Anomali: Iris App
Introduction
The DomainTools Iris App for Anomali delivers a critical subset of DomainTools Iris data, including pivot enrichment, context enrichment for domains, and context enrichment for IPs, emails, and SSL certificates, directly inside the Anomali ThreatStream platform to enable rapid in-context assessments of domain name observables and discovery of connected infrastructure.
Powered by the DomainTools Iris Investigate API—included with most enterprise subscriptions.
Getting started
To activate the enrichment, you need a DomainTools API username and API key. If you have API keys for the original DomainTools Anomali (v1.0) integration, you may need a new API key. Contact your DomainTools account manager if you need help obtaining access, or email enterprisesupport@domaintools.com.
Activate the DomainTools Iris App within Anomali:
- In the top navigation bar, select Settings > Integrations.
- Activate the box labeled DomainTools Iris.
- Enter your DomainTools API key and API username as requested.
Iris Investigate enrichment
The DomainTools App adds the critical DomainTools dataset as context enrichment when you open an Observable under the Analyze > Observable tab.
The App adds a DomainTools Iris tab to the set of context enrichment options for supported entity types. Key intelligence includes:
- Domain Risk Score with supporting evidence and component scores from machine learning classifiers and proximity-based risk algorithms.
- Domain profile attributes from the DomainTools Iris dataset, including identity, infrastructure, web crawl, SSL details, and parsed RDAP registration data.
- Guided Pivot counts for each attribute to identify dedicated infrastructure, novel identities, and potential research pathways.
- An outbound link to the DomainTools Iris Investigation Platform to perform deeper analysis, with the domain name context preserved in the link to streamline the investigation process.
Domain observables
For a domain observable, the DomainTools Iris tab provides the following context enrichment in real time:
- Domain Risk Score with supporting evidence.
- Threat component scores from DomainTools machine learning classifiers and proximity-based risk algorithms.
- Domain attributes from the DomainTools Iris dataset, including identity, infrastructure, web crawl, SSL details, and parsed RDAP registration data.
- Guided Pivot counts for each attribute to identify dedicated infrastructure, novel identities, and potential research pathways.
- Guided Pivots within the Enrichments tab.
- Guided pivots within an investigation.
- An outbound link to DomainTools Iris Research Platform for deeper analysis, with context preserved in the link to streamline the investigation process.
IPs, emails, and SSL
For an IP, email, or SSL certificate observable, the DomainTools Iris tab displays a list of connected domains, the domain Risk Score, and the domain age distribution for that observable value, sourced from the Iris Investigate API.
DNSDB enrichment
The DNSDB enrichment panel provides passive DNS data for domain observables directly within the Anomali ThreatStream platform. Powered by Farsight DNSDB, this panel displays historical and near-real-time DNS resolution data associated with a domain, including records observed across the global DNS infrastructure.
To view DNSDB data, open a domain observable and select the DNSDB tab in the enrichment panel. The panel displays passive DNS records linked to the domain, helping you identify infrastructure changes, historical hosting patterns, and related domains.
Note: DNSDB enrichment requires an active DNSDB subscription. Contact your DomainTools account manager for access.
Pivot enrichment
The DomainTools Iris App for Anomali leverages Anomali's built-in graph utility to assist in researching connected infrastructure associated with an indicator.
To get started, add an entity of a supported type and right-click its node. A DomainTools Iris menu appears with options to pivot and obtain additional details or domains from the Iris Investigate API.
Supported attributes in pivot enrichment
| Observable Attribute | Pivot Types | Expected Results (if available) |
|---|---|---|
| Domain | Pivot Domain | Web hosting ASN; name server and mail server IP addresses; web host, name server, and mail server hostnames (as a URL); registrant name (as a tag); registrar name (as a tag); email addresses (WHOIS, SOA, or SSL); SSL certificate hash (as a hash) |
| IP | Pivot NS IP; Pivot MX IP; Pivot DNS IP | Domain entities that share the IP address |
| Email | Pivot Email | Domain entities that share the email address |
| Hash | Pivot SSL Hash | Domain entities that share the SSL hash |
| URL | Pivot Name Server Host; Pivot Mail Server Host | Domain entities that share the hostname |
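As an added example (not the app's or DomainTools' own code) of how the Guided Pivot counts described under Domain observables and the pivot types in the table above fit together: the smaller the number of other domains that share an attribute, the more likely it points at dedicated or novel infrastructure, so those attributes are the ones worth pivoting on first. The record below is constructed, and its field names are assumptions for this example rather than the Iris Investigate API's actual schema.

```python
"""Rank Guided Pivots from an Iris-style domain record by pivot count.

A low count means few other domains share the attribute (dedicated or
novel infrastructure); a very high count (shared hosting, a large
registrar's mail server) is noise and is left out.
"""
from typing import Dict, List, Tuple

# Pivot type per attribute, using the pivot names from the table above.
# The attribute keys themselves are assumed names for this example.
PIVOT_TYPES: Dict[str, str] = {
    "ip": "Pivot DNS IP",
    "name_server_ip": "Pivot NS IP",
    "mail_server_ip": "Pivot MX IP",
    "name_server_host": "Pivot Name Server Host",
    "mail_server_host": "Pivot Mail Server Host",
    "ssl_hash": "Pivot SSL Hash",
    "email": "Pivot Email",
}

# Constructed sample record: each attribute carries the value seen on the
# domain and the number of domains in Iris that share it (the pivot count).
SAMPLE_RECORD = {
    "domain": "example-lookalike.test",
    "risk_score": 87,
    "ip": [{"value": "203.0.113.10", "count": 3}],
    "name_server_ip": [{"value": "203.0.113.53", "count": 2}],
    "mail_server_ip": [{"value": "198.51.100.25", "count": 1500}],
    "name_server_host": [{"value": "ns1.cheap-dns.test", "count": 250000}],
    "mail_server_host": [{"value": "mx.cheap-dns.test", "count": 1500}],
    "ssl_hash": [{"value": "PLACEHOLDER-SSL-HASH", "count": 1}],
    "email": [{"value": "registrant@example-lookalike.test", "count": 4}],
}


def guided_pivots(record: dict, max_count: int = 500) -> List[Tuple[str, str, int]]:
    """Return (pivot_type, value, count) for every attribute shared by at
    most max_count domains, smallest (most dedicated) count first."""
    candidates = []
    for attr, pivot in PIVOT_TYPES.items():
        for item in record.get(attr, []):
            if 0 < item["count"] <= max_count:
                candidates.append((pivot, item["value"], item["count"]))
    return sorted(candidates, key=lambda c: c[2])


if __name__ == "__main__":
    for pivot, value, count in guided_pivots(SAMPLE_RECORD):
        print(f"{pivot:24} {value:40} shared by {count} domain(s)")
```

Raising `max_count` widens the candidate list; the shared name server and mail server entries in the sample are deliberately above the default so they drop out.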
Changelog
| Version | Release Date | Summary |
|---|---|---|
| 1.1.0 | 2025-07-30 | Added parsed RDAP registration data to Iris Investigate domain enrichment; added DNSDB passive DNS enrichment panel for domain observables |
| 1.0.6 | 2024-03-18 | Updated pivot links with search directives; added new Iris fields: server_type, website_title, ga4, gtm_codes, fb_codes, hotjar_codes, baidu_codes, yandex_codes, matomo_codes, statcounter_project_codes, statcounter_security_codes, issuer_common_name, common_name, not_after, not_before, alt_names; added retry capability to minimize the query rate limit error for the "pivot all" action; updated app metadata file and DomainTools logo; improved error/exception handling; fixed formatting issues; several bug fixes |
| 1.0.4 | 2022-04-06 | Under-the-hood error handling fixes |
| 1.03 | 2021-08 | Under-the-hood upgrade of Python2 components to Python3 |
| 1.02 | 2021-05 | Adds the ability to open a guided pivot directly on the DomainTools Iris platform; domain enrichment and pivoting show results for the primary domain when a FQDN is presented; improved error handling when pivots return too many results to display; fixed support for additional entity types when pivoting on domains: name server, mail server, SSL certificate information, and registrant information |
| 1.01 | 2020-07 | Improved error handling when pivoting or enriching domains with empty create_date or risk_score values; improved error handling when pivoting or enriching domains with no results |