
Microsoft Sentinel: Iris Enrich

Overview

The Iris Enrich integration provides high-volume domain enrichment capabilities with the same comprehensive data as Iris Investigate, but optimized for faster processing. It supports up to 60 requests per minute, making it ideal for enriching large volumes of domain indicators.

Requirements

  • A Microsoft Power Apps or Power Automate plan with custom connector feature
  • An Azure subscription
  • A DomainTools API Key provisioned for Iris Enrich

Note

Iris Enrich requires separate account provisioning from Iris Investigate. Contact your DomainTools account manager for access.

Installation

Install from Azure Marketplace

The Iris Enrich connector is included with the Iris Investigate solution:

  1. Go to the DomainTools Iris Investigate for Microsoft Sentinel page
  2. Select Get It Now
  3. Follow the guided installation steps provided by Microsoft

Alternatively, the solution is available in Content Hub within Microsoft Sentinel.

Install Playbooks

Reference playbooks are available to automate common workflows.

To install a playbook:

  1. Navigate to Automation → Playbook templates
  2. Search for "DomainTools"
  3. Select the desired Iris Enrich playbook
  4. Select Create playbook
  5. Follow the installation steps

Configure API Connections

After installation, each Logic App needs to be configured with your Iris Enrich API credentials.

  1. Open each playbook in Logic App designer
  2. On first use, select Change Connection then Add new
  3. Enter your DomainTools Iris Enrich API username and key (include dashes)
  4. Select Create then Save
  5. On subsequent Logic App connections, simply select the existing connection

Configure Permissions

Each Logic App needs permission to add comments to incidents.

  1. From the Sentinel environment, go to Settings → Workspace Settings → IAM → Add role assignment → Microsoft Sentinel Responder

Note

If it reports disabled, an administrator may need to assist, or elevate your permissions to allow managing role assignments as outlined in the Azure technical documentation.

  2. On the next screen, assign access to Managed identity → Select Members → Logic App
  3. Select each playbook you just added
  4. Select Review + assign
  5. Select Microsoft Sentinel Responder under the role assignment
  6. Select Managed identity, filter for the Logic Apps, and select each of the playbooks you just added
  7. In case of any existing apps with permissions, a failure notice for the duplicate may appear that can be ignored

The app is now configured.

Available Playbooks

These playbooks are available in the Azure repository on GitHub.

| Playbook | Description |
| --- | --- |
| DomainTools Iris Enrich Domain Playbook | Given a domain or set of domains associated with an incident, return whois, mail server, DNS, SSL and related indicators from Iris Enrich. Iris Enrich supports up to 60 calls per minute (compared to 20 on Iris Investigate) and requires separate account provisioning. |

Available Actions

| Action | Description |
| --- | --- |
| Enrich Domain | Retrieves the infrastructure and whois data associated with a domain or a comma-separated list of up to 100 domains. The Iris Enrich endpoint supports up to 60 requests per minute. |
| Retrieve Account Information | Returns the active API endpoints, rate limits and usage for an account. |

Using the Integration

Once the playbooks are installed, you can trigger them using the Automated Response section of Analytic rules in Sentinel. Verify that the incident contains items mapped as a host to get started.

After an incident is created, the playbook runs as part of the automated response (or, as a shortcut for testing, you may right-click an existing incident with the appropriate entity type and re-run the automation). If it runs successfully, the output appears as a comment on the incident.

Key Differences from Iris Investigate

| Feature | Iris Investigate | Iris Enrich |
| --- | --- | --- |
| Rate Limit | 20 requests/min | 60 requests/min |
| Use Case | Deep investigation with pivots | High-volume enrichment |
| Pivot Actions | Yes (15+ actions) | No |
| Data Returned | Full dataset | Full dataset |
| Account Provisioning | Standard | Requires separate provisioning |

Using Domain Playbooks with DNS Domain Names

As described in Microsoft's entity reference, the provided domain playbooks expect entities of type host as input.

You can modify them to use a DNS Domain name type. Starting with the logic app open in code view:

  1. Find and replace _Get_Hosts with _Get_DNS (3 occurrences)
  2. Find and replace /entities/host with /entities/dnsresolution (1 occurrence, under Entities_-_Get_DNS)
  3. Find and replace @body('Entities_-_Get_DNS')?['Hosts'] with @body('Entities_-_Get_DNS')?['Dnsresolutions'] (1 occurrence)
  4. For DomainTools_Iris_Enrich-Domain_Playbook only:
     1. Find and replace @variables('host_name') with @items('For_each_Host')?['DomainName'] (1 occurrence)
     2. Find and replace @{variables('host_name')}.@{variables('dns_name')} with @items('For_each_Host')?['DomainName'] (1 occurrence)
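As an added example (not code from this page or from the DomainTools solution), the following Python script applies the find-and-replace steps above in order to the playbook's code-view JSON and stops if any occurrence count differs from the one the steps state, since a different count means the playbook has been customised and needs manual review. SAMPLE_DEFINITION is a constructed, minimal stand-in for the real playbook definition, and convert_to_dns_entities is a name chosen here.

```python
import json

# Ordered edits from the steps above: (find, replace, expected occurrence count).
# Steps 2 and 3 refer to the renamed action, so step 1 must run first.
EDITS = [
    ("_Get_Hosts", "_Get_DNS", 3),
    ("/entities/host", "/entities/dnsresolution", 1),
    ("@body('Entities_-_Get_DNS')?['Hosts']",
     "@body('Entities_-_Get_DNS')?['Dnsresolutions']", 1),
    # DomainTools_Iris_Enrich-Domain_Playbook only:
    ("@variables('host_name')", "@items('For_each_Host')?['DomainName']", 1),
    ("@{variables('host_name')}.@{variables('dns_name')}",
     "@items('For_each_Host')?['DomainName']", 1),
]

def convert_to_dns_entities(definition_text: str) -> str:
    """Apply EDITS in order to the Logic App code-view JSON text; a count that
    differs from the documented one means a customised playbook, so stop rather
    than silently editing the wrong places."""
    text = definition_text
    for find, replace, expected in EDITS:
        found = text.count(find)
        if found != expected:
            raise ValueError(f"expected {expected} occurrence(s) of {find!r}, "
                             f"found {found}; review the definition manually")
        text = text.replace(find, replace)
    json.loads(text)  # the result must still parse before it is pasted back
    return text

# Constructed, minimal stand-in for the playbook definition (not the real
# DomainTools playbook); it carries exactly the documented occurrence counts.
SAMPLE_DEFINITION = r'''{"definition": {"actions": {
  "Entities_-_Get_Hosts": {"type": "ApiConnection",
    "inputs": {"path": "/entities/host", "body": "@triggerBody()"}},
  "For_each_Host": {"type": "Foreach",
    "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
    "runAfter": {"Entities_-_Get_Hosts": ["Succeeded"]},
    "actions": {
      "Set_host_name": {"type": "SetVariable", "inputs": {"name": "host_name",
        "value": "@items('For_each_Host')?['HostName']"}},
      "Enrich_Domain": {"type": "ApiConnection",
        "inputs": {"queries": {"domain": "@variables('host_name')"}}},
      "Add_comment": {"type": "ApiConnection", "inputs": {"body": {"message":
        "Iris Enrich result for @{variables('host_name')}.@{variables('dns_name')}"}}}
    }}}}}'''
```

To apply it to a real playbook, pass the JSON copied from the Logic App's code view to convert_to_dns_entities and paste the returned text back only after the count checks have passed.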

Additional Resources