Iris Investigate: API Reference Guide¶
Overview¶
The Iris Investigate API is ideally suited for investigate and orchestrate use cases at human scale.
Consult the OpenAPI reference for the Iris API suite for more additional detail.
Key characteristics of the Iris Investigate API include:
- Dozens of domain name attributes on every result, including:
- Domain risk scores from proximity and threat profile algorithms
- RDAP, WHOIS, IP, active DNS, website & SSL data
- Counts of connected domains on most attributes
- Unified API endpoint for both domain profiles & pivot searches
- Support for batch processing and pagination
- Search by identity, IP, name server, mail server, SSL certificate, & more
- Offered with interactive Iris web app
Getting Started¶
API Endpoint¶
API Authentication¶
The Iris APIs share the same authentication mechanisms as DomainTools Feeds.
Credentials are linked to your organization's DomainTools enterprise account, which must be authorized for Iris Investigate.
Get started with Header Authentication by passing your API key in the X-Api-Key
header field (example below)
Query Limits and Testing¶
Query limits are inherited from and shared with Iris Investigate UI limits.
Note
Please test and configure with no-charge test queries.
Use no-charge test queries for configuration: ?domain=domaintools.com
and ?ip=199.30.228.112
.
Retrieve Domain Records with a Test Query¶
Submit a HTTP GET request:
Default records for domaintools.com
are returned as objects in the results
array.
{
"response": {
"limit_exceeded": false,
"has_more_results": false,
"message": "Enjoy your data.",
"results_count": 1,
"total_count": 1,
"results": [
{
"domain": "domaintools.com",
"whois_url": "https://whois.domaintools.com/domaintools.com",
"adsense": {
"value": "",
"count": 0
},
...
}
]
}
}
Search for a Set of Domain Names¶
Search for a single domain name:
Pass a comma-separated list of up to 100 domain names in a HTTP GET request:
Consider using a POST request for multiple domains:
curl -X POST 'https://api.domaintools.com/v1/iris-investigate/' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'X-Api-Key: YOUR_API_KEY' \
-d 'domain=domaintools.com,domaintools.net,example.com'
Use Base Search and Search Filter Parameters¶
Iris Investigate supports a set of base search parameters, and filter parameters. Base search parameters can be used on their own or in combination with each other, while filter parameters refine the base search.
Instead of a domain name, you can provide one or more search fields to the API, such as IP address, SSL hash, email, or more, and Iris Investigate will return any domain name with a record that matches those parameters. This enables “reverse” searching on one or more fields with a single API endpoint.
Search for all domains linked to the IP address 199.30.228.112
:
Queries across multiple parameters are interpreted as a logical AND query, meaning multiple parameters will narrow a search to a smaller result set. The Iris Investigate API does not currently support logical OR queries.
Domain records returned in the result set are identical to records returned from a query for one or more domain names. For example, consider using the guided pivot counts to surface new ways to expand the result set. Or, you could sort on the risk score (highest to lowest) to show the results to the end user with riskiest domains listed first.
Base Search Parameters¶
Parameter | Description | Supports WHOIS/RDAP Fields Search | Compare To |
---|---|---|---|
adsense | Google AdSense tracking code | ||
baidu_analytics | Baidu analytics code | ||
contact_name | Contact name from domain registration data | Yes | |
contact_phone | Contact street address from domain registration data | Yes | |
contact_street | Contact street address from domain registration data | Yes | |
domain | Apex domain | ||
Email address from the most recently available WHOIS record, DNS SOA record or SSL certificate | Yes - for registration emails | Reverse WHOIS | |
email_dns_soa | DNS SOA email | ||
email_domain | Apex domain portion of a WHOIS or DNS SOA email address | Yes - for registration emails | Reverse WHOIS |
Facebook/Meta tracking code | |||
google_analytics | Google Analytics tracking code | ||
google_analytics_4 | Google Analytics 4 tracking code | ||
google_tag_manager | Google Tag Manager tracking code | ||
historical_email | Email addresses from historical WHOIS records | ||
historical_free_text | Free text search of a domain's historical WHOIS records - compare to whois |
||
historical_registrant | Registrant names from historical WHOIS records | ||
hotjar | Hotjar tracking code | ||
iana_id | Registrar IANA code from most recent RDAP record for a domain | ||
ip | IPv4 address the registered domain was last known to point to during an active DNS check | Reverse IP | |
mailserver_domain | Only the registered domain portion of the mail server (domaintools.net) | ||
mailserver_host | Fully-qualified host name of the mail server (mx.domaintools.net) | Reverse MX | |
mailserver_ip | IP address of the mail server | ||
matomo | Matomo tracking code | ||
nameserver_domain | Registered domain portion of the name server (domaintools.net) | Reverse Nameserver | |
nameserver_host | Fully-qualified host name of the name server (ns1.domaintools.net) | ||
nameserver_ip | IP address of the name server | ||
redirect_domain | Find domains observed to redirect to another domain name | ||
registrant | Substring search on the WHOIS registrant field | Yes | Reverse WHOIS |
registrant_org | Substring search on the WHOIS registrant org field | Yes | Reverse WHOIS |
registrar | Exact match to the WHOIS registrar field | Yes | Reverse WHOIS |
search_hash | Encoded search from the Iris Investigate UI | ||
server_type | Most recent server type retrieved from screenshot gathering | ||
ssl_alt_names | Query elements/labels from a list of domains/subdomains in certificate Subject Alt Name lists | ||
ssl_common_name | Certificate Common Name | ||
ssl_duration | Certificate validity duration, in number of days | ||
ssl_email | Email address from the SSL certificate | ||
ssl_hash | SSL certificate SHA-1 hash | ||
ssl_issuer_common_name | Certificate issuer Common Name | ||
ssl_org | Exact match to the organization name on the SSL certificate | ||
ssl_subject | Subject field from the SSL certificate | ||
statcounter_project | Statcounter Project tracker code | ||
statcounter_security | Statcounter Security tracker code | ||
tagged_with_all | Domain tagged with all tags | ||
tagged_with_any | Domains tagged with a specific Iris Tag | ||
website_title | HTML title from most recent screenshot | ||
whois | Free text search of a domain's most recent WHOIS record - compare to historical_free_text |
||
yandex_metrica | Yandex tracker code |
Search Filter Parameters¶
These parameters can be added to any search in the Iris Investigate API, although they cannot be used on their own.
For example, search for domaintools.com
and domaintools.net
with a filter for a .net
TLD will surface domaintools.com
as a result:
Filter | Description | Supports WHOIS/RDAP Fields Search |
---|---|---|
active | true returns domains that have an entry in the global DNS, OR are listed as registered by the registry. false returns domains that are not in global DNS, AND are not listed as registered by the registry. Exclude filter to return all domains. |
|
create_date | Only include domains created on a specific date, in YYYY-MM-DD format | Yes |
expiration_date | Only include domains expiring on a specific date, in YYYY-MM-DD format | Yes |
first_seen_since | Matches domains with a first seen on or after an ISO8601-compliant date/time (including a timezone) | |
first_seen_within | Matches domains with a first seen within a specific number of seconds from when the request is made | |
ip_country_code | Country code for IP A-record | |
not_tagged_with_all | A tag or comma-separated list of tags. Filters for domain that are not tagged with any of the provided tags. | |
not_tagged_with_any | A tag or a comma-separated list of tags. Filters for domains that are not tagged with any of the provided tags. | |
rank | Popularity rank (replaces Alexa ranking) | |
risk_score | Domain Risk Score | |
server_type | The web server type | |
ssl_not_after | Validity end date for a certificate (YYYY-MM-DD) | |
ssl_not_before | Validity being date for a certificate (YYYY-MM-DD) | |
tagged_with_all | A tag or comma-separated list of tags. Filters for domain that are tagged with all of the provided tags. | |
tagged_with_any | A tag or a comma-separated list of tags. Filters for domains that are tagged with any of the provided tags. | |
tld | Limit results to only include domains in a specific top-level domain (i.e., tld=com , tld=ru ) |
|
website_title | The value of the website’s title tag |
Search and Filter within Parsed WHOIS and Parsed Domain RDAP Fields¶
Filter by a specific component within a parsed_whois
or parsed_domain_rdap
field. For example, filter by Create Date in Parsed WHOIS:
https://api.domaintools.com/v1/iris-investigate/?domain=github.com&parsed_whois:create_date=2007-10-09
Query Limits & Pagination¶
Too Many Results¶
Domains will only be returned if there are less than 10k matching domains. Use filter parameters to narrow your results.
Searches with >10,000 results return a HTTP 200
response and code: 413
in the response body. For example, this search for a common nameserver_domain
:
Returns:
{
"response": {
"error": {
"code": 413,
"message": "More than 10000 matched - you may need to refine your query."
},
"limit_exceeded": true,
"has_more_results": true,
"message": "Maximum 10000 returned - you may need to refine your query.",
"missing_domains": []
}
}
Paginated Results¶
Queries with with >500 and <10,000 results return HTTP 200
the partial results, with a default response of 500. For example:
This response snippet shows how it includes both "limit_exceeded": false
and "has_more_results": true
, which means that the request is within your response limit, and more results are available. It also returns the position
field to use for pagination.
{
"response": {
"limit_exceeded": false,
"has_more_results": true,
"message": "There is more data for you to enjoy.",
"results_count": 500,
"total_count": 1381,
"position": "f825bb76cd46471482e016f944b1131d",
"results": [
{
"domain": "vilamoda.com",
...
Use the position
Parameter to Page Through Results¶
Note that position
is both the field name, and the query parameter name. Using the position
string from the response object above, we page to the next 500 results:
https://api.domaintools.com/v1/iris-investigate/?redirect_domain=domaintools.com&position=f825bb76cd46471482e016f944b1131d
The final page of results is indicated by has_more_results
flipping to false
and a results_count
: <500.
Use the next
Parameter to Automatically Generate the URL for the Next Page of Results¶
Include next=true
for >500 results (with the default 500 response page size) and the response will include a next
field. The next
field appears below position
and contains the URL of the API call for the next page of results (including your query parameters).
A request for https://api.domaintools.com/v1/iris-investigate/?redirect_domain=domaintools.com&next=true
returns a response with the next
field:
{
"response": {
"limit_exceeded": false,
"has_more_results": true,
"message": "There is more data for you to enjoy.",
"results_count": 500,
"total_count": 1381,
"position": "c5eedcc23a144b88917adb8a6194d7a4",
"next": "https://api.domaintools.test2/v1/iris-investigate/?redirect_domain=domaintools.com&next=true&position=c5eedcc23a144b88917adb8a6194d7a4",
"results": [
{
...
The API will stop emitting the next
field in response to the next=true
parameter once it reaches the last page of results.
Use page_size
to Limit Page Size¶
The page size default is 500 and the page_size
parameter can make the page size smaller. The following example HTTP GET request URL specifies a page_size
of 100
:
Use sort_by
to Sort Results by first_seen_since
, create_date
, domain
, or risk_score
¶
Sorting defaults to descending order of first_seen_since
when no sorting method is specified, as in results for this query:
Use the sort_by
parameter to sort by:
first_seen_since
(default sort method; defaults to descending)create_date
(default: descending)domain
(default: ascending)risk_score
(default: ascending)
For example, use sort_by
to sort by risk_score
:
Use sort_direction
to Set the Sort Direction¶
Beginning with a query that sorts a list of domain results by risk_score
with default ascending order:
Now, but but with results in descending order with &sort_direction=dsc
:
https://api.domaintools.com/v1/iris-investigate/?redirect_domain=domaintools.com&sort_by=risk_score&sort_direction=dsc
This also works with create_date
and first_seen_since
.
Compare WHOIS and Domain RDAP Records (new in 2025)¶
By default, queries return standard registration data as part of the response root fields. Registration data is from either Domain RDAP or WHOIS, depending on which record is more complete.
Add a standalone set of parsed fields from the Domain RDAP and/or the WHOIS record to the response with the parameters parsed_domain_rdap=true
and &parsed_whois=true
. For example, extend the above example query for domaintools.com
by requesting Parsed Domain RDAP records in addition to the default response:
Submit a HTTP GET request:
The API response contains a results array. Each item in the array is a domain object, and within the object for domaintools.com
, the parsed Domain RDAP record is returned as a nested object under the key parsed_domain_rdap
."
{
"response": {
"message": "Enjoy your data.",
"results_count": 1,
"total_count": 1,
"results": [
{
"//": "This is the single domain result object, contained within the 'results' array.",
"domain": "domaintools.com",
"popularity_rank": 2622,
"active": true,
"create_date": {
"value": "1998-08-02",
"count": 871
},
"//": "... Other top-level attributes for the domain are truncated ...",
"parsed_whois": {
"//": "This is the nested object for the parsed WHOIS data.",
"registrar": {
"value": "eNom, LLC",
"count": 593475
},
"registrant_org": {
"value": "DomainTools, LLC",
"count": 3
},
"//": "... Other WHOIS fields truncated ..."
},
"parsed_domain_rdap": {
"//": "This is the nested object for the parsed RDAP data.",
"registrar": {
"value": "ENOM, INC.",
"count": 3448760
},
"registrant_contact": {
"name": {
"value": "REDACTED REGISTRANT",
"count": 9948449
}
},
"//": "... Other RDAP fields truncated ..."
}
}
]
}
}
Use Domain Tags as a Base Search or Filter Parameter¶
Use Domain Tags as a Search Parameter¶
Search for domains that have already been tagged within the Iris Investigate UI. All Tags created within your instance of the Iris Investigate UI are accessible via the API.
Use tagged_with_any
and tagged_with_all
to perform base searches on tags:
Scenario | Sample Parameter | Expected Result |
---|---|---|
Retrieve Domains matching one of the specified Tags | ?tagged_with_any=watch,monitor |
All Domains which have been tagged as ‘watch’ OR ‘monitor’ |
Retrieve Domains matching a list of Tags | ?tagged_with_all=block,dangerous,evil |
All Domains which have been tagged with all 3 tags – ‘block’ and ‘dangerous’ and ‘evil’ |
Use Domain Tags as a Search Filter¶
Limit base results by filtering for tagged domains:
Scenario | Sample Parameter | Expected Result |
---|---|---|
Filter result sets by only displaying Domains matching one of the specified ‘Tags’ | ?nameserver_domain=markmonitor.zone&tagged_with_any=watch,monitor |
Only list Domains which are tagged as ‘watch’ OR ‘monitor’ |
Filter result sets by only displaying Domains matching a List of ‘Tags’ | ?nameserver_domain=markmonitor.zone&tagged_with_all=block,dangerous,evil |
Only list Domains which are tagged with all 3 tags – ‘watch’ and ‘dangerous’ and ‘evil’ |
Filter result sets by excluding domains matching one of the specified ‘Tags’ | ?nameserver_domain=markmonitor.zone¬_tagged_with_any=watch,monitor |
Only list Domains which are not tagged with ‘watch’ or ‘monitor’ |
Filter result sets by excluding domains | ?nameserver_domain=markmonitor.zone¬_tagged_with_all=zerolisted,safe,trusted |
Only list Domains which are not tagged as ‘zerolisted’ and ‘safe’ and ‘trusted’ |
matching a List of ‘Tags’ | – | – |
Guided Pivots with the Iris Investigate API¶
Guided pivots help identify attributes that are shared with a relatively small number of other domain names. The smaller the count, the more likely the domains are to be related.
The Iris Investigate API delivers these counts for nearly every attribute in a domain response, on every domain record, even when processing a batch of domain names.
These counts are included in the API response as a property of the attribute, adjacent to the attribute value. This also explains why the value of a field is one level deeper than you may expect. For example:
ip:
[
{
address:
{ value: "199.30.228.112", count: 3 },
asn:
[
{ value: 17318, count: 101 }
],
country_code: { value: "us", count: 239988363 },
isp: { value: "Domaintools LLC", count: 108 }
}
]
Here, we identify the IP address 199.30.228.112
, ASN 17318
and ISP Domaintools LLC
as potential pivot points, or at the very least, as meaningful analytics to help profile the domain name. For example, IP addresses with very few other domains pointed to them often represent dedicated hosting controlled by the same entity.
In the Iris Investigate UI, we use a default threshold of 500 connections to decide which attributes to draw the user’s attention to. Consider starting with a similar threshold for your integration, but provide the user the option to choose a different threshold to match their use case.
Note that empty data elements will have a count of 0.
Monitoring newly active domains with the Iris Investigate API¶
The Iris Investigate API can be used as a powerful monitoring tool to detect newly active domains pointed to certain IPs, hosted on target name servers, redirecting to specific sites, and any other criteria that can be framed in an Iris Investigate API query.
This can be accomplished by adding either first_seen_since
or first_seen_within
to the API query (see details above for those parameters). The first seen is the date/time (in UTC) that DomainTools discovers a domain as newly active. A potential implementation may follow a pattern similar to this:
- Craft a search query in Iris Investigate that defines the attributes you want to monitor.
- Submit the query to Iris Investigate to obtain a baseline. Store the data in your own system.
- Periodically re-submit the same query, but with the addition of the appropriate 'first seen' parameter based on when you last queried.
Then:
- Compare to the stored baseline to find domains added or removed
- Iterate through domains that were already present in the baseline snapshot but were since updated in some way. Compare to their base records and note the differences.
- Store the additions, deletions, or updates as a new baseline, possibly preserving the previous values for historical tracking
This capability makes the Iris Investigate API a compelling replacement for DomainTools Enterprise API monitors that currently only return a single domain in their result: Name Server Monitor and IP Monitor. It also extends monitoring well beyond those endpoints to include monitoring on SSL attributes, tracking codes, registrar and more, with the additional option to narrow to specific TLDs with the tld= filter.
Retrieve Screenshots¶
Retrieve the most recent screenshot for a given domain with Iris Investigate (and other Iris) APIs in a two-step process:
Also consult the section on interpreting screenshot metadata, below.
1. Retrieve the Screenshot URL¶
Append queries with screenshots=1
to receive a screenshot
JSON object in the response.
For example, the following Iris API queries (with header authentication) include screenshot requests.
Example Queries for Screenshot URL Retrieval¶
- Iris Detect:
https://api.domaintools.com/v1/iris-detect/domains/watched/?screenshots=1
- Iris Enrich:
https://api.domaintools.com/v1/iris-enrich/?domain=example.com&screenshots=1
- Iris Investigate:
https://api.domaintools.com/v1/iris-investigate/?domain=example.com&screenshots=1
Query Parameters for Screenshot URL Retrieval¶
Query Parameter | Required | Type | Valid Values | Description | Example |
---|---|---|---|---|---|
screenshots |
yes | flag (1) | 1 |
Triggers screenshot object in response. | screenshots=1 |
Response Fields for Screenshot URL Retrieval¶
Output field | Type | Valid Values | Description | Example |
---|---|---|---|---|
ip_address |
string | null | IP address | The IP address from which the screenshot was taken. | 212.129.31.169 |
last_attempt |
string | ISO 8601 date-time format | The date and time the screenshot was last attempted. | 2025-02-17T15:34:55Z |
last_seen |
string | ISO 8601 date-time format | The date and time the screenshot was last observed | 2025-02-17T15:34:55Z |
screenshot |
object | JSON object | Details about the screenshot. | |
src |
str | URL | Link to the screenshot. | https://screenshots.ne.domaintools.com/screenshot_image?s3v=1&rurl=http%3A%2F%2Fespn.com&ts=2024-03-28T21%3A48%3A37Z&token=dec12499e06b61d17175c683387307c9b751c71fbbbd797b8e094c2c288f2b31 |
timestamp |
string | ISO 8601 date-time format | The date and time the provided screenshot (in fullsize field) was obtained. |
2024-08-05T16:17:45Z |
Response Example for Screenshot URL Retrieval¶
"screenshot": {
"timestamp": "2025-03-07T19:53:44Z",
"src": "https://screenshots.ar.domaintools.com/screenshot_image?s3v=1&rurl=http%3A%2F%2Fdomaintools.com&ts=2025-03-07T19%3A53%3A44Z&token=2d6269e40f4bc48908b17d218e5647fc90c0034618e39ec20806910d3909785c",
"ip_address": "141.193.213.21",
"last_attempt": "2025-04-07T18:00:01Z",
"last_seen": "2025-04-07T18:00:01Z"
}
2. Retrieve and Optionally Resize the Screenshot Image via its URL¶
Use the src
URL in the returned screenshot
object to download the screenshot image. The URL already contains the required parameters domain
, ts
, rurl
, and token
. Optionally add resize_width
and crop_height
to resize the image.
Query Parameters for Screenshot Image File¶
Query Parameter | Required | Type | Valid Values | Description | Example |
---|---|---|---|---|---|
resize_width |
no | integer | Width in pixels | If the value is less than the width of the image, the image will be shrunk horizontally to the given resize_width, preserving the aspect ratio. | resize_width=500 |
crop_height |
no | integer | Height in pixels | If the value is less than the height of the image, the image will be cropped vertically to the given crop_height, removing pixels from the bottom of the image. | crop_height=500 |
Example Query for Screenshot Image File¶
api.domaintools.com/screenshot_image?domain=domaintools.com&ts=2025-04-30T14:32:10Z&resize_width=500&crop_height=500&rurl=https://www.domaintools.com/
Interpreting Screenshot Metadata¶
Use the last_attempt
, last_seen
, and timestamp
to interpret the screenshot.
To confirm that the most recent screenshot was gathered during the current domain lifecycle—and isn't from an older, historic screenshot—compare the screenshot's timestamp
with the domain's first_seen
value in the API response. If the timestamp
is later than first_seen
, the screenshot was taken during the current domain lifecycle.
Initial capture¶
The screenshot was successfully captured during the first and only attempt. Since there have been no subsequent checks, all timestamp fields are identical.
Relationships: timestamp
= last_seen
= last_attempt
Response example:
"screenshot": {
"timestamp": "2025-05-12T14:38:19Z",
"src": "https://screenshots.ar.domaintools.com/screenshot_image?s3v=1&rurl=http%3A%2F%2Fxumi.fr&ts=2025-05-12T14%3A38%3A19Z&token=5fbd3aa604682d26d9f1f69810a87bfd75ea25e56eadb3553cefcff2ba804f28",
"ip_address": "76.76.21.21",
"last_attempt": "2025-05-12T14:38:19Z",
"last_seen": "2025-05-12T14:38:19Z"
}
Gather attempt was duplicate of initial screenshot¶
DomainTools re-checked a domain after previously taking an initial screenshot. The result was identical to the existing image and no new screenshot was generated.
Relationships: timestamp
< last_seen
= last_attempt
timestamp
remains unchanged, preserving the original capture time.last_attempt
is updated to reflect the most recent screenshot check.last_seen
is updated to indicate the most recent time the image was confirmed valid.- Because no new image was needed,
last_seen
andlast_attempt
are equal.
Response example:
"screenshot": {
"timestamp": "2025-05-12T10:10:49Z",
"src": "https://screenshots.ar.domaintools.com/screenshot_image?s3v=1&rurl=http%3A%2F%2Fdomaintools.co.in&ts=2025-05-12T10%3A10%3A49Z&token=28d255010a09d1cc8a3326e1c1406971910293f09ddac0159eb35391f705be57",
"ip_address": "104.219.250.192",
"last_attempt": "2025-05-13T17:16:34Z",
"last_seen": "2025-05-13T17:16:34Z"
}
Recapture failed after previous successful capture¶
DomainTools successfully captured a screenshot on a previous attempt. The next attempt to capture the screenshot failed — the system was unable to retrieve a new image and could not confirm whether the content had changed.
Relationships: timestamp
= last_seen
, and last_seen
< last_attempt
timestamp
reflects the time the screenshot was originally captured.last_seen
is equal totimestamp
, because that was the last time a screenshot was successfully observedlast_attempt
is more recent thanlast_seen
, but the attempt failed
Response example:
"screenshot": {
"timestamp": "2023-12-19T22:17:10Z",
"src": "https://screenshots.ar.domaintools.com/screenshot_image?s3v=1&rurl=http%3A%2F%2Ffixhelpdesk.com&ts=2023-12-19T22%3A17%3A10Z&token=8cd6edb822594a0aa485e72f5cbb5414a73b657f7438b770844f46fe886c4ea9",
"ip_address": "91.195.240.19",
"last_attempt": "2025-05-13T10:25:04Z",
"last_seen": "2023-12-19T22:17:10Z"
}
Duplicate capture followed by failed attempt¶
A screenshot was captured, and subsequently re-captured as a duplicate. A subsequent attempt to refresh the (duplicate) screenshot failed.
Relationships: timestamp
< last_seen
, and last_seen
< last_attempt
timestamp
reflects the original screenshot datelast_seen
is later thantimestamp
, indicating the image was revalidated as a duplicate on a later datelast_attempt
reflects a more recent failed attempt to recapture the screenshot
Example response:
"screenshot": {
"timestamp": "2022-07-02T10:03:43Z",
"src": "https://screenshots.ar.domaintools.com/screenshot_image?s3v=1&rurl=http%3A%2F%2Fdomaintools.ca&ts=2022-07-02T10%3A03%3A43Z&token=6fa06c07ff1b7206ae8f38aadaf4e11b8cf538b7625944e2813a72ebec2c6648",
"ip_address": "158.85.87.76",
"last_attempt": "2025-05-13T10:12:04Z",
"last_seen": "2024-05-22T10:11:09Z"
}
Integrating the Iris Investigate UI and the Iris Investigate API¶
The Iris Investigate Platform offers a rich UI to search and pivot through domain name data. Nearly all the data in the Iris Investigate “Pivot Engine” pane is accessible in the Iris Investigate API, and the most common research patterns can be easily accomplished with that API.
However, even with these capabilities in the API, there remains a number of scenarios where users can only meet their goals with the complete set of tools and resources offered in the Iris Investigate UI. These scenarios include:
- “OR” searches, or nested “AND” and “OR” searches across multiple fields and values.
- Ad-hoc investigations into a single domain’s hosting, WHOIS, or screenshot history
- Graph visualization and graph-initiated pivoting
- Passive DNS queries on IPs and hostnames
That means users may start their investigation in the Iris Investigate UI, but then expect to bring the results of their investigation into a third-party product. The search_hash parameter in the API makes this possible. Here’s how it works.
First, a user conducts an investigation in the Iris Investigate UI, potentially building a complex query to find all the connected infrastructure for a given domain name or threat actor. They access the Advanced Search in Iris Investigate and export the encoded representation of their search.
Next, the user provides this encoded string to your solution, and you craft an Iris Investigate API search with that string in the search_hash parameter. No other search parameters are required or supported (except the essential authorization parameters that should always be present). The Iris API “unpacks” the encoded search, runs the same query again, and returns the most up-to-date complete result set.
Last modified: Aug 7, 2025