Guided Pivots

Guided pivots help identify attributes that are shared with a relatively small number of other domain names. The smaller the count, the more likely the domains are to be related.

How Guided Pivots Work

The Iris Investigate API delivers these counts for nearly every attribute in a domain response, on every domain record, even when processing a batch of domain names.

These counts are included in the API response as a property of the attribute, adjacent to the attribute value. This also explains why the value of a field is one level deeper than you may expect.

Example Response

"ip": [
  {
    "address": { "value": "199.30.228.112", "count": 3 },
    "asn": [
      { "value": 17318, "count": 101 }
    ],
    "country_code": { "value": "us", "count": 239988363 },
    "isp": { "value": "Domaintools LLC", "count": 108 }
  }
]

In this example, the IP address 199.30.228.112 (shared with 3 other domains), ASN 17318 (101) and ISP Domaintools LLC (108) are potential pivot points, or at the very least meaningful analytics for profiling the domain name. The country code, shared with hundreds of millions of domains, is not. For example, an IP address with very few other domains pointed at it often represents dedicated hosting controlled by the same entity.

Using Pivot Counts

In the Iris Investigate UI, we use a default threshold of 500 connections to decide which attributes to draw the user's attention to. Consider starting with a similar threshold for your integration, but provide the user the option to choose a different threshold to match their use case.

Note that empty data elements will have a count of 0.

Pivot Strategies

When analyzing pivot counts:

  1. Low counts (< 100): Strong indicators of related infrastructure
  2. Medium counts (100-500): Potentially meaningful connections worth investigating
  3. High counts (> 500): Common attributes that may not indicate direct relationships
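The following is an added example, not code from the Iris Investigate documentation or the DomainTools client libraries. It walks a domain record of the shape shown above, collects every `{value, count}` attribute, skips empty elements (count 0), applies the 500-connection threshold as a user-adjustable parameter, and labels each candidate with the low/medium/high band from the list above. The sample record is constructed for the example; the treatment of the threshold as inclusive (count <= threshold) and the `registrant_org` field are assumptions, not taken from the page.

```python
from typing import Any, Iterator, Tuple

# Constructed sample record shaped like the response excerpt above (not real API output).
# The "registrant_org" field is an assumed, empty element to show the count-0 rule.
SAMPLE_DOMAIN = {
    "domain": "example.invalid",
    "ip": [
        {
            "address": {"value": "199.30.228.112", "count": 3},
            "asn": [{"value": 17318, "count": 101}],
            "country_code": {"value": "us", "count": 239988363},
            "isp": {"value": "Domaintools LLC", "count": 108},
        }
    ],
    "registrant_org": {"value": "", "count": 0},
}

# Default mirrors the 500-connection threshold used by the Iris Investigate UI.
DEFAULT_THRESHOLD = 500


def is_counted_attribute(node: Any) -> bool:
    """True for the {value, count} leaf objects that carry a guided-pivot count."""
    return isinstance(node, dict) and "value" in node and "count" in node


def walk_counted(node: Any, path: Tuple[str, ...] = ()) -> Iterator[Tuple[str, Any, int]]:
    """Recursively yield (dotted attribute path, value, count) for every counted leaf.

    Lists (e.g. several IPs) do not add a path segment, so all entries of "ip"
    report as "ip.address", "ip.asn", and so on.
    """
    if is_counted_attribute(node):
        yield ".".join(path), node["value"], int(node["count"])
        return
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk_counted(child, path + (key,))
    elif isinstance(node, list):
        for item in node:
            yield from walk_counted(item, path)


def classify(count: int) -> str:
    """Band a pivot count using the strategy bands: <100 low, 100-500 medium, >500 high."""
    if count < 100:
        return "low"
    if count <= 500:
        return "medium"
    return "high"


def guided_pivots(domain_record: dict, threshold: int = DEFAULT_THRESHOLD) -> list:
    """Return attributes worth drawing attention to, smallest count first.

    Count 0 means the element was empty and is never a pivot. The threshold is
    treated as inclusive here (an assumption; adjust to match your integration).
    """
    pivots = []
    for path, value, count in walk_counted(domain_record):
        if count == 0:
            continue
        if count <= threshold:
            pivots.append({"attribute": path, "value": value, "count": count, "band": classify(count)})
    return sorted(pivots, key=lambda p: p["count"])


if __name__ == "__main__":
    for pivot in guided_pivots(SAMPLE_DOMAIN):
        print(f'{pivot["attribute"]:<16} {pivot["value"]!s:<20} count={pivot["count"]:<6} {pivot["band"]}')
```

Because the walk is generic, the same function works for any field in a full domain record, not just the `ip` block shown above; exposing `threshold` as a parameter is the per-user override the text recommends.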

See Also