connection to known-malicious domains.

You can control which fields/columns are shown by clicking the Settings menu at the upper-left corner of the Pivot Engine, and then selecting Views from the menu. Use the checkboxes to choose which columns you wish to see.

You can choose from among several pre-defined views, or save your column selection as a custom view. You can also re-order the Pivot Engine columns by clicking the Ordering button from the same menu.

NOTE: Not all domains will have data for all fields. DomainTools attempts to collect the information represented by each column, but in most cases at least some of the fields will be empty. Domains vary widely in how they are registered and provisioned.

Working with the Table

New investigations always begin with a search on some term. If the term is found in the DomainTools Iris database, the relevant results are displayed in the table (and in other Data Panels as discussed later). Once you have some results to work with, there are several kinds of interactions you can perform from the Pivot Engine table.

You can populate other data panels (such as Domain Profile and Whois History) with details about a specific domain by clicking the domain name in the table. If only one domain matches your query, these details are shown by default.

Operations Menus

Many datapoints in Iris Investigate have an associated right-click Operations Menu.

The Operations Menus offer choices that relate to the datapoint you have selected. All Operations Menus include an option to copy the selected value to your clipboard for pasting anywhere you wish. Data points with domains and IP addresses will automatically be de-fanged for you to prevent unintended visits to those locations. Operations menus also include filters controls (described below), and some datapoints have additional options, such as IP address-related tools or domain-related tools. Operations menus also show how many domains in the DomainTools database match the selected datapoint.

Tagging Domains

Iris Investigate allows you to add your own Domain Tags, in order to add context to domains you’re investigating, and to enable searching and filtering by Tag. You can add Tags from the Pivot Engine, from Domain Profile, or from the Inspect View. In Pivot Engine, you have the option to add multiple Tags by selecting domains via the checkboxes in the Domain column. “Add Tag” appears in the Operations Menu for a domain name, as well as in the selection bar at the top of Pivot Engine when you have selected domains via the checkboxes. You use similar controls to remove Tags. If you wish to add or remove a Tag, begin typing the Tag name, and Iris Investigate will display any matching Tags. Tags are also visible in the Stats Panel.

You can manage your Tags via Tag Manager, which is available from the Navigation bar. In Tag Manager, you can see all tags you or anyone in your group has created, and can also see any Tag Descriptions that may have been added by users. When you select a Tag, you also see any domains associated with the Tag, and you can initiate a new search or a pivot on those domains.

Additionally, Tags are available in the Stats panel and can be selected or unselected from the Pivot Engine for exportation into .csv.

NOTE: Tags are shared at the Group level. This facilitates collaboration among team members. Tags are not shared outside of your Group, so if you export an Iris Investigate investigation hash to a user outside of your group, they will not see your Tags. Group sharing of Tags is independent of the Shared Investigations feature.

Pivoting on Datapoints:

Most cells in the table allow you to “pivot” on that datapoint in order to advance your investigation by selecting “New Search” on the Operations Menu for that item.

Example: Suppose that we want to learn more about the organization behind the domaintools.com web site:

  1. Begin with a search on the term “domaintools.com.” This returns a single row in the table reflecting all of the known datapoints for domaintools.com. In the Email column, you can see that an email associated with the domain is [email protected].
  2. Right-click the email address and, from the Operations Menu, select “New Search.” This is a “pivot” on the email address.
  3. The table now shows each domain tied to [email protected].
  4. “Expand” also facilitates a pivot, by including the original domain and adding any others that match the selected datapoint.

Guided Pivots: to help you quickly identify potentially valuable pivots, Iris Investigate highlights any pivot that connects to 500 or fewer domains. This threshold of 500 is configurable to a lower value, and the guides can be turned off entirely if desired. You configure Guided Pivots from the Settings menu at the top-left corner of the Pivot Engine. The thresholds for highlights can be configured per-field or globally. For each of the Guided Pivots, the average risk of the associated domains is shown as a quick indicator of severity.

Pivot Preview: when you open the Operations Menu from a Guided Pivot, you can open a preview of the domains behind the pivot before actually doing the pivot. When you click the magnifying glass icon, a preview window opens on the right side of the screen. This preview shows the domain names and Domain Risk Scores for the domains “behind” the pivot. This view also shows how many of the domains behind the pivot are already part of your results set, along with additional context on the average risk and age for the set of domains.
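The Guided Pivots logic above (count the domains connected to each datapoint, highlight those at or under a threshold that can be set globally or per field, and report the average risk of the connected set) is easy to reason about against a small data set. The following Python is an added example, not product code: it runs over a constructed, hypothetical slice of a domain database embedded inline, so the counts are relative to that slice rather than to the full DomainTools database, and the field names and records are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records standing in for a slice of a domain database.
# Hypothetical names, addresses and risk scores; not DomainTools data.
DOMAIN_DB = [
    {"domain": "example-one.test",   "email": "reg1@mail.test",      "ns": "ns1.bulkhost.test", "ip": "203.0.113.10", "risk": 80},
    {"domain": "example-two.test",   "email": "reg1@mail.test",      "ns": "ns1.bulkhost.test", "ip": "203.0.113.11", "risk": 60},
    {"domain": "example-three.test", "email": "reg2@mail.test",      "ns": "ns1.bulkhost.test", "ip": "203.0.113.10", "risk": 20},
    {"domain": "example-four.test",  "email": "privacy@proxy.test",  "ns": "ns1.bulkhost.test", "ip": "198.51.100.5", "risk": 10},
    {"domain": "example-five.test",  "email": "privacy@proxy.test",  "ns": "ns2.other.test",    "ip": "198.51.100.6", "risk": 5},
]

# Fields that can act as pivot points in this toy model.
PIVOT_FIELDS = ("email", "ns", "ip")


def build_index(db):
    """Map each (field, value) pair to the list of records that share that value."""
    index = defaultdict(list)
    for rec in db:
        for field in PIVOT_FIELDS:
            index[(field, rec[field])].append(rec)
    return index


def guided_pivots(db, domain, threshold=500, per_field=None, enabled=True):
    """Enumerate the pivot candidates for one domain.

    A candidate is 'guided' when the number of connected domains is at or
    under the limit for that field (per_field overrides the global threshold,
    mirroring the per-field / global configuration described in the guide).
    enabled=False turns the highlighting off entirely.
    """
    per_field = per_field or {}
    index = build_index(db)
    rec = next(r for r in db if r["domain"] == domain)
    candidates = []
    for field in PIVOT_FIELDS:
        connected = index[(field, rec[field])]
        limit = per_field.get(field, threshold)
        candidates.append({
            "field": field,
            "value": rec[field],
            "count": len(connected),                       # includes the starting domain itself
            "avg_risk": mean([r["risk"] for r in connected]),
            "guided": enabled and len(connected) <= limit,
        })
    # Smallest pivots first: those are usually the most specific leads.
    return sorted(candidates, key=lambda c: c["count"])


if __name__ == "__main__":
    # A threshold of 3 is used here only because the constructed slice is tiny.
    for c in guided_pivots(DOMAIN_DB, "example-one.test", threshold=3):
        flag = "GUIDED" if c["guided"] else "      "
        print(f"{flag} {c['field']:<5} {c['value']:<20} domains={c['count']} avg_risk={c['avg_risk']}")
```

With the sample data, the registrant email and the IP address each connect only two domains and are highlighted, while the shared name server connects four and is not, unless the `ns` field is given its own higher limit via `per_field`.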

Filtering from within the table:

The Operations Menus contain the commands Narrow Search, Expand Search, New Search, and Exclude. These provide the same functions as in the filters in Advanced Search, but with the convenience of allowing you to explore from within the table itself rather than having to copy and paste the term into the filters control. “Narrow Search” means that the new search must match both the original search term and the item you just clicked (it performs a logical AND on the two terms). “Expand Search” means that the new search can match either the original search or anything that encompasses the item you just clicked (it performs a logical OR on the two terms). “Exclude” removes any domains that contain the datapoint you wish to exclude.

The Filters display above the table shows these filters. Green boxes connected with a horizontal bar represent logical “OR” queries, and boxes not connected to others represent “AND” statements. (This may seem counterintuitive to some users, but the connected boxes represent an expanded filter, while the disconnected boxes represent a narrowing.)

Click the “X” next to a filter term to refresh the results with that term eliminated.

Column Sorting:

You can sort on most columns in the table. Clicking the column header toggles ascending/descending sorting.

A note on sorting the Email and Email Domain columns: a given domain may have several different email addresses associated with it. This has important implications for sorting these columns in the Pivot Engine Table. The sort logic looks at the alphanumerically lowest/highest email address, and puts the domain containing this address in the first row (or last, depending on ascending vs descending sort). Next comes the domain with the second lowest/highest email address, and so forth. Thus, the first row of the table won’t necessarily contain all of the lowest/highest ranked email addresses in the entire table—it will contain its “own” email addresses, one of which will be the one that matched the sorting rule.

Example: Ascending sort. Domain A has emails “[email protected]” and “[email protected]” while Domain B has emails “[email protected]” and “[email protected].” Domain A is the first row of the table, because “01abc” beats “alice” as the lowest alphanumeric value.

Descending sort, same domains: B is at the top, since “bob” is tied for highest in both, but “alice” from B is alphanumerically higher than “01abc” from A.

This logic works the same for “Email” and “Email Domain.”
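The sort rule just described amounts to comparing each row's emails as an ordered list: the lowest (or highest) address decides, and the next lowest (or highest) breaks ties. The following Python is an added example, not product code. The rows reproduce the Domain A / Domain B case from the text with constructed addresses (the page redacts them), plus a third row with no email to show how an empty cell is handled; where the page does not say how Iris treats empty cells or letter case, the code makes an assumption and says so in a comment.

```python
# Constructed rows: Domain A has "01abc" and "bob", Domain B has "alice" and "bob",
# as in the worked example above; Domain C has no email at all.
SAMPLE_ROWS = [
    {"domain": "domain-a.test", "emails": ["bob@mail.test", "01abc@zeta.test"]},
    {"domain": "domain-b.test", "emails": ["alice@example.test", "bob@mail.test"]},
    {"domain": "domain-c.test", "emails": []},
]


def _sort_values(row, column):
    """Values the sort looks at: full addresses for 'email', the part after '@' for 'email_domain'.
    Comparison is case-insensitive here; that is an assumption, the page does not specify it."""
    vals = row["emails"]
    if column == "email_domain":
        vals = {e.rsplit("@", 1)[-1] for e in vals}
    return [v.lower() for v in vals]


def sort_key(row, column="email", descending=False):
    """Ascending: the row's addresses sorted low-to-high; descending: high-to-low.
    Comparing these lists lexicographically gives exactly the 'lowest decides, then
    next lowest' behaviour described for the Pivot Engine."""
    return sorted(_sort_values(row, column), reverse=descending)


def sort_rows(rows, column="email", descending=False):
    """Sort Pivot Engine style rows on the Email or Email Domain column.
    Rows without any email compare as an empty list: first when ascending,
    last when descending (an implementation choice, not documented on the page)."""
    return sorted(rows, key=lambda r: sort_key(r, column, descending), reverse=descending)


def deciding_value(row, column="email", descending=False):
    """The single address (or email domain) that placed this row: its lowest or highest value."""
    key = sort_key(row, column, descending)
    return key[0] if key else None


if __name__ == "__main__":
    for desc in (False, True):
        order = [r["domain"] for r in sort_rows(SAMPLE_ROWS, descending=desc)]
        print("descending" if desc else "ascending ", order)
```

Ascending puts Domain A first because `01abc` sorts before `alice`; descending puts Domain B first because both rows tie on `bob` and `alice` then beats `01abc`, matching the text. Sorting by Email Domain can produce a different order for the same rows, since only the part after `@` is compared.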

NOTE:

  • You cannot sort on the Name Server column.
  • The Pivot Engine table does not support nested sorting at this time.

Pagination and Results Set Sizes

Iris Investigate supports searches that can return a large number of results. When a search returns more than 500 rows in the table, the results are paginated, with each page capable of supporting up to 500 rows (domains).

Because of the flexible nature of the search filters, it is also relatively easy to create a search that is overly broad. For example, a search on one of the larger privacy service email addresses, or a partial phone number, would be too broad. In such cases, Iris Investigate returns an error asking that you narrow your query. Generally, performing a search within an initial result set (by creating a logical AND filter or by pivoting on a datapoint) will give good results.

Historical Reverse Whois Queries

DomainTools has been collecting data on domains since the early 2000s. In addition to current records, Iris Investigate can find historical records matching email address and registrant information queries. Specifically, the three query types supported are email address, registrant, and “Whois record contains.” By default, historical search is enabled, but you can disable or modify it from the Pivot Engine Settings menu:

Global control for historical searching: You can disable or enable historical searches globally by clearing the checkbox at the top. You can also control the three supported query types individually.

Per-search override: on an individual search, you can enable or disable historical queries on the three supported fields. To override, open the Advanced search controls, click the history icon, and re-run your query. Keep in mind that only the three query types listed above are eligible for historical searches.

NOTE: with historical searching enabled, you will sometimes see domains in the Pivot Engine that do not match your query. The reason for this is that at some time in the domain’s history, it did match the query. To see the record(s) where the domain matched the query, click “See Historical Matches.” This opens Whois History to the most recent record that matched your search term.

Active and Inactive Domains: Iris Investigate will indicate when a domain is inactive with an icon near the domain name in Pivot Engine, and in the Status column. To be marked inactive, the domain must not be registered and must not be delegated in DNS. Because there can be unusual cases in which registered domains do not resolve, or where unregistered domains do resolve, both conditions (not registered, not delegated) must be true for the domain to be marked inactive.

Advanced Search Controls

The advanced controls allow you to stack multiple filters to refine the results of a specific search, and also allow you to set preferences on the display of the data which persist across searches.

Filters: The filter at the top is the original search term; you can then refine your search by adding more filters. For each filter, you select the field and the match rule for that field. For example, your field might be “Registrant” and your match rule might be “Matches” or “Does not match.”

A powerful way to gain insights is to combine filters, which allows you to tailor the search to the exact information you seek. There are two ways in which filters can be combined:

  • Expand your search is a logical “OR” between the new filter and the one above it. For example, you could use “Expand your search” to find any domains whose registrant is “[email protected]” or “[email protected].”
  • Narrow your search is a logical “AND” between the new filter and the one above it. For example, you could search for domains whose registrant is “[email protected]” and which were created on or after July 4, 2002.

Some of the fields/columns, such as the risk score or the date fields, support quantitative matching rules such as “greater than,” “equal to,” and the like.

The match rules vary by field, but in general, the following are available:

  • Begins With
  • Matches
  • Exactly Matches (case sensitive)
  • Does Not Match
  • Does Not Exactly Match (case insensitive)
  • Contains (matches if any term in the query is found)
  • Contains All
  • Does Not Contain
  • Does Not Contain All
  • Ends With
  • Greater Than
  • Greater Than or Equal To
  • Matches (“Equal To” for quantitative fields)
  • Equal To or Less Than
  • Less Than
  • Exactly

The First Seen and Create Date fields support a special option: “Within”. This lets you set up relative time searches. For instance, a search set to show domains with a First Seen within the “Last Day” will return domains that were discovered as newly active within the last 24 hours (localized for your timezone). This can be useful if you have an advanced search that you repeatedly run but want to filter to see just new domains for that search.

Another useful search method in the Advanced controls allows you to find a set of domains that contain a specific string or keyword. For example, by selecting the field “Domain,” the rule “Contains,” and the string “domaintools,” you can see all domains that contain that string within their names. You can specify whether the keyword appears at the beginning, end, or anywhere within the domain name.

Note: A maximum of 2048 filters are allowed per single advanced search. If additional filters are required, we suggest splitting the filters across searches.
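The filter behaviour described in the Advanced Search section and in “Filtering from within the table” above (Narrow = AND, Expand = OR, Exclude, the per-field match rules, quantitative rules on dates and scores, and the relative “Within” window) can be modelled as a small evaluator over a set of records. The following Python is an added example, not product code: the records are constructed and hypothetical, the rule names are spelled as in the list above, and the left-to-right evaluation order, the case-insensitivity of the plain text rules (with “Exactly Matches” case-sensitive, as stated), and the `now` parameter for “Within” are assumptions made so the example is self-contained and testable.

```python
from datetime import date, datetime, timedelta

# Constructed sample records (hypothetical; not DomainTools data).
RECORDS = [
    {"domain": "domaintools-login.test", "registrant": "Acme Holdings", "create_date": date(2024, 3, 1),
     "risk": 85, "first_seen": datetime(2024, 6, 1, 12, 0)},
    {"domain": "shop-example.test", "registrant": "acme holdings", "create_date": date(2001, 1, 15),
     "risk": 10, "first_seen": datetime(2001, 1, 16, 0, 0)},
    {"domain": "domaintools.test", "registrant": "Other Org", "create_date": date(2024, 5, 30),
     "risk": 40, "first_seen": datetime(2024, 6, 1, 8, 0)},
    {"domain": "unrelated.test", "registrant": "Other Org", "create_date": date(2010, 7, 4),
     "risk": 5, "first_seen": datetime(2010, 7, 5, 0, 0)},
]

MAX_FILTERS = 2048  # limit stated in the guide


def matches(value, rule, target, now=None):
    """Apply one match rule to one field value.

    Text rules compare case-insensitively except 'exactly matches'.
    'contains' is true if ANY whitespace-separated term is found; 'contains all'
    needs every term. Quantitative rules apply to numbers and dates; 'within'
    takes a timedelta and is evaluated relative to `now` (defaults to the clock).
    """
    try:
        if rule == "within":
            return value >= (now or datetime.now()) - target
        if isinstance(value, (int, float, date)):
            return {
                "greater than": value > target,
                "greater than or equal to": value >= target,
                "equal to": value == target,
                "equal to or less than": value <= target,
                "less than": value < target,
            }[rule]
        v, t = str(value).lower(), str(target).lower()
        terms = t.split()
        return {
            "begins with": v.startswith(t),
            "ends with": v.endswith(t),
            "matches": v == t,
            "does not match": v != t,
            "exactly matches": str(value) == str(target),
            "contains": any(x in v for x in terms),
            "contains all": all(x in v for x in terms),
            "does not contain": not any(x in v for x in terms),
            "does not contain all": not all(x in v for x in terms),
        }[rule]
    except KeyError:
        raise ValueError(f"rule {rule!r} is not valid for value {value!r}") from None


def run_search(records, filters, now=None):
    """filters: list of (combine, field, rule, target). The first filter is the
    original search term and its combine value is ignored. Each later filter is
    folded in left to right: 'narrow' = AND, 'expand' = OR, 'exclude' = AND NOT."""
    if len(filters) > MAX_FILTERS:
        raise ValueError(f"at most {MAX_FILTERS} filters per search")
    result = None
    for combine, field, rule, target in filters:
        hits = {r["domain"] for r in records if matches(r[field], rule, target, now)}
        if result is None:
            result = hits
        elif combine == "narrow":
            result &= hits
        elif combine == "expand":
            result |= hits
        elif combine == "exclude":
            result -= hits
        else:
            raise ValueError(f"unknown combine mode {combine!r}")
    return sorted(result or set())


if __name__ == "__main__":
    # Domains containing "domaintools", created on or after 4 July 2002, minus one registrant.
    print(run_search(RECORDS, [
        ("new", "domain", "contains", "domaintools"),
        ("narrow", "create_date", "greater than or equal to", date(2002, 7, 4)),
        ("exclude", "registrant", "matches", "Acme Holdings"),
    ]))
```

The keyword search from the paragraph above is the `("domain", "contains", "domaintools")` filter; stacking a `narrow` on Create Date reproduces the AND example from the Expand/Narrow list, and an `expand` on a second registrant reproduces the OR example.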

Downloading Pivot Engine Results

The data from the Pivot Engine may be valuable for you to use in other systems, for sharing with a trust group, or for further analysis. The download control is near the upper-right corner of the Pivot Engine table. You can download the contents of the Pivot Engine in three formats:

  • As a .csv file
  • As a STIX 1.2 document
  • As a STIX 2.0 document

NOTE: Some fields in the Pivot Engine contain multiple values. Examples are IP address and Name Server. In order to accommodate multiple values, you may see some columns repeated in the .csv export. This maintains a single value in each cell of the .csv table.

For more information about STIX, please refer to https://stixproject.github.io/
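Because the .csv export repeats a column once per value for multi-valued fields such as IP and Name Server, a script that consumes the file has to fold those repeated columns back into lists. The following Python is an added example, not product code, and the header names and sample rows are constructed to illustrate the layout described in the note above rather than copied from an actual export; `parse_export` folds repeated columns into lists and `write_export` produces the same repeated-column layout from parsed records.

```python
import csv
import io

# Constructed sample export in the repeated-column style described above.
# Header names and values are assumptions, not the product's actual export.
SAMPLE_CSV = """Domain,Risk Score,IP,IP,Name Server,Name Server
example-a.test,72,203.0.113.10,203.0.113.11,ns1.host.test,ns2.host.test
example-b.test,15,198.51.100.5,,ns1.other.test,
"""


def parse_export(text, multi_fields=()):
    """Parse a repeated-column CSV into one dict per row.

    A column that appears more than once in the header (or is named in
    multi_fields) becomes a list, with blank padding cells dropped; every other
    column stays a plain string.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    multi = set(multi_fields) | {c for c in header if header.count(c) > 1}
    records = []
    for values in reader:
        if not any(values):          # skip blank lines
            continue
        rec = {}
        for col, val in zip(header, values):
            if col in multi:
                rec.setdefault(col, [])
                if val != "":
                    rec[col].append(val)
            else:
                rec[col] = val
        records.append(rec)
    return records


def write_export(records):
    """Inverse of parse_export: list-valued fields get one column per value,
    sized to the widest row, with shorter rows padded by blank cells."""
    fields = []
    for rec in records:
        for f in rec:
            if f not in fields:
                fields.append(f)
    width = {
        f: max([len(r[f]) if isinstance(r.get(f), list) else 1 for r in records] + [1])
        for f in fields
    }
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([f for f in fields for _ in range(width[f])])
    for rec in records:
        row = []
        for f in fields:
            vals = rec.get(f, "")
            vals = list(vals) if isinstance(vals, list) else [vals]
            row.extend((vals + [""] * width[f])[: width[f]])
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    for rec in parse_export(SAMPLE_CSV):
        print(rec["Domain"], rec["IP"], rec["Name Server"])
```

Pass `multi_fields=("IP", "Name Server")` when reading an export in which a multi-valued field happened to need only one column, so it is still returned as a list and downstream code sees a consistent type.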

Domain Profile Data Panel

While the columns of the Pivot Engine table show a wealth of information about the domains under review, it can be handy to see key information about an individual domain in a single pane. The Domain Profile data panel provides such a view. It is invoked by clicking the domain name cell in the Pivot Engine table, or by double-clicking a domain node in Visualization. It can be viewed in small, medium, and wide widths (medium shown here).

The Domain Profile panel shows the following information:

  • Domain name
  • Risk/Proximity score
  • Screenshot
  • Recent Passive DNS resolutions
  • Dates: First Seen date/time, Whois Create Date and Expiration Date
  • Email address(es)
  • Registrant Organization
  • Registrar
  • Registrar Status
  • Name Servers
  • IP addresses
  • IP location
  • ASN
  • Whois History summary
  • Website title and server type
  • “Raw” Whois record

You can right-click many of the datapoints to invoke a context-appropriate Operations Menu. For the History summaries, there’s a control to take you to the corresponding data panel.

Passive DNS (pDNS) Data Panel

Some of the most valuable information about infrastructure often comes from passive DNS data. By showing current and past domain to IP resolutions and date stamps bracketing when a given resolution was observed, pDNS can help investigators build maps of threat infrastructure, and to characterize individual or multiple domains or IP addresses. In the case of an IP address, knowing what domains are hosted on it (and have been previously) can help gauge the threat level of the IP address, and in the case of a domain, knowing which IPs the domain or hostname has resolved to can help an investigator learn more about the domain. The pDNS Data Panel works interactively with other Data Panels such as the Pivot Engine or Visualization.

The pDNS data in Iris Investigate include the following record types:

  • A: IPv4 resolutions for domains and subdomains/hostnames (by default, the pDNS panel shows A records only)
  • AAAA: IPv6 resolutions for domains and subdomains
  • NS: name server
  • SOA: Start Of Authority email addresses and name servers
  • MX: Mail server host names and IP addresses
  • CNAME: alias records mapping one hostname to another
  • TXT: optional catch-all record that may contain arbitrary descriptive information

There are two main ways to query pDNS data: directly or as a pivot from elsewhere in Iris Investigate.

  • Direct: in the main Iris Investigate search box, or in the pDNS Data Panel, you can enter a term in the search box, and work with the resulting data set.
  • As a pivot: you can invoke an Operations Menu on a domain or IP address from anywhere in Iris Investigate and query pDNS for resolution data for that domain or IP. The data appears in the pDNS Data Panel.

Query vs Response

In general, when you are interested in a domain name, the most interesting records are the A records giving the IP address(es) for that domain. Likewise, when you are interested in an IP address, the most interesting records are typically the A records for all domains that resolve (or did resolve) to that IP address. Each of these cases looks at the A record from a different “direction.” In the pDNS panel, this is handled by the query/response toggle next to the search box.

Example:

  • Domain (or hostname) as starting point: the query setting gives you the IP addresses that correspond to the domain. The same domain appears in every row, because the domain was the query, and the IP address(es) are the response.
  • IP address (or CIDR range) as starting point: the response setting gives you all of the domains for which this IP address/CIDR range was the response–in other words, all of the domains hosted on the IP.

Reversing these typically doesn’t yield many records–often none. This is because in DNS A records, the domain is the query and the IP address is the response. If you enter a domain with the toggle set to response, or an IP address with the toggle set to query, and no results appear, try flipping the toggle and re-running the search.

NOTE: In technical terms, the query is the rrname, the type of record is the rtype, and the response is the rdata.
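The query/response toggle described above, as an added example that is not DomainTools code: each passive DNS record is modelled as (rrname, rtype, rdata), a domain term is matched against the rrname under the query setting, and an IP or CIDR term is matched against the rdata under the response setting. The records, names and addresses are constructed.

```python
"""Added example, not DomainTools code: how the pDNS query/response toggle
selects records. A passive DNS record is (rrname, rtype, rdata): the rrname
is the query and the rdata is the response. All records are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PdnsRecord:
    rrname: str  # the query: a domain or hostname
    rtype: str   # A, NS, MX, SOA, CNAME or TXT
    rdata: str   # the response: an IP address, hostname, text, ...


# Constructed sample data set (documentation-range addresses, .test names).
RECORDS = [
    PdnsRecord("example-one.test", "A", "192.0.2.10"),
    PdnsRecord("example-two.test", "A", "192.0.2.11"),
    PdnsRecord("example-one.test", "A", "198.51.100.7"),
    PdnsRecord("example-three.test", "NS", "ns1.example-one.test"),
    PdnsRecord("example-four.test", "A", "203.0.113.5"),
]


def _in_range(addr: str, target: str) -> bool:
    """True when addr lies inside target, a single IP or a CIDR range."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(target, strict=False)
    except ValueError:  # target is not an IP/CIDR (e.g. a domain name)
        return False


def search(term, toggle, rtype="A", records=RECORDS):
    """Return the rows the pDNS panel would show for term with the toggle.

    toggle="query":    term is matched against rrname (domain as start).
    toggle="response": term is matched against rdata; for A records an IP
                       or CIDR term matches any address inside it.
    """
    if toggle not in ("query", "response"):
        raise ValueError("toggle must be 'query' or 'response'")
    hits = []
    for rec in records:
        if rec.rtype != rtype:
            continue
        if toggle == "query" and rec.rrname == term:
            hits.append(rec)
        elif toggle == "response" and (
            rec.rdata == term or (rtype == "A" and _in_range(rec.rdata, term))
        ):
            hits.append(rec)
    return hits


def search_with_flip_hint(term, toggle, rtype="A", records=RECORDS):
    """Apply the panel's advice: when a search returns nothing, report which
    toggle setting would have produced rows (None if neither does)."""
    hits = search(term, toggle, rtype, records)
    if hits:
        return hits, None
    other = "response" if toggle == "query" else "query"
    return hits, other if search(term, other, rtype, records) else None
```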

Sorting and Filtering

You can sort the columns in the pDNS table to bring the most relevant items to the top of the table. You can also use the filter controls above the table to narrow the data down toward the specific answers you seek.

Sending to Pivot Engine

When you develop a set of results in pDNS and want to know more about the domains in the results set, you can click “Send Domain Results To Pivot Engine” to look up that set of domains. There are three options:

  • As new query: this performs a Pivot Engine search on just the domains from the pDNS panel
  • As a logical OR to the existing query: this expands an existing Pivot Engine query to include any domains from pDNS that were not part of the existing query
  • As a logical AND to the existing query: this narrows an existing Pivot Engine query such that the query is the intersection of the existing Pivot Engine filters and the domain(s) sent from pDNS

NOTE: While the command is labeled “Send Domain Results To Pivot Engine,” the resulting query is also reflected in Visualization, Stats, etc.

SSL Profile Data Panel

SSL certificates are an excellent means of characterizing domains and finding connections to related infrastructure. The SSL Profile data panel lets you examine certificates in detail, and in some cases, to find additional pivots that would not have been available elsewhere.

When DomainTools finds more than one certificate on a domain, Iris Investigate shows the certificates in separate tabs.

The additional pivots from an SSL/TLS certificate are found in the Subject Alternative Names section. From this section, you can right-click any of the domains to open an Operations Menu. If you wish to examine all of the domains from this section, you can click the button pictured below to send all domains to the Pivot Engine. This way, you can find out more about the registration, infrastructure, and web metadata for the domains.

Visualization Data Panel

It is often important to identify and interpret relationships among domains, registrants, IP addresses, and other datapoints. While the Pivot Engine table generally contains the data that defines these relationships, it can be difficult to gain fast insights when relying solely on the table. The Visualization Data Panel depicts relationships and connections graphically, and allows you to revise your queries from the nodes on the visual graph.

Domains are always represented by blue dots in visualizations; the color-coding for the other fields can be seen in the legend in the upper left. A domain can be either a larger or a normal-sized dot. The larger dots represent domains with high risk scores of 70 or higher. The legend also shows how many instances there are for each field in the graph. Select Edit Fields to choose up to 4 fields (plus domain) to view.

Node Inspector

Use Node Inspector on the right to view the values for each of the fields. You can search for a specific value or filter by field. Node Inspector also shows guided pivots so you can progress your search directly from the Visualization pane. 

Link Degree

The Link Degree control in the lower-right lets you filter out data points that have either too many or too few connections. Filtering out data points with too many connections can be useful when many domains share the same data point, causing too much noise in the visualization. Filtering out data points with too few connections can help bring focus to specific clusters of domains that may otherwise be difficult to identify.

Example: if three domains share one IP address and four domains share another IP address, by moving the Link Degree Minimum to four, you filter out the three domains sharing the first IP Address.

Pivoting and Filtering From the Graphs

You can right-click a node in the graph to invoke an Operations Menu, which allows you to pivot, filter, etc.

Manipulating the Graphs

Double-clicking a domain or IP address node puts that item into its respective data panel. When you hover over a node on the graph, that node and those directly connected to it are highlighted. You can zoom in and out on the graph, and you can also drag an item in the Force layout in order to put the most interesting data in the center. 

You can see a full list of graph controls by clicking the ? button.

Stats/IP Tools Data Panel

Stats

When a query produces a results set of two or more domains, it can be helpful to see aggregate statistics on certain key datapoints, to identify clusters of related objects or to spot patterns.

The Stats Data Panel shows the number of occurrences of datapoints within the displayed results set. In some cases, such as date fields and risk score, domains in the result set are grouped in sets, rather than by individual values.

Each of the data types is represented graphically (a map for IP country and pie charts for all others) and in a table. Hovering over an item in the graph highlights the corresponding datapoint in the table and vice versa. The graphs and tables also depict the relative (graphs) and absolute (tables) number of occurrences of each value in the results set.

Right-clicking any datapoint invokes the corresponding Operations Menu. You can select any of the operations to continue your investigation.

In the settings menu within the Stats Panel, under Sorting, you can choose to have guided pivots ordered first. This can help you find guided pivots in the data sets that can lead to more insights within your investigation. 

NOTE: Stats aggregates data for up to 2500 records (domains). For results sets over 2500 domains, Stats covers only the first 2500 domains.

IP Tools and IP Profile Data Panels

IP Profile is analogous to the Domain Profile panel. It provides key datapoints, as well as the raw Whois record, for the IP address. You can pivot on the IP itself in order to modify or begin a search on that address.

There are three tools available in the IP Tools Data Panel.

  • Ping: It can be useful to ping IP addresses from a source other than your own location. This generally tells you whether the IP address is reachable, and since the pings originate from DomainTools rather than from your own computer, the target IP address has no record of your location in pinging it.
  • Traceroute: As with Ping, you can see the results of a traceroute performed from DomainTools (rather than from your own computer). This can give insight into hosting, routing, and reachability of the IP address.
  • PTR: The DNS Pointer (PTR) record is commonly used as a form of Reverse DNS lookup. It shows the CNAME of the IP address, which tells you about the actual owner of the address (often a hosting provider) but not necessarily about the domains that may be hosted on that address.

In most places where an IP address is displayed across Iris Investigate, a magnifying glass icon appears just to the right of the address. Selecting the icon will bring up the IP Inspect view, which is a fast way to view the IP Profile and IP Tools data for an IP address without losing your place in the UX. 

Whois History Data Panel

Investigations into who owns or controls a domain can be frustrated by private or falsified data in the Whois record for the domain. However, in many cases, an earlier Whois record shows useful ownership information. When such information is found, you can then take other steps to help establish whether the ownership information in the historical record corresponds to the current owner of the domain.

The Whois History Data Panel shows, by default, the current Whois record for the domain, with a vertical timeline of earlier dates for which DomainTools has a historical Whois record. You can click a date in the vertical timeline to see the Whois record from that date, or you can use the Previous and Next buttons to browse through the historical records.

View Changes: There are three different views that depict the changes between the currently-displayed and immediately previous Whois records. The Side by Side and Inline views highlight the rows in the Whois record that differ between the two records. Raw Records simply shows the two records side by side with no highlights.

Unique Emails: registrant email addresses from the Whois record are also displayed. You can right-click an email address to invoke a basic pivot Operations Menu (Narrow Search, Expand Search, New Search) for that email address.

Domain History Data Panel

Domain History shows how a domain has evolved over time. This can help investigators see when a domain switches to potentially become malicious by tracing who controlled it, where it was hosted, what web content it was providing and more. History records can provide a “missing link” to find elusive ownership details or to confirm connection to other domains or IP addresses.

Domain History is a replacement for the legacy Hosting History service – it covers many more fields and works for all domains tracked by DomainTools. The tracked data elements include:

  • Status – when a domain is seen as newly active by DomainTools, or when a domain becomes inactive
  • Whois data – create/expiration dates, registrar and registrant names, contact emails, and more
  • DNS data – results of the daily active DNS resolutions for A, NS, MX and SOA records
  • Web content – website title, response code, server type, trackers, and more
  • Screenshots – the date/time when a new screenshot is captured
  • SSL Certificate – certificate updates

Each data element is tracked for differential changes. For instance, with the daily DNS active resolution checks, each day’s results are compared with the previous day’s results. If they are identical, no history update is made. However, if one element changes, a new “differential” record shows the difference between the old and new results. In the panel, the removed element is indicated by red shading and a short vertical bar. The newly added element is shaded green and also has a short vertical bar. Unchanged elements have no special formatting.  

The above example shows that new website title and certificate data were collected – with the updated website title making the domain appear much more risky than before!

Domain History includes powerful filtering. Users can target specific history events of interest. For instance, you could filter for just DNS changes. Or more specifically, for just IP address changes. Domains with some providers will have frequent IP changes due to round-robin cycling of IPs. To be even more specific, you can filter just for IP address changes when the associated ASN, ISP or even country code changes. This would filter out the “noise” of daily changes to just the IP address and let you focus on when the underlying hosting infrastructure changes. Similar filtering can be done across data types like NS, MX and Whois records. 

There are two levels of filtering for Domain History. Using the settings (located in the upper right of the Domain History panel), choose the fields for which you want to see history events. This is where you could choose to see history events only for IP ASN changes instead of for any IP change. You can choose from over 50 options to target the history you want to see.


You can also quickly toggle between categories of history by selecting the drop-down in the field column header in the history table. The list of available options is linked to the data types you have already chosen from the settings window. This would let you quickly focus on say IP address changes or web content changes or something else of interest. 
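The differential records and the two filtering levels described above, as an added example that is not DomainTools code: daily DNS snapshots are compared pairwise, a record is emitted only where a field changed, and the filter can drop IP changes that stay within the same ASN (the round-robin noise). The snapshots and the IP-to-ASN table are constructed.

```python
"""Added example, not DomainTools code: producing "differential" history
records from daily DNS snapshots and filtering them the way the Domain
History settings allow (any IP change, or only IP changes where the ASN
changes). Snapshots and the ASN lookup table are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    day: str
    a: frozenset    # A record IPs resolved that day
    ns: frozenset   # NS hostnames resolved that day


@dataclass
class HistoryEvent:
    day: str
    field: str            # "ip" or "ns"
    removed: frozenset    # shown red in the panel
    added: frozenset      # shown green in the panel
    asn_changed: bool = False


# Constructed stand-in for DomainTools' IP-to-ASN enrichment.
ASN = {"192.0.2.10": 64496, "192.0.2.11": 64496, "198.51.100.7": 64497}

# Constructed daily resolutions: day 2 is a round-robin IP swap within
# one ASN, day 3 is identical to day 2, day 4 moves to another ASN.
SNAPSHOTS = [
    Snapshot("2024-01-01", frozenset({"192.0.2.10"}), frozenset({"ns1.example.test"})),
    Snapshot("2024-01-02", frozenset({"192.0.2.11"}), frozenset({"ns1.example.test"})),
    Snapshot("2024-01-03", frozenset({"192.0.2.11"}), frozenset({"ns1.example.test"})),
    Snapshot("2024-01-04", frozenset({"198.51.100.7"}), frozenset({"ns1.example.test"})),
    Snapshot("2024-01-05", frozenset({"198.51.100.7"}), frozenset({"ns2.example.test"})),
]


def diff_snapshots(snaps=SNAPSHOTS):
    """Compare each day with the previous one; identical fields produce no
    history update, a changed field produces one differential record."""
    events = []
    for prev, cur in zip(snaps, snaps[1:]):
        for name, old, new in (("ip", prev.a, cur.a), ("ns", prev.ns, cur.ns)):
            if old == new:
                continue
            ev = HistoryEvent(cur.day, name, old - new, new - old)
            if name == "ip":
                ev.asn_changed = {ASN.get(i) for i in old} != {ASN.get(i) for i in new}
            events.append(ev)
    return events


def filter_events(events, fields=("ip", "ns"), ip_asn_only=False):
    """Settings-level filter: keep only chosen fields; with ip_asn_only, drop
    IP changes that stay within the same ASN (the daily round-robin noise)."""
    kept = []
    for ev in events:
        if ev.field not in fields:
            continue
        if ip_asn_only and ev.field == "ip" and not ev.asn_changed:
            continue
        kept.append(ev)
    return kept


def render(ev):
    """Text stand-in for the panel's shading: '-' removed, '+' added."""
    parts = [f"-{v}" for v in sorted(ev.removed)] + [f"+{v}" for v in sorted(ev.added)]
    return f"{ev.day} {ev.field}: " + " ".join(parts)
```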

Hosting History Data Panel

The Hosting History Data Panel has been replaced by Domain History and is no longer displayed by default. The newer Domain History includes far more fields and captures data for all domains tracked globally by DomainTools. Hosting History does have one advantage: it includes a longer history record. If you need to view Hosting History for IP, Nameserver and Registrar history, you can open the panel by selecting the Layout Preferences menu located to the far right of all the data panels.

Screenshot History Data Panel

You can often gain insights into a domain by looking at current or historical screenshots of the domain’s main Web page. The Screenshot History data panel provides an index of dates for which DomainTools has an archived screenshot for the domain. If Screenshot History is empty, you can queue the domain for a screenshot, which will typically be available within 24 hours (often much sooner).

NOTE: many domains under investigation are not safe to visit, but it can be valuable to see what their main pages look like. You can use the screenshot on the Domain Profile data panel to see the current screenshot without having to visit the site.

When multiple historical screenshots are available, you can browse through them using the < or > buttons. You can also see all historical screenshots in a scrolling column by clicking “See all.”

Sharing Investigations

If you are a member of a group of DomainTools users within your organization, you can choose to share investigations with others in your group. You may also receive investigations that others have shared with you. Sharing is group-wide; that is, you cannot choose individual members of the group with whom to share an investigation.

By default, investigations are private. If you wish to share an investigation, open the left-side Navigation Panel and click the name of your current investigation; the Edit Investigation dialog will appear with the available sharing options.

You can share or unshare the investigation at any time. There are three levels of control you can give others:

  • Share this investigation with my DomainTools group: Others in your group can see the investigation as a read-only artifact; they may not perform pivots, deletions, etc. However, they can still explore the various Data Panels to see different aspects of the data.
  • Allow others to edit this investigation: Any other member of the group can do pivots, new searches, filters, etc. However, they may not delete any node in Search History.
  • Allow others to delete searches: All members of the group have equal privileges within the investigation, including deleting nodes in Search History. Only the original owner can delete the investigation itself or edit its name and description, but in every other respect all group members have equivalent privileges.

Seeing actions taken by other members

When an investigation is shared with you, you receive a browser notification, if your browser settings permit them. The investigation will also appear in your investigation list, grouped under the heading “Investigations shared with you”.

When other users perform searches or pivots, those nodes appear in Search History with a sharing icon, and also trigger browser notifications. In the screenshot example below showing search history for a shared investigation, the second node was created by a different user.  

If you unshare an investigation, the investigation disappears for other group members. 

NOTE: Sharing does not affect the Data Panel organization of any other user. If Alice shares an investigation with her group, and notices something interesting in Visualization, others in her group will not automatically be directed to Visualization. If she wishes to point her findings out to Bob, Bob will need to make sure Visualization is open on his Iris Investigate instance.

Investigation Reports

You may wish to share the findings of your investigations with others inside or outside of your organization. You can create a printable report, exported as a PDF document, with the following information from your investigation:

  • Inspect View: From the Inspect View you can print or export to PDF from each of the following tabs: Domain Profile, Screenshot History, Whois History, Hosting History, and SSL Profile.
  • Title and Summary: These are taken from the name and description (if any) that you have given to the investigation.
  • Investigation Path: A tabular representation of Search History, indicating what actions led to each set of results. If Notes were added to any node of Search History, the notes are included in the Report.
  • Stats: The contents of the Stats data panel are listed by section.
  • Visualization: The Visualization graph is depicted. (NOTE: for large search results, the visualization graph may not be practical to read on a printed page. In such cases, you can download the .png file directly from the Visualization Data Panel in order to have a zoomable, high-resolution image of the graph).
  • Pivot Engine: The data from the Pivot Engine is given in tabular format. The columns in this section of the Report correspond to the columns you see in your Pivot Engine view.

There are several things to know about how Reports are generated:

  • The report is based on the current search. If you have revisited an earlier step of your investigation but want to report on the final step, be sure to click on that step in Search History before you generate the report.
  • The Stats, Visualization, and Pivot Engine Data Panels have to be active in order for their contents to be included in the report. Stats and Pivot Engine don’t have to be in focus, but they must not be completely closed.
  • The Visualization panel must be in focus (i.e. presented on your screen) in order to be included in the report. The report will show Visualization as it appears. This means you should center the graph and adjust the zoom level according to how you wish to see it on the printed page.
  • For searches with results over 500 domains, the report will reflect the page of results on Pivot Engine that you are currently viewing. For example, if you have moved Pivot Engine to Page 2, the report will print the domains and Visualization of the domains shown on that Pivot Engine page.

Appendix: Guided Search and URL Query Parameters

Guided search inputs are accepted in the Iris Investigate search bar, and guided search parameters can also be passed to Iris Investigate in a URL. The guided search parameters and accepted operators are listed in this appendix.

For example, searching Iris Investigate for 209242 to locate domains on the Autonomous System Number (ASN) ASN209242 will return results for the string 209242, including user accounts and email addresses.

However, the search string ip.asn:"209242" will instruct Iris Investigate to search only ASNs.

These two searches can also be accomplished with a URL query parameter. A generic search for 209242 is constructed as:

https://iris.domaintools.com/investigate/search/?q="209242"

A guided search for ASN209242, however, is written as:

https://iris.domaintools.com/investigate/search/?q=ip.asn:"209242"

Supported operators include:

Operator      Definition
: or =        Equal
!= or <>      Not equal
>             Greater than
>=            Greater than or equal to
<             Less than
<=            Less than or equal to

Supported fields include:

ad: AdSense
cons: Contact Information
cons.cc: Contact Country Code
cons.nm: Contact Name
cons.ph: Contact Phone
cons.str: Contact Street
cr: Risk Score
cre: Create Date
domain: Domain
em: Email
empa: Email - Admin
empb: Email - Billing
ema: Email - DNS/SOA
empr: Email - Registrant
empt: Email - Technical
emw: Email - Whois
emd: Email Domain
exp: Expiration Date
current_lifecycle_first_seen: First Seen
ga: Google Analytics
ip: IP
ip.ip: IP
ip.asn: IP ASN
ip.cc: IP Country Code
ip.isp: ISP IP Information
mx: MX record
mx.mx: MX Server
mx.mxd: MX Server Domain
mx.mip: MX Server IP
ns.ns: Name Server
ns.nsd: Name Server Domain
ns.nip: Name Server IP
rp: Proximity
popularity_rank: Rank
rdd: Redirect Domain
r_n: Registrant
r_o: Registrant Organization
reg: Registrar
ssl: SSL Information
ssl.alt_names: SSL Alt Names
ssl.duration: SSL Duration (days)
ssl.em: SSL Email
ssl.sh: SSL Hash
ssl.issuer_common_name: SSL Issuer Common Name
ssl.not_after: SSL Not After Date
ssl.not_before: SSL Not Before Date
ssl.s: SSL Subject
ssl.common_name: SSL Subject Common Name
ssl.so: SSL Subject Org Name
server_type: Server Type
active: Status
tld: TLD
tags: Tags
title: Website Title
whois: Whois Record
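The generic-versus-guided distinction and the URL form described in this appendix, as an added example that is not DomainTools code: a search-bar input is classified as generic or guided, the field and operator are checked against the lists above, and the search URL is built. Percent-encoding of the q= value is an assumption here; the page shows the raw form.

```python
"""Added example, not DomainTools code: telling a generic search apart from a
guided search, validating the field and operator against the lists in this
appendix, and building the search URL. The percent-encoding of q= is an
assumption; the page shows the raw form."""
import re
from urllib.parse import quote

SEARCH_URL = "https://iris.domaintools.com/investigate/search/"
OPERATORS = {":", "=", "!=", "<>", ">", ">=", "<", "<="}
FIELDS = {
    "ad", "cons", "cons.cc", "cons.nm", "cons.ph", "cons.str", "cr", "cre",
    "domain", "em", "empa", "empb", "ema", "empr", "empt", "emw", "emd", "exp",
    "current_lifecycle_first_seen", "ga", "ip", "ip.ip", "ip.asn", "ip.cc",
    "ip.isp", "mx", "mx.mx", "mx.mxd", "mx.mip", "ns.ns", "ns.nsd", "ns.nip",
    "rp", "popularity_rank", "rdd", "r_n", "r_o", "reg", "ssl", "ssl.alt_names",
    "ssl.duration", "ssl.em", "ssl.sh", "ssl.issuer_common_name", "ssl.not_after",
    "ssl.not_before", "ssl.s", "ssl.common_name", "ssl.so", "server_type",
    "active", "tld", "tags", "title", "whois",
}
# Field, then the two-character operators first so ">=" is not read as ">".
TERM_RE = re.compile(r'^([a-z_.]+)(!=|<>|>=|<=|:|=|>|<)"?([^"]*)"?$')


def parse_search(text):
    """Classify a search-bar input. A bare value such as 209242 is a generic
    search over every field; field<op>"value" is a guided search."""
    m = TERM_RE.match(text.strip())
    if not m:
        return {"kind": "generic", "value": text.strip().strip('"')}
    field, op, value = m.groups()
    if field not in FIELDS:
        raise ValueError(f"unknown guided search field: {field}")
    return {"kind": "guided", "field": field, "op": op, "value": value}


def guided_term(field, op, value):
    """Build one guided search term, e.g. ip.asn:"209242"."""
    if field not in FIELDS:
        raise ValueError(f"unknown guided search field: {field}")
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator: {op}")
    return f'{field}{op}"{value}"'


def search_url(text):
    """Return the URL form of a search after validating it."""
    parse_search(text)  # raises on an unknown guided search field
    return f"{SEARCH_URL}?q={quote(text.strip(), safe='')}"
```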

Part II