
Microsoft Sentinel: Iris Investigate

Overview

The Iris Investigate integration provides deep investigation capabilities for domain indicators, including whois, DNS, SSL, and related infrastructure data. It enables rapid enrichment and discovery of connected infrastructure through guided pivots.

Requirements

  • A Microsoft Power Apps or Power Automate plan with custom connector feature
  • An Azure subscription
  • A DomainTools API Key provisioned for Iris Investigate
  • A DomainTools API Key provisioned for Iris Enrich (optional, for enrichment actions or playbook)
  • A Farsight DNSDB API Key (optional, for Farsight co-enrichment playbook)

Installation

Install from Azure Marketplace

  1. Go to the DomainTools Iris Investigate for Microsoft Sentinel page
  2. Select Get It Now
  3. Follow the guided installation steps provided by Microsoft

Alternatively, the solution is available in Content Hub within Microsoft Sentinel.

Note

No special configuration is needed for DomainTools apps at this stage.

Install Playbooks

Reference playbooks are available to automate common workflows. The most straightforward one to begin with is the "Domain Risk Score" playbook.

To install a playbook:

  1. Navigate to Automation → Playbook templates
  2. Search for "DomainTools"
  3. Select the desired playbook
  4. Select Create playbook
  5. Follow the installation steps

Note

You can ignore the UserName field at this point. You will configure it in the next section.

URL Playbook Prerequisites

If installing the URL playbook, you must install the Azure Functions app to parse URLs to domains:

  1. Navigate to Sentinel → Automation
  2. Select the URL Enrichment Playbook
  3. Select the link in the description to deploy the Azure function app
  4. After installation, configure the function app:
    • Navigate to Function app → Configuration → General settings
    • Select Python 3.8
    • Save the changes
    • Navigate to Overview → Restart to restart the app

Configure API Connections

After installation, each Logic App needs to be configured with a DomainTools API key.

  1. Open each playbook in Logic App designer

Warning

Due to the size of the app, the Domain Enrichment - DomainTools Iris Investigate logic app can take several minutes to load.

  2. On first use, select Change Connection then Add new
  3. Enter your DomainTools API username and key (include dashes)
  4. Select Create then Save
  5. For subsequent Logic App connections, simply select the existing connection

Configure Farsight DNSDB Connection

For the DomainTools_Iris_Investigate-With_Farsight_pDNS_Playbook, an additional step is required:

  1. Expand the check if results exist section
  2. Scroll to RData lookup with RRType and expand it
  3. Select Create connection
  4. Enter the Farsight DNSDB credentials
  5. Select Create then Save the Logic App

Configure Permissions

Each Logic App needs permission to add comments to incidents.

  1. From the Sentinel environment, go to Settings → Workspace Settings → IAM → Add role assignment → Microsoft Sentinel Responder

Note

If the option is reported as disabled, an administrator may need to assist, or elevate your permissions so that you can manage role assignments as outlined in the Azure technical documentation.

  2. On the next screen, assign access to Managed identity → Select Members → Logic App
  3. Select each playbook you just added
  4. Select Review + assign
  5. Select Microsoft Sentinel Responder under the role assignment
  6. Select Managed identity, filter for the Logic Apps, and select each of the playbooks you just added
  7. If an app already has the permission, a failure notice for the duplicate may appear; it can be ignored

The app is now configured. Repeat for any remaining playbooks you wish to install.

Available Playbooks

These playbooks are available in the Azure repository on GitHub.

| Playbook | Description |
| --- | --- |
| DomainTools Iris Investigate Domain Playbook | Given a domain or set of domains associated with an incident, returns whois, mail server, DNS, SSL and related indicators from Iris Investigate, highlighting fields where fewer than 500 (configurable) domains share an attribute. |
| DomainTools Iris Investigate Domain Risk Score Playbook | Given a domain or set of domains associated with an incident, returns the risk scores and adjusts the severity of the incident if a high-risk domain is observed. Adds the risk scoring details as comments on the incident. |
| DomainTools Iris Investigate Guided Pivots Playbook | Given a domain, returns whois, mail server, DNS, SSL and related indicators from Iris Investigate, highlighting shared attributes and automatically querying for related domains that share an attribute with the domain in the incident. |
| DomainTools Iris Investigate Malicious Tags Playbook | Track the activities of malicious actors using the Iris Investigate UI by tagging domains of interest. Given a domain or set of domains associated with an incident, queries Iris Investigate for information on those domains and, if a specified set of tags is observed, marks the incident as "severe" in Sentinel and adds a comment. |
| DomainTools Iris Investigate URL Playbook | Given a URL or set of URLs associated with an incident, returns all DomainTools Iris Investigate data for the domains extracted from the URLs as comments on the incident. |
| DomainTools Iris Investigate With Farsight pDNS Playbook | Given a domain or set of domains associated with an incident, enriches the domain using the DomainTools Iris Investigate API, returning whois and infrastructure details, then retrieves associated subdomains from passive DNS data in Farsight's DNSDB. A Farsight DNSDB API subscription is required. |
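The Domain and Guided Pivots playbooks above both rest on the same idea: an attribute is worth pivoting on when fewer than a configurable number of domains (500 by default) share it. The following is an added example, not code from the DomainTools solution or the playbooks, showing that selection logic in Python. It assumes only that pivotable attributes arrive as `{"value": ..., "count": ...}` pairs somewhere in the result; the sample record, its field names and values are constructed for illustration and are not a captured API response.

```python
from typing import Any

# Constructed sample, shaped as nested {"value": ..., "count": ...} pairs.
# Field names and values are illustrative only (RFC 5737 address, .test TLD,
# placeholder certificate hash); this is not a real Iris Investigate response.
SAMPLE_RESULT = {
    "domain": "example.test",
    "registrant_name": {"value": "Jane Doe", "count": 12},
    "registrant_org": {"value": "", "count": 0},
    "ip": [
        {
            "address": {"value": "192.0.2.10", "count": 3},
            "asn": [{"value": 64496, "count": 250000}],
        }
    ],
    "name_server": [{"host": {"value": "ns1.example.test", "count": 40}}],
    "ssl_info": [
        {"hash": {"value": "0123456789abcdef0123456789abcdef01234567", "count": 2}}
    ],
}


def _walk(node: Any, path: str, out: list) -> None:
    """Recursively collect every {"value", "count"} pair together with its JSON path."""
    if isinstance(node, dict):
        if "value" in node and "count" in node:
            out.append((path, node["value"], node["count"]))
            return
        for key, child in node.items():
            _walk(child, f"{path}.{key}" if path else key, out)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            _walk(child, f"{path}[{i}]", out)


def guided_pivots(result: dict, threshold: int = 500) -> list:
    """Return (path, value, count) for attributes shared by fewer than
    `threshold` domains, smallest (most specific) pivot first.

    Empty values are skipped. A count of 1 is treated as "no pivot"
    (assumption: the count includes the queried domain itself).
    """
    pairs: list = []
    _walk(result, "", pairs)
    pivots = [
        (path, value, count)
        for path, value, count in pairs
        if value not in ("", None) and 2 <= count < threshold
    ]
    return sorted(pivots, key=lambda p: p[2])


if __name__ == "__main__":
    for path, value, count in guided_pivots(SAMPLE_RESULT):
        print(f"{count:>6} domains share {path} = {value}")
```

Lowering `threshold` narrows the list to the tightest pivots, which is the knob the Domain Playbook exposes as its configurable limit; the ASN in the sample is excluded because hundreds of thousands of domains share it and a pivot on it would return noise rather than related infrastructure.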

Available Actions

| Action | Description |
| --- | --- |
| Investigate Domain | Retrieves the infrastructure and whois data associated with a domain or a comma-separated list of up to 100 domains. The Iris Investigate endpoint supports up to 20 requests per minute. |
| Pivot by MX IP | Returns up to 500 domains served by a given mail server IP. Use the optional 'active' and 'date updated after' parameters to pre-filter the result set. |
| Pivot by Nameserver IP Address | Returns up to 500 domains served by a provided nameserver IP. Use the optional 'active' and 'date updated after' parameters to pre-filter the result set. |
| Pivot by Registrant Name | Returns up to 500 domains exactly matching the provided whois registrant field. Use the optional 'active' and 'date updated after' parameters to pre-filter the result set. |
| Pivot by Registrant Organization | Returns up to 500 domains exactly matching the provided whois registrant organization field. Use the optional 'active' and 'date updated after' parameters to pre-filter the result set. |
| Pivot by SSL Hash | Returns up to 500 domains with an SSL certificate matching a provided SHA-1 hash. Use the optional 'active' and 'date updated after' parameters to pre-filter the result set. |
| Pivot MX Host | Returns up to 500 domains with a mail server on a provided domain name. Use the optional 'active' and 'date updated after' parameters to pre-filter the result set. |
| Pivot Nameserver Host | Returns up to 500 domains served by a provided nameserver host. Use the optional 'active' and 'date updated after' parameters to pre-filter the result set. |
| Pivot SSL Email | Returns up to 500 domains with a given email address on the SSL certificate. Use the optional 'active' and 'date updated after' parameters to pre-filter the result set. |
| Retrieve Account Information | Returns information on the active API endpoints, rate limits and usage for an account. |
| Return Domains from Search Hash | Imports up to 500 domains from Iris Investigate into the Sentinel platform. From an active search, open Advanced → Import/Export Search and copy the hash. Use the optional 'active' and 'date updated after' parameters to pre-filter the result set. |
| Return Tagged With All | Retrieves up to 500 domains tagged within the Iris Investigate UI. Given a comma-separated list of tags, returns domains that are tagged with ALL of the tags. Use the optional 'active' and 'date updated after' parameters to pre-filter the result set. |
| Return Tagged With Any | Retrieves up to 500 domains tagged within the Iris Investigate UI. Given a comma-separated list of tags, returns domains that are tagged with ANY of the tags. Use the optional 'active' and 'date updated after' parameters to pre-filter the result set. |
| Reverse Email | Returns up to 500 domains with an email address on the most recently available whois record, DNS SOA record or SSL certificate. Use the optional 'active' and 'date updated after' parameters to pre-filter the result set. |
| Reverse Email Domain | Returns up to 500 domains with the domain portion of an email address on the most recently available whois or DNS SOA record. Use the optional 'active' and 'date updated after' parameters to pre-filter the result set. |
| Reverse IP | Returns up to 500 domains that last resolved to a given IPv4 address on an active DNS check. Use the optional 'active' and 'date updated after' parameters to pre-filter the result set. |

Using the Integration

Once the playbooks are installed, you can trigger them from the Automated Response section of Analytic rules in Sentinel. To get started, verify that the incident contains entities mapped as Host.

The URL Enrichment playbook can also take entities with URL types.

The automation runs after an incident is created; as a shortcut for testing, you may right-click an existing incident that has the appropriate entity type and re-run the automation. If it runs successfully, the output appears as a comment on the incident.

Using Domain Playbooks with DNS Domain Names

As described in Microsoft's entity reference, the provided domain playbooks expect entities of type Host.

You can modify them to use a DNS Domain name type. Starting with the logic app open in code view:

  1. Find and replace _Get_Hosts with _Get_DNS (3 occurrences)
  2. Find and replace /entities/host with /entities/dnsresolution (1 occurrence, under Entities_-_Get_DNS)
  3. Find and replace @body('Entities_-_Get_DNS')?['Hosts'] with @body('Entities_-_Get_DNS')?['Dnsresolutions'] (1 occurrence)
  4. The final two replacements depend on the playbook; apply only the pair that matches yours:
  5. For DomainTools_Iris_Investigate-Domain_Risk_Score_Playbook and DomainTools_Iris_Investigate-Malicious_Tags_Playbook:
    • Find and replace @variables('host_name') with @items('For_each')?['DomainName'] (1 occurrence)
    • Find and replace @{variables('host_name')}.@{variables('dns_name')} with @items('For_each')?['DomainName'] (1 occurrence)
  6. For DomainTools_Iris_Investigate-Domain_Playbook, DomainTools_Iris_Investigate-With_Farsight_pDNS_Playbook and DomainTools_Iris_Enrich-Domain_Playbook:
    • Find and replace @variables('host_name') with @items('For_each_Host')?['DomainName'] (1 occurrence)
    • Find and replace @{variables('host_name')}.@{variables('dns_name')} with @items('For_each_Host')?['DomainName'] (1 occurrence)
  7. For DomainTools_Iris_Investigate-Guided_Pivots_Playbook:
    • Find and replace @variables('host_name') with @items('For_each_Host_')?['DomainName'] (1 occurrence)
    • Find and replace @{variables('host_name')}.@{variables('dns_name')} with @items('For_each_Host_')?['DomainName'] (1 occurrence)
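Because the replacements above are exact strings with known occurrence counts, they can be applied to the definition JSON from code view mechanically and checked. The script below is an added example, not part of the DomainTools solution, that applies the steps in order for a chosen playbook and warns when a count differs from what the procedure expects (a sign that the playbook was already edited or is a different version). The `LOOP_NAME` map and the replacement strings are taken from the steps above; `SAMPLE_DEFINITION` is a constructed, minimal stand-in for a real Logic App definition and is not one of the playbooks.

```python
import json

# Loop action whose items carry the DomainName property, per playbook
# (taken from the replacement steps in this section).
LOOP_NAME = {
    "DomainTools_Iris_Investigate-Domain_Risk_Score_Playbook": "For_each",
    "DomainTools_Iris_Investigate-Malicious_Tags_Playbook": "For_each",
    "DomainTools_Iris_Investigate-Domain_Playbook": "For_each_Host",
    "DomainTools_Iris_Investigate-With_Farsight_pDNS_Playbook": "For_each_Host",
    "DomainTools_Iris_Enrich-Domain_Playbook": "For_each_Host",
    "DomainTools_Iris_Investigate-Guided_Pivots_Playbook": "For_each_Host_",
}

# Constructed minimal definition with the same occurrence counts the procedure
# expects (3 x "_Get_Hosts", 1 x each of the other patterns). Not a real playbook.
SAMPLE_DEFINITION = json.dumps(
    {
        "actions": {
            "Entities_-_Get_Hosts": {
                "type": "ApiConnection",
                "inputs": {"path": "/entities/host", "body": "@triggerBody()"},
            },
            "For_each": {
                "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
                "actions": {
                    "Set_host_name": {
                        "inputs": {"name": "host_name", "value": "@items('For_each')?['HostName']"}
                    },
                    "Investigate": {
                        "inputs": {"queries": {"domain": "@{variables('host_name')}.@{variables('dns_name')}"}}
                    },
                    "Lookup": {"inputs": {"queries": {"domain": "@variables('host_name')"}}},
                },
                "runAfter": {"Entities_-_Get_Hosts": ["Succeeded"]},
            },
        }
    },
    indent=2,
)


def convert_to_dns(definition_text: str, playbook: str) -> tuple:
    """Apply the Host -> DNS entity replacements to a Logic App definition.

    Returns (new_text, warnings). A warning is recorded whenever the number
    of occurrences differs from the count the procedure expects.
    """
    item_expr = f"@items('{LOOP_NAME[playbook]}')?['DomainName']"
    steps = [
        ("_Get_Hosts", "_Get_DNS", 3),
        ("/entities/host", "/entities/dnsresolution", 1),
        # Step 1 has already renamed the action, so the body reference reads Get_DNS here.
        ("@body('Entities_-_Get_DNS')?['Hosts']",
         "@body('Entities_-_Get_DNS')?['Dnsresolutions']", 1),
        ("@variables('host_name')", item_expr, 1),
        ("@{variables('host_name')}.@{variables('dns_name')}", item_expr, 1),
    ]
    warnings = []
    text = definition_text
    for old, new, expected in steps:
        found = text.count(old)
        if found != expected:
            warnings.append(f"expected {expected} occurrence(s) of {old!r}, found {found}")
        text = text.replace(old, new)
    json.loads(text)  # the edited definition must still be valid JSON before pasting it back
    return text, warnings


if __name__ == "__main__":
    converted, problems = convert_to_dns(
        SAMPLE_DEFINITION, "DomainTools_Iris_Investigate-Domain_Risk_Score_Playbook"
    )
    print(converted)
    for p in problems:
        print("WARNING:", p)
```

Run it against the definition copied from code view, review any warnings before pasting the result back, and save the Logic App; an unexpected count is the cue to inspect the playbook by hand rather than trust a blind replace.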

Additional Resources